CVE-2025-52665
Published: 31 October 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-52665 is a critical vulnerability (CVSS 10.0, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) classified under CWE-306 (Missing Authentication for Critical Function) in UniFi Access, Ubiquiti's door access application. The flaw arises from a misconfiguration that exposes a management API without proper authentication; it was introduced in version 3.3.22 and affects versions 3.3.22 through 3.4.31.
A malicious actor with access to the management network can exploit this vulnerability to interact with the unauthenticated management API. The attack is low in complexity and requires neither user interaction nor privileges, and it has high impact on confidentiality, integrity, and availability with a changed scope, potentially allowing full compromise of the affected application.
Ubiquiti's Security Advisory Bulletin 056 recommends updating the UniFi Access Application to version 4.0.21 or later as the primary mitigation. Additional details are available at https://community.ui.com/releases/Security-Advisory-Bulletin-056/ce97352d-91cd-40a7-a2f4-2c73b3b30191.
Details
CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability exposes an unauthenticated management API reachable over the network (AV:N/PR:N), which directly enables exploitation of a public-facing or remotely accessible application as described by T1190 (Exploit Public-Facing Application).