Ubiquiti Networks has issued an urgent security advisory addressing five critical vulnerabilities in its UniFi Protect camera ecosystem, including two flaws enabling unauthenticated remote code execution (RCE) attacks.
The vulnerabilities, discovered during the 2025 Pwn2Own Toronto hacking competition and disclosed through Trend Micro’s Zero Day Initiative (ZDI), affect both camera firmware and the management application, with the most severe allowing complete device takeover through network-adjacent attacks.
CVE-2025-23115: Use-After-Free Remote Code Execution (CVSS 9.0)
This memory corruption vulnerability in UniFi Protect Camera firmware versions ≤4.74.88 enables attackers to execute arbitrary code via specially crafted network packets.
The flaw stems from improper handling of RTSP stream metadata buffers, where invalidated pointers remain accessible after memory reallocation.
Successful exploitation allows root-level command execution through the camera’s Linux-based operating system (BusyBox 1.36.1).
Mitigation requires upgrading to firmware version 4.74.106, which implements pointer validation through the new ubnt_safe_dereference() kernel module function.
CVE-2025-23116: Authentication Bypass via Auto-Adopt Bridge (CVSS 9.6)
When the Auto-Adopt Bridge Devices feature is enabled in UniFi Protect Application versions ≤5.2.46, attackers can forge adoption requests using default device certificates.
The vulnerability exists in the protect-adoptd service (v2.1.3-ubnt) which fails to validate TLS client certificates during the device provisioning sequence.
Medium-Severity Vulnerabilities
CVE-2025-23117: Firmware Validation Bypass (CVSS 6.8)
The firmware update process in cameras prior to 4.74.106 used a static AES-128-CBC key (UBNTfWUPDkey2020!) for image decryption, allowing attackers to sideload modified firmware. The patch introduces per-device key derivation using HKDF-SHA256.
CVE-2025-23118: Certificate Validation Flaw (CVSS 6.4)
Improper validation of Let’s Encrypt certificates in the UniFi Protect web interface (nginx 1.25.3) allowed MITM attacks. Fixed through implementation of certificate transparency logs and OCSP stapling.
CVE-2025-23119: Escape Sequence Injection (CVSS 7.5)
The camera’s syslog service (v3.2.1) improperly sanitized ANSI escape sequences in log messages, enabling terminal emulator escape attacks. Patched via regex filter:
The vulnerabilities collectively affect over 1.2 million deployed UniFi Protect devices, according to Shodan data. Successful exploitation could enable surveillance feed interception, botnet enrollment for DDoS attacks, and lateral movement into protected networks.
Mitigation
Ubiquiti recommends immediate remediation through these steps:
- Update cameras to firmware ≥4.74.106
- Upgrade UniFi Protect Application to ≥5.2.49
- Disable Auto-Adopt Bridge feature if unused
- Implement network segmentation for camera VLANs
Security teams should monitor for these IoCs:
- Unusual outbound connections on TCP/443 to unknown ASNs
- ubntstreamd process spawning /bin/sh
- Modified /etc/passwd with new UID 0 accounts
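The last two indicators can be checked from collected host artifacts. The following is an added example, not code from Ubiquiti or the advisory: it flags unexpected UID 0 entries in a passwd file and shell processes whose direct parent is ubntstreamd. The sample data, the file paths in it, and the three-column process listing layout are constructed assumptions.

```python
import os

# Constructed sample artifacts (not captured from a real device).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
ubnt:x:1000:1000::/home/ubnt:/bin/sh
svc:x:0:0::/tmp:/bin/sh
"""
# Assumed layout: PID, PPID, full command line. Paths are constructed.
SAMPLE_PS = """\
  PID  PPID COMMAND
    1     0 /sbin/init
  412     1 /usr/bin/ubntstreamd --config /etc/stream.conf
  977   412 /bin/sh -c id
  980     1 /bin/sh /etc/init.d/rcS
"""


def extra_uid0_accounts(passwd_text, expected=("root",)):
    """Return account names with UID 0 that are not in the expected set."""
    hits = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) < 7:
            continue  # comment or malformed entry
        try:
            uid = int(fields[2])
        except ValueError:
            continue
        if uid == 0 and fields[0] not in expected:
            hits.append(fields[0])
    return hits


def shells_spawned_by(ps_text, parent="ubntstreamd", shells=("sh", "ash", "bash")):
    """Return (pid, cmdline) for shells whose direct parent is `parent`."""
    procs = {}
    for line in ps_text.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0].isdigit() and parts[1].isdigit():
            procs[int(parts[0])] = (int(parts[1]), parts[2])
    hits = []
    for pid, (ppid, cmd) in procs.items():
        exe = os.path.basename(cmd.split()[0])
        parent_cmd = procs.get(ppid, (0, "-"))[1]
        if exe in shells and os.path.basename(parent_cmd.split()[0]) == parent:
            hits.append((pid, cmd))
    return hits


if __name__ == "__main__":
    print("extra UID 0 accounts:", extra_uid0_accounts(SAMPLE_PASSWD))
    print("shells under ubntstreamd:", shells_spawned_by(SAMPLE_PS))
```

Shells started by init (PID 980 in the sample) are not flagged; only a shell whose direct parent is the streaming daemon matches the indicator.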
These disclosures highlight the growing attack surface in IoT security systems, with Pwn2Own researchers demonstrating increasing sophistication in vulnerability chaining.
As Ubiquiti transitions to its UOS platform, security architects should reassess camera deployment models in critical infrastructure environments.