S4E

CVE-2025-52665 Scanner

CVE-2025-52665 Scanner - Remote Code Execution (RCE) vulnerability in UniFi Access

Short Info

Level: Critical

Scan type: Single Scan

Can be used by: Asset Owner

Estimated Time: 10 seconds

Time Interval: 9 days 3 hours

Scan only one: Domain, Subdomain, IPv4

UniFi Access is an access control system used by businesses and organizations to manage entry points and secure buildings. It offers a scalable solution that integrates with various security devices and provides a centralized management platform. UniFi Access is designed to be user-friendly, allowing IT administrators to install and configure it easily. The system is typically deployed in environments that require strict control over access permissions, ensuring that unauthorized personnel cannot gain entry. Organizations of different sizes rely on it for its reliability and the convenience of centralized management. Such systems are critical in industries where access to physical locations must be closely monitored and regulated.

The Remote Code Execution (RCE) vulnerability in UniFi Access arises from a broken access control misconfiguration. It allows an attacker with network access to reach the management APIs without proper authentication. By leveraging this flaw, unauthorized users can potentially gain control over the system and execute arbitrary code. The lapse exposes sensitive management functions to unauthenticated network users, bypassing the intended security layers. In general, access control flaws can cause significant trust and operational problems in affected environments, which underscores the need for rigorous configuration management in security-critical applications.

Technically, the vulnerability stems from the way the UniFi Access management API is exposed as a result of a misconfiguration: HTTP requests reach endpoints that should be protected by authentication. The issue can be demonstrated by triggering an unauthorized export of a backup through specific tools or scripts. In other words, the software fails to enforce the required authentication checks on certain API endpoints, permitting operations that would normally require administrative permissions. Identifying vulnerabilities of this kind requires in-depth testing of the API surface for authentication loopholes.

If this vulnerability is exploited, unauthorized individuals could gain admin-level access to sensitive management functions. This may lead to manipulation or theft of data, disruption of system operations, and potentially more severe compromise of other network systems connected to the affected instance. Such exploits undermine trust in the system's integrity and can have legal or financial repercussions for the organizations involved. Left unaddressed, the flaw may also provide a foothold for further intrusions and exploit chains by malicious actors.
