CVE-2025-52665
Published: 2025-10-31
Priority: P1 (92) · Severity: critical · CVSS 3.1 base score: 10.0
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Tags: ITW EXPLOIT · VulnCheck KEV · Exploited in the wild
EPSS: 40.97% (98.5th percentile)
A malicious actor with access to the management network could exploit a misconfiguration in UniFi’s door access application, UniFi Access, that exposed a management API without proper authentication. This vulnerability was introduced in Version 3.3.22 and was fixed in Version 4.0.21 and later.
Affected Products:
UniFi Access Application (Version 3.3.22 through 3.4.31).
Mitigation:
Update your UniFi Access Application to Version 4.0.21 or later.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ubiquiti_inc | unifi_access_application | 3.3.22 – 3.4.31 | — |
| ui | unifi_access | >= 3.3.22 < 4.0.21 | 4.0.21 |
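The two ranges in the table do not agree above 3.4.31: the vendor lists 3.3.22 through 3.4.31, while the second range runs from 3.3.22 up to but excluding the 4.0.21 fix. The triage helper below is an added example written for this page, not code from Ubiquiti or VulnCheck; it treats anything inside the wider range as affected until patched. The host names and versions in the inventory are constructed.

```python
"""Version triage for CVE-2025-52665 against the two affected ranges listed on the page.
Added example for this page (not vendor code)."""


def parse_version(v: str) -> tuple[int, ...]:
    """'3.4.31' -> (3, 4, 31); tolerates a leading 'v' and a trailing tag such as '4.0.21-beta'."""
    core = v.strip().lstrip("vV").split("-", 1)[0]
    return tuple(int(p) for p in core.split("."))


INTRODUCED = parse_version("3.3.22")   # first vulnerable build per the advisory
LAST_LISTED = parse_version("3.4.31")  # upper bound of the vendor's "3.3.22 through 3.4.31"
FIXED = parse_version("4.0.21")        # first fixed build per the advisory


def assess(version: str) -> str:
    """Classify one UniFi Access Application version string."""
    v = parse_version(version)
    if v < INTRODUCED:
        return "not affected (pre-3.3.22)"
    if v >= FIXED:
        return "fixed"
    if v <= LAST_LISTED:
        return "affected (vendor-listed range)"
    # Above the vendor's last listed build but below the fix: the page's second range
    # (>= 3.3.22, < 4.0.21) still counts it as affected, so treat it as vulnerable.
    return "affected (>= 3.3.22 < 4.0.21 range; above vendor-listed 3.4.31)"


def triage(inventory: dict[str, str]) -> dict[str, str]:
    """Map host -> verdict for an inventory of {host: version}."""
    return {host: assess(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory for illustration, not real hosts.
    sample = {"door-ctl-1": "3.3.21", "door-ctl-2": "3.4.31",
              "door-ctl-3": "4.0.5", "door-ctl-4": "v4.0.21"}
    for host, verdict in triage(sample).items():
        print(f"{host}: {verdict}")
```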
Detection & IOCs (extracted from sources)
Snort/Suricata rule (ET sid:2065968):
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS UniFi Access Unauthenticated Remote Code Execution (CVE-2025-52665)"; flow:established,to_server; http.uri; content:"/api/ucore/backup/export"; fast_pattern; http.request_body; content:"|22|dir|22 3a|"; pcre:"/^\s*?\x22[^\x22]*?[\x3b\x26\x60\x7c\x24]/R"; reference:url,www.catchify.sa/post/cve-2025-52665-rce-in-unifi-os-25-000; reference:cve,2025-52665; classtype:web-application-attack; sid:2065968; rev:1; metadata:attack_target Server, tls_state TLSDecrypt, created_at 2025_12_01, cve CVE_2025_52665, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_12_01, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
- Detect unauthenticated GET requests to /api/v1/user_assets/touch_pass/keys on port 9780; a successful response will contain JSON fields 'google_pass_auth_key' and/or 'apple_nfc' with HTTP 200 and Content-Type application/json.
- Detect unauthenticated POST to /api/ucore/backup/export on port 9780 with a 'dir' JSON field containing shell metacharacters (;, &, `, |, $), indicative of command injection exploitation.
- Detect unauthenticated POST to /api/v1/user_assets/nfc on port 9780; a successful exploitation response returns a JSON body containing 'CODE_SUCCESS' with HTTP 200.
- Use Shodan/FOFA to identify exposed UniFi targets: Shodan query 'html:"UniFi Dream Machine SE"' or 'http.html:"UniFi OS"'; FOFA query 'body="UniFi OS"'.
- Confirm the target is a UniFi device by checking the /login page for the strings 'UniFi OS' or 'UniFi Dream Machine SE' before attempting exploitation steps.
- The vulnerability was introduced in version 3.3.22 and only affects UniFi Access Application versions 3.3.22 through 3.4.31; versions prior to 3.3.22 and 4.0.21+ are not affected.
- The Nuclei template for the RCE vector (CVE-2025-52665) is marked 'verified: false', meaning the RCE chain via /api/ucore/backup/export has not been independently confirmed by the template author.
- The Snort/ET rule requires TLS decryption to be effective, as indicated by the metadata tags 'deployment SSLDecrypt' and 'tls_state TLSDecrypt'.
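The three request/response indicators above, plus the ET rule's body check, applied to captured HTTP transactions. This is an added Python example written for this page; it is not code from Ubiquiti, Emerging Threats/Proofpoint or the Nuclei template authors. The HttpTx record shape, the sample transactions and the heuristic that a request carrying no Cookie or Authorization header is "unauthenticated" are assumptions made for the example. It goes one step beyond the rule: the literal "dir": content match is reproduced as-is, and a parsed-JSON check is run beside it to show that a body such as {"dir" : "/tmp|id"} (whitespace before the colon) slips past the byte pattern but not the parser.

```python
"""Host/log-side detection for CVE-2025-52665 indicators on UniFi Access (port 9780).
Added example for this page; sample transactions below are constructed, not real captures."""
import json
import re
from dataclasses import dataclass, field

UNIFI_ACCESS_PORT = 9780

# Same logic as the ET rule body: literal "dir": (no whitespace before the colon), then,
# relative to that match like the rule's pcre /R, optional whitespace, an opening quote
# and a quoted value containing one of ; & ` | $ before its closing quote.
DIR_KEY = re.compile(r'"dir":')
DIR_META = re.compile(r'\s*?"[^"]*?[;&`|$]')
SHELL_META = set(';&`|$')


@dataclass
class HttpTx:
    """One request/response pair (assumed shape, as a proxy or PCAP parser might emit)."""
    method: str
    port: int
    path: str
    req_headers: dict = field(default_factory=dict)
    req_body: str = ""
    status: int = 0
    resp_headers: dict = field(default_factory=dict)
    resp_body: str = ""


def is_unauthenticated(tx: HttpTx) -> bool:
    """Assumption for this example: no Cookie/Authorization header means no session."""
    names = {k.lower() for k in tx.req_headers}
    return not ({"cookie", "authorization"} & names)


def dir_has_metachar_rule(body: str) -> bool:
    """Byte-pattern check equivalent to the Snort/Suricata rule (sid:2065968)."""
    return any(DIR_META.match(body, m.end()) for m in DIR_KEY.finditer(body))


def dir_has_metachar_json(body: str) -> bool:
    """Parsed check: also catches spacing variants the literal "dir": match misses."""
    try:
        doc = json.loads(body)
    except ValueError:
        return False
    val = doc.get("dir") if isinstance(doc, dict) else None
    return isinstance(val, str) and any(c in SHELL_META for c in val)


def detect(tx: HttpTx) -> list[str]:
    """Return the CVE-2025-52665 indicators from the page that this transaction matches."""
    hits: list[str] = []
    if tx.port != UNIFI_ACCESS_PORT or not is_unauthenticated(tx):
        return hits
    path = tx.path.split("?", 1)[0]
    ctype = tx.resp_headers.get("Content-Type", "").lower()
    json_200 = tx.status == 200 and "application/json" in ctype

    if tx.method == "GET" and path == "/api/v1/user_assets/touch_pass/keys":
        if json_200 and ("google_pass_auth_key" in tx.resp_body or "apple_nfc" in tx.resp_body):
            hits.append("touch_pass keys disclosed")
    elif tx.method == "POST" and path == "/api/ucore/backup/export":
        if dir_has_metachar_rule(tx.req_body):
            hits.append("backup/export dir injection (ET rule pattern)")
        elif dir_has_metachar_json(tx.req_body):
            hits.append("backup/export dir injection (JSON parse only; ET rule would miss)")
    elif tx.method == "POST" and path == "/api/v1/user_assets/nfc":
        if tx.status == 200 and "CODE_SUCCESS" in tx.resp_body:
            hits.append("unauthenticated NFC credential creation succeeded")
    return hits


# Constructed transactions for a stand-alone run; values are placeholders, not real data.
SAMPLES = {
    "keys_leak": HttpTx("GET", 9780, "/api/v1/user_assets/touch_pass/keys", status=200,
                        resp_headers={"Content-Type": "application/json"},
                        resp_body='{"google_pass_auth_key":{"key":"x"},"apple_nfc":{}}'),
    "rce_rule": HttpTx("POST", 9780, "/api/ucore/backup/export",
                       req_body='{"dir":"/tmp;id"}', status=200),
    "rce_spaced": HttpTx("POST", 9780, "/api/ucore/backup/export",
                         req_body='{"dir" : "/tmp|id"}', status=200),
    "nfc_create": HttpTx("POST", 9780, "/api/v1/user_assets/nfc", status=200,
                         req_body='{"alias":"x","nfc_id":"y"}', resp_body='{"code":"CODE_SUCCESS"}'),
    "benign_backup": HttpTx("POST", 9780, "/api/ucore/backup/export",
                            req_body='{"dir":"/data/backup"}', status=200),
    "authed_keys": HttpTx("GET", 9780, "/api/v1/user_assets/touch_pass/keys",
                          req_headers={"Cookie": "TOKEN=abc"}, status=200,
                          resp_headers={"Content-Type": "application/json"},
                          resp_body='{"google_pass_auth_key":{}}'),
}


def scan(samples: dict = SAMPLES) -> dict[str, list[str]]:
    """Run detect() over a batch and return {name: findings}."""
    return {name: detect(tx) for name, tx in samples.items()}


if __name__ == "__main__":
    for name, hits in scan().items():
        print(f"{name:14s} {hits or 'no indicator'}")
```

The "authed_keys" sample returns nothing on purpose: the page's indicators are about unauthenticated access, and a session-bearing request to the keys endpoint is normal administrative traffic. Like the ET rule, this only works on cleartext or decrypted HTTP.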
CVSS provenance
NVD (CVSS v3.1): 10.0 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
VulnCheck: 10.0 CRITICAL
GHSA
GHSA-2rj5-gh6q-72fp (ghsa_unreviewed · 2025-10-31): CVE-2025-52665 [CRITICAL], CWE-306 Missing Authentication for Critical Function. Description, affected versions and mitigation are the same as in the CVE record above.
VulnCheck
ui unifi_access Missing Authentication for Critical Function (vulncheck · 2025 · CVE-2025-52665 [CRITICAL] · CVSS 10.0). Description, affected versions and mitigation are the same as in the CVE record above.
Affected: Ubiquiti, Inc UniFi Access
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://app.crowdsec.net/cti/cve-explorer/CVE-2025-52665
Suricata
ET WEB_SPECIFIC_APPS UniFi Access Unauthenticated Remote Code Execution (CVE-2025-52665) (suricata · 2025-12-01 · CVE-2025-52665 [CRITICAL] · CVSS 10.0)
Rule: sid:2065968 rev:1, reproduced in full under Detection & IOCs above. It fires on an established to-server HTTP request whose URI contains /api/ucore/backup/export and whose body carries a "dir": JSON key with a quoted value containing one of ; & ` | $. Its metadata (tls_state TLSDecrypt, deployment SSLDecrypt) marks it as effective only on decrypted traffic.
Nuclei
UniFi - NFC Credentials (nuclei · severity: high)
An unauthenticated GET to /api/v1/user_assets/touch_pass/keys returns JSON containing live credential material (PEM private key, Apple NFC/express key values, terminal type, TTL, google_pass_auth_key block, version identifiers) over a publicly reachable port, allowing theft and immediate misuse of mobile/NFC access credentials.
Template:
```yaml
id: unifi-nfc-credentials
info:
  name: UniFi - NFC Credentials
  author: DhiyaneshDk
  severity: high
  description: |
    An unauthenticated GET to /api/v1/user_assets/touch_pass/keys returns JSON containing live credential material (PEM private key, Apple NFC/express key values, terminal type, TTL, google_pass_auth_key block, version identifiers) over a publicly reachable port — allowing theft and immediate misuse of mobile/NFC access credentials.
```
Nuclei
UniFi Access - Broken Access Control (nuclei · CVE-2025-52665 [CRITICAL] · CVSS 10.0)
UniFi Access Application 3.3.22 through 3.4.31 contains broken authentication: a misconfiguration exposes the management API without proper authentication, letting attackers on the management network reach management functions. Exploitation requires network access.
Template:
```yaml
id: CVE-2025-52665
info:
  name: UniFi Access - Broken Access Control
  author: theamanrawat,DhiyaneshDK
  severity: critical
  description: |
    UniFi Access Application 3.3.22 through 3.4.31 contains a broken authentication caused by misconfiguration exposing management API without proper authentication, letting attackers on management network access management functions, exploit requires network access.
  impact: |
    Attackers on the management network can access management APIs without authe
```
Nuclei
UniFi - Unauthenticated Creation Access For Users (nuclei · severity: high)
The /api/v1/user_assets/nfc endpoint accepts unauthenticated POST requests with NFC provisioning data (e.g., alias, asset_id, nfc_id, tokens) and returns {"code":"CODE_SUCCESS"} over HTTP, confirming backend processing without any authentication or session validation.
Template:
```yaml
id: unifi-create-user
info:
  name: UniFi - Unauthenticated Creation Access For Users
  author: DhiyaneshDk
  severity: high
  description: |
    The /api/v1/user_assets/nfc endpoint accepts unauthenticated POST requests with NFC provisioning data (e.g., alias, asset_id, nfc_id, tokens) and returns {"code":"CODE_SUCCESS"} over HTTP, confirming backend processing without any authentication or session validation.
  reference:
    - https://www.catchify.sa/post/cve-2025-52665-rce-in-
```