UniFi Door Access API Exposed Without Authentication (CVSS 10.0)

Author: CyberDudeBivash

By CyberDudeBivash · 28 Oct 2025 · cyberbivash.blogspot.com · cyberdudebivash.com


Critical: Ubiquiti’s UniFi Access application contained a flaw that exposed its management API without authentication. Ubiquiti rates it CVSS 10.0 (Critical) and urges immediate updates to v4.0.21 or later. Patch now.

The bug (tracked as CVE-2025-52665) allowed anyone on the management network to reach privileged endpoints with no login, enabling full takeover of doors, users, and audit logs. If you run UniFi Access for buildings or offices, treat this as an emergency.

Scope: Affected & Fixed Versions

  • Affected app: UniFi Access (Door Access) application.
  • CVE: CVE-2025-52665 · CVSS 10.0.
  • Affected versions (per vendor and media reports): approximately 3.3.22 through 3.4.31.
  • Fixed version: 4.0.21+ — update immediately, then verify build numbers across all controllers/gateways.

Impact & Abuse Scenarios

  • Unauthenticated API access: management endpoints respond without a token on the LAN/management subnet.
  • Physical security takeover: add/remove users & badges, unlock doors, change schedules.
  • Evidence tampering: clear or forge access logs; disable alarms.
  • Pivots: harvest credentials/tokens and pivot to adjacent UniFi apps (Protect/Talk) if the apps share a single host that is not isolated.

Immediate Fix (Do This Now)

  1. Patch: upgrade UniFi Access application to 4.0.21 or later on all controllers.
  2. Rotate secrets: reset local admin creds, revoke API keys/tokens; re-issue mobile/app credentials.
  3. Network isolation: place Access controllers on a dedicated management VLAN/subnet; restrict by ACL to admin IPs only.
  4. Firewall & WAF: block controller exposure to the internet; restrict inbound to HTTPS from jump/bastion hosts; monitor for strange API paths.
  5. Vendor advisories: subscribe and enable auto-update windows; schedule quarterly security reviews.

Detections & Hunt Queries

  • Web logs: look for spikes in requests to the Access /api/* paths that carry no auth header, and for runs of 200 responses from unusual source IPs.
  • Controller logs: creation/deletion of badges/users outside business hours; config changes followed by door events.
  • Network: scans to the controller from guest/IoT VLANs; ARP sources not in allowlist.
  • XDR/SIEM: alerts on new admin accounts, token generations, or API errors across UniFi stacks on the same host.
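As an added example (not from the original post and not Ubiquiti's code), a small Python hunt that implements the first web-log check above: it parses constructed reverse-proxy log lines, keeps /api/* requests that were answered 200 with no Authorization header, tags each with whether the source IP is outside the admin allowlist, and counts hits per source to surface spikes. The log format, the trailing quoted auth field, the API paths, the IP addresses and the allowlist are all assumptions made for this example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log lines (not real UniFi Access output). The format, the
# trailing quoted Authorization field ("-" = header absent), the paths and the
# IP addresses are all assumptions made for this example.
SAMPLE_LOG = """\
10.10.5.23 - [28/Oct/2025:09:14:02 +0000] "GET /api/v1/doors HTTP/1.1" 200 "Bearer ***"
10.10.5.23 - [28/Oct/2025:09:14:05 +0000] "POST /api/v1/doors/unlock HTTP/1.1" 200 "Bearer ***"
192.168.40.77 - [28/Oct/2025:02:31:10 +0000] "GET /api/v1/users HTTP/1.1" 200 "-"
192.168.40.77 - [28/Oct/2025:02:31:11 +0000] "POST /api/v1/users HTTP/1.1" 200 "-"
192.168.40.77 - [28/Oct/2025:02:31:12 +0000] "DELETE /api/v1/logs HTTP/1.1" 200 "-"
192.168.40.77 - [28/Oct/2025:02:31:13 +0000] "GET /api/v1/doors HTTP/1.1" 401 "-"
10.10.5.9 - [28/Oct/2025:09:20:44 +0000] "GET /static/app.js HTTP/1.1" 200 "-"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) - \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) "(?P<auth>[^"]*)"$'
)

def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def hunt_unauth_api(log_text, admin_allowlist, spike_threshold=2):
    """Return (hits, spikes). hits: /api/* requests answered 200 with no
    Authorization header, each tagged with whether the source IP is outside
    the admin allowlist. spikes: source IP -> count, for counts >= threshold."""
    nets = [ipaddress.ip_network(n) for n in admin_allowlist]
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith("/api/"):
            continue  # unparseable line or non-API request
        if rec["status"] == 200 and rec["auth"] in ("", "-"):
            src = ipaddress.ip_address(rec["ip"])
            rec["outside_allowlist"] = not any(src in n for n in nets)
            hits.append(rec)
    counts = Counter(h["ip"] for h in hits)
    spikes = {ip: n for ip, n in counts.items() if n >= spike_threshold}
    return hits, spikes

HITS, SPIKES = hunt_unauth_api(SAMPLE_LOG, ["10.10.5.0/24"])  # run on the sample
```

On the sample, the three unauthenticated 200s from 192.168.40.77 (a non-admin subnet) are returned as hits and that address is reported as a spike; the 401 and the authenticated requests are ignored.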

Hardening Checklist (Prevent the Next One)

  • Never co-host physical access apps with internet-facing workloads; use separate hosts/VMs.
  • Put the controller behind a VPN or zero-trust broker; no direct WAN exposure.
  • Enforce MFA for admin users; short-lived API tokens; IP allowlists.
  • Daily backup & secure export of controller config and access logs (tamper-evident storage).
  • Quarterly red-team exercise covering the badge lifecycle (enrol/revoke), door schedules, and emergency unlock procedures.

Recommended by CyberDudeBivash (Partner Links)

Patch, monitor, and train fast with our vetted partners:

  • Kaspersky EDR/XDR: detect controller abuse & lateral movement
  • Edureka (SOC & OT Security): train teams to secure access systems
  • TurboVPN: admin access over VPN, no WAN exposure
  • Alibaba (Global): secure VMs for controller isolation
  • AliExpress (Global): hardware security keys & lab gear
  • Rewardful: run your internal partner program

CyberDudeBivash Services & Apps

Need help now? We deliver UniFi Access emergency patching, config hardening, controller isolation, and 24×7 incident response.

  • PhishRadar AI — detects phishing & prompt-injection
  • SessionShield — protects admin sessions & tokens
  • Threat Analyser GUI — intel dashboards + alert correlation


FAQ

Q: Is this internet-remote?
A: The critical risk is on the management network. Public exposure makes it worse. Keep controllers off the WAN.

Q: We’re on 3.x — safe?
A: No. Update to 4.0.21+ immediately and validate all nodes after upgrade.

Q: Do we need to re-issue badges?
A: Re-issue badges and audit schedules if logs show unauthorized changes.


Affiliate Disclosure: We may earn commissions from partner links at no extra cost to you. Opinions are independent.

CyberDudeBivash — Global Cybersecurity Apps, Services & Threat Intelligence.

cyberbivash.blogspot.com · cyberdudebivash.com · cryptobivash.code.blog

#CyberDudeBivash #UniFi #Ubiquiti #DoorAccess #CVE202552665 #CVSS10 #OTSecurity #ThreatWire
