Ubiquiti UniFi Door Access App Vulnerability Exposes API Management Without Authentication

Ubiquiti UniFi Door Access App Vulnerability Exposes API Management Without Authentication

Posted on By CWS

Ubiquiti’s UniFi Entry software has been discovered weak to a crucial flaw that leaves its administration API uncovered with out authentication.

Found by Catchify Safety, this difficulty permits malicious actors on the administration community to probably take full management of door entry techniques, elevating alarms for organizations counting on the platform for bodily safety.

The vulnerability stems from a misconfiguration launched in model 3.3.22 of the UniFi Entry app. With out correct safeguards, attackers may manipulate API endpoints to change entry controls, unlock doorways, or disrupt operations.

This publicity turns a routine community entry right into a gateway for unauthorized adjustments, particularly in environments the place bodily and digital safety intersect.

UniFi Door Entry App Vulnerability

CVE-2025-52665 impacts the UniFi Entry Software particularly, concentrating on variations from 3.3.22 to three.4.31.

The flaw allows network-based exploitation with no privileges required, amplifying its hazard in related setups like company places of work or good buildings.

Ubiquiti acknowledged the problem, noting it was patched in model 4.0.21, urging fast updates to stop exploitation.

Safety researchers at Catchify Safety (@catchifySA) highlighted how the unauthenticated API may result in cascading failures, comparable to unauthorized entry or information leaks from built-in techniques.

Rated at an ideal CVSS v3.1 rating of 10.0, this crucial vulnerability poses excessive dangers throughout confidentiality, integrity, and availability.

Attackers want solely community entry, making it easy for insiders or those that’ve breached perimeter defenses.

CVE IDAffected ProductsCVSS v3.1 Base ScoreVector StringDescriptionCVE-2025-52665UniFi Entry Software (v3.3.22 – 3.4.31)10.0 (Important)CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HUnauthenticated API publicity permitting full administration management.

Ubiquiti recommends updating to model 4.0.21 or later as the first mitigation. Organizations ought to audit community configurations and monitor for uncommon API exercise within the interim.

This incident underscores the necessity for sturdy authentication in IoT and entry management software program.

Comply with us on Google Information, LinkedIn, and X for each day cybersecurity updates. Contact us to characteristic your tales.

Cyber Security News Tags:, , , , , , , , ,

Related Posts

Seven QNAP Zero-Day Vulnerabilities Exploited at Pwn2Own 2025 Now Patched Seven QNAP Zero-Day Vulnerabilities Exploited at Pwn2Own 2025 Now Patched Cyber Security News
Cognizant Hit With Multiple US Class-Action Lawsuits Following TriZetto Data Breach Cognizant Hit With Multiple US Class-Action Lawsuits Following TriZetto Data Breach Cyber Security News
LangGraph Vulnerability Allows Malicious Python Code Execution During Deserialization LangGraph Vulnerability Allows Malicious Python Code Execution During Deserialization Cyber Security News
High-Value Windows RDS Exploit Surfaces on Dark Web High-Value Windows RDS Exploit Surfaces on Dark Web Cyber Security News
New Zip Slip Vulnerability Allows Attackers to Manipulate ZIP Files During Decompression New Zip Slip Vulnerability Allows Attackers to Manipulate ZIP Files During Decompression Cyber Security News
PgAdmin Vulnerability Lets Attackers Gain Unauthorised Account Access PgAdmin Vulnerability Lets Attackers Gain Unauthorised Account Access Cyber Security News