Ubiquiti’s UniFi Access application has been found vulnerable to a critical flaw that leaves its management API exposed without authentication.
Discovered by Catchify Security, this issue allows malicious actors on the management network to potentially take full control of door access systems, raising alarms for organizations relying on the platform for physical security.
The vulnerability stems from a misconfiguration introduced in version 3.3.22 of the UniFi Access app. Without proper safeguards, attackers could manipulate API endpoints to alter access controls, unlock doors, or disrupt operations.
This exposure turns a routine network access into a gateway for unauthorized changes, especially in environments where physical and digital security intersect.
UniFi Door Access App Vulnerability
CVE-2025-52665 affects the UniFi Access Application specifically, targeting versions from 3.3.22 to 3.4.31.
The flaw enables network-based exploitation with no privileges required, amplifying its danger in connected setups like corporate offices or smart buildings.
Ubiquiti acknowledged the issue, noting it was patched in version 4.0.21, urging immediate updates to prevent exploitation.
Security researchers at Catchify Security (@catchifySA) highlighted how the unauthenticated API could lead to cascading failures, such as unauthorized entry or data leaks from integrated systems.
Rated at a perfect CVSS v3.1 score of 10.0, this critical vulnerability poses high risks across confidentiality, integrity, and availability.
Attackers need only network access, making it straightforward for insiders or those who’ve breached perimeter defenses.
| CVE ID | Affected Products | CVSS v3.1 Base Score | Vector String | Description |
|---|---|---|---|---|
| CVE-2025-52665 | UniFi Access Application (v3.3.22 – 3.4.31) | 10.0 (Critical) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H | Unauthenticated API exposure allowing full management control. |
Ubiquiti recommends updating to version 4.0.21 or later as the primary mitigation. Organizations should audit network configurations and monitor for unusual API activity in the interim.
This incident underscores the need for robust authentication in IoT and access control software.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
