Cybersecurity

UniFi Door Access App Vulnerability

Ubiquiti’s UniFi Access application has been identified with a critical vulnerability, exposing its management API without authentication. This issue, discovered by Catchify Security, allows malicious actors on the management network to potentially take full control of door access systems.

The vulnerability is associated with a misconfiguration introduced in version 3.3.22 of the UniFi Access app. This misconfiguration permits attackers to manipulate API endpoints, potentially altering access controls or disrupting operations.

Technical Details

The vulnerability, designated as CVE-2025-52665, affects UniFi Access Application versions 3.3.22 to 3.4.31. The flaw allows network-based exploitation without requiring privileges, posing a significant risk in environments such as corporate offices or smart buildings.

Ubiquiti has acknowledged the issue and has patched it in version 4.0.21. Immediate updates are recommended to prevent exploitation. Security researchers have emphasized the unauthenticated API’s potential to cause cascading failures, such as unauthorized entry or data leaks.

Vulnerability Impact

This critical vulnerability has been rated with a CVSS v3.1 score of 10.0, indicating high risks across confidentiality, integrity, and availability. Attackers only require network access, making it feasible for insiders or those who have breached perimeter defenses.

Ubiquiti advises updating to version 4.0.21 or later as a primary mitigation measure. Organizations should audit network configurations and monitor for unusual API activity in the interim. This incident highlights the importance of robust authentication in IoT and access control software.