Ubiquiti

A critical unauthenticated Remote Code Execution (RCE) vulnerability (CVE-2025-52665, CVSS 9.8) was discovered in Ubiquiti's UniFi OS, exposing the backup API infrastructure across UniFi devices (Network, Protect, Access). The flaw stemmed from improper input validation in the `/api/ucore/backup/export` endpoint, allowing attackers to inject shell metacharacters via the `dir` parameter and execute arbitrary system commands with elevated privileges. Exploitation involved chaining unsanitized inputs in commands such as `mktemp`, `tar`, and `du`, leading to full system compromise, including reverse shell access and sensitive data exfiltration. The vulnerability was exacerbated by misconfigured network exposure: the endpoint, intended for local access only (`127.0.0.1`), was inadvertently exposed on port 9780 via an external proxy. Researchers also uncovered additional unauthenticated API endpoints enabling unauthorized access to NFC credentials, cryptographic keys, and door control systems. While no confirmed breaches were reported, the flaw posed a severe risk of large-scale device takeover, lateral movement within networks, and potential disruption of physical security systems (e.g., access controls). Ubiquiti issued patches, but unpatched systems remain at risk of complete operational sabotage or data theft by remote attackers.
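The defect class described above (a client-supplied `dir` value interpolated into shell commands) and two of the recommendations below (strict input validation, monitoring of backup-endpoint activity) are illustrated by the following added example. It is not UniFi OS code and not taken from the cited write-up: the endpoint path and parameter name come from the page, while `BACKUP_ROOT`, the function names, the `mktemp`/`tar`/`du` arguments and the access-log lines are constructed for illustration.

```python
"""Hardened handling of a client-controlled directory parameter that feeds a
backup/export command, plus a log check for requests that would fail that
validation.  Added example for this incident record, not UniFi OS code: the
endpoint path and the ``dir`` parameter name are taken from the page; every
function, the base path, the command arguments and the sample log lines are
constructed assumptions."""
import re
import subprocess
from pathlib import Path
from typing import List, Tuple
from urllib.parse import parse_qs, urlparse

# Constructed assumption: exported backups may only be written under this root.
BACKUP_ROOT = Path("/var/backups/unifi")

# Allowlist for a directory *name* supplied by a client: no whitespace, no
# path separators and none of the shell metacharacters the page mentions.
_SAFE_SEGMENT = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")

EXPORT_PATH = "/api/ucore/backup/export"   # endpoint named on the page


class InvalidParameter(ValueError):
    """Raised when the client-controlled ``dir`` value fails validation."""


def validate_backup_dir(raw: str) -> Path:
    """Return the target path under BACKUP_ROOT or raise InvalidParameter.

    Two independent checks: the raw value must match the allowlist, and the
    resolved path must still sit inside BACKUP_ROOT (defence in depth against
    traversal even if the allowlist were later loosened)."""
    if not _SAFE_SEGMENT.match(raw):
        raise InvalidParameter(f"rejected dir parameter: {raw!r}")
    target = (BACKUP_ROOT / raw).resolve()
    if BACKUP_ROOT.resolve() not in target.parents:
        raise InvalidParameter("dir escapes backup root")
    return target


def is_valid_backup_dir(raw: str) -> bool:
    """Boolean convenience wrapper around validate_backup_dir."""
    try:
        validate_backup_dir(raw)
        return True
    except InvalidParameter:
        return False


def build_export_argv(raw_dir: str) -> List[List[str]]:
    """Return the three commands as argv lists for subprocess.run(argv) with
    the default shell=False: the validated path travels as one argument, so
    a metacharacter inside it would be inert rather than interpreted.
    The flags and the /data source path are illustrative assumptions, not the
    product's actual commands."""
    target = validate_backup_dir(raw_dir)
    return [
        ["mktemp", "-d", "-p", str(target)],
        ["tar", "-czf", str(target / "backup.tgz"), "-C", "/data", "."],
        ["du", "-sh", str(target)],
    ]


def run_export(raw_dir: str) -> None:
    """Execute the export without a shell; never called by the checks below."""
    for argv in build_export_argv(raw_dir):
        subprocess.run(argv, check=True)


def flag_suspicious_requests(log_lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_number, decoded_dir) for requests to the export endpoint
    whose ``dir`` value would fail validate_backup_dir.  Input is common-log
    format; percent-encoding is decoded by parse_qs before checking."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = re.search(r'"(?:GET|POST) (\S+) HTTP', line)
        if not m:
            continue
        url = urlparse(m.group(1))
        if url.path != EXPORT_PATH:
            continue
        for value in parse_qs(url.query).get("dir", []):
            if not is_valid_backup_dir(value):
                hits.append((n, value))
    return hits


# Constructed access-log lines (not real traffic): one clean export request,
# one traversal attempt, one value carrying a shell metacharacter, one
# unrelated request.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jun/2025:10:00:01 +0000] "GET /api/ucore/backup/export?dir=nightly HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jun/2025:10:00:02 +0000] "GET /api/ucore/backup/export?dir=..%2F..%2Fetc HTTP/1.1" 400 0',
    '198.51.100.7 - - [01/Jun/2025:10:00:03 +0000] "GET /api/ucore/backup/export?dir=nightly%3Btrue HTTP/1.1" 200 0',
    '10.0.0.9 - - [01/Jun/2025:10:00:04 +0000] "GET /api/ucore/status HTTP/1.1" 200 77',
]

if __name__ == "__main__":
    for line_no, value in flag_suspicious_requests(SAMPLE_LOG):
        print(f"line {line_no}: rejected dir value {value!r}")
```

The argv-list form is the "safer alternative" the corrective actions refer to: because no shell parses the command line, validation becomes a correctness control rather than the only barrier to command injection. The log check reuses the same validator, so the rule that blocks a request in production is the rule that surfaces it in monitoring.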

Source: https://cyberpress.org/unifi-os-vulnerability/

TPRM report: https://www.rankiteo.com/company/ubiquiti-

{
"id": "ubi2493124110325",
"linkid": "ubiquiti-",
"type": "Vulnerability",
"date": "6/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'industry': 'Networking Hardware/Software',
                        'location': 'Global',
                        'name': 'Ubiquiti Inc.',
                        'type': 'Technology Company'}],
 'attack_vector': 'Network',
 'customer_advisories': 'Users advised to update UniFi OS to the latest '
                        'version and restrict API endpoint exposure.',
 'data_breach': {'data_exfiltration': 'Demonstrated in proof-of-concept (e.g., '
                                      'sensitive files, reverse shell access)',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['System files',
                                              'NFC credentials',
                                              'Cryptographic keys',
                                              'Access control data']},
 'description': 'A critical unauthenticated Remote Code Execution (RCE) '
                'vulnerability (CVE-2025-52665) was discovered in Ubiquiti’s '
                'UniFi OS, affecting the backup API infrastructure across '
                'UniFi devices. The flaw stems from improper input validation '
                'in the backup export endpoint (/api/ucore/backup/export), '
                'allowing attackers to execute arbitrary commands with '
                'elevated privileges via shell metacharacter injection. The '
                'vulnerability was exposed due to a misconfigured API endpoint '
                'lacking access controls, which was unintentionally proxied to '
                'an external-facing port (9780). Successful exploitation '
                'enables full system compromise, including sensitive file '
                'exfiltration and reverse shell access. Additional '
                'unauthenticated endpoints were identified, exposing NFC '
                'credential provisioning and cryptographic key material '
                'retrieval. The discovery was rewarded with a $25,000 bounty, '
                'underscoring its severity (CVSS 9.8).',
 'impact': {'brand_reputation_impact': 'High (critical vulnerability with full '
                                       'system compromise potential)',
            'data_compromised': ['Sensitive files',
                                 'NFC credentials',
                                 'Cryptographic key material'],
            'identity_theft_risk': 'High (NFC credentials and cryptographic '
                                   'keys exposed)',
            'operational_impact': 'Full system compromise, unauthorized access '
                                  'to access control systems',
            'systems_affected': ['UniFi OS (Backup API)',
                                 'UniFi Network',
                                 'UniFi Protect',
                                 'UniFi Access',
                                 'Door control systems']},
 'initial_access_broker': {'backdoors_established': 'Reverse shell access '
                                                    'demonstrated',
                           'entry_point': '/api/ucore/backup/export (via port '
                                          '9780)',
                           'high_value_targets': ['NFC credential systems',
                                                  'Door access controls',
                                                  'Cryptographic keys']},
 'investigation_status': 'Disclosed (Proof-of-Concept Demonstrated)',
 'lessons_learned': ['Unauthenticated API endpoints pose severe risks, '
                     'especially when exposed externally.',
                     'Input validation and sanitization are critical for '
                     'endpoints handling shell commands (e.g., `mktemp`, '
                     '`tar`).',
                     'Network segmentation and access controls must enforce '
                     'strict isolation for internal services (e.g., '
                     '127.0.0.1).',
                     'Live API documentation (e.g., Swagger) can inadvertently '
                     'aid attackers in reconnaissance.',
                     'Vulnerability chaining (e.g., RCE + unauthenticated '
                     'endpoints) amplifies impact.'],
 'post_incident_analysis': {'corrective_actions': ['Patch CVE-2025-52665 to '
                                                   'fix input validation in '
                                                   'backup API.',
                                                   'Reconfigure network '
                                                   'proxies to restrict '
                                                   'internal service exposure.',
                                                   'Implement authentication '
                                                   'for all sensitive API '
                                                   'endpoints.',
                                                   'Replace shell command '
                                                   'chaining with safer '
                                                   'alternatives (e.g., direct '
                                                   'function calls).',
                                                   'Disable or secure live API '
                                                   'documentation in '
                                                   'production environments.',
                                                   'Conduct a comprehensive '
                                                   'security audit of UniFi OS '
                                                   'architecture.'],
                            'root_causes': ['Lack of input validation in '
                                            'backup API endpoint.',
                                            'Misconfigured proxy exposing '
                                            'internal service (127.0.0.1) to '
                                            'external network (port 9780).',
                                            'Insufficient access controls for '
                                            'sensitive API endpoints (e.g., '
                                            'NFC provisioning).',
                                            'Over-reliance on shell commands '
                                            'without proper parameter '
                                            'sanitization.',
                                            'Exposure of live API '
                                            'documentation (Swagger) aiding '
                                            'endpoint discovery.']},
 'recommendations': ['Apply the official patch for CVE-2025-52665 immediately.',
                     'Audit all UniFi OS API endpoints for unauthorized '
                     'exposure and lack of authentication.',
                     'Disable or restrict external access to internal-facing '
                     'services (e.g., port 9780).',
                     'Implement strict input validation for all parameters '
                     'processed by shell commands.',
                     'Monitor for unusual API activity, especially around '
                     'backup and credential endpoints.',
                     'Review and harden access controls for NFC credential and '
                     'cryptographic key management systems.',
                     'Conduct a thorough security assessment of the UniFi OS '
                     'architecture to identify similar vulnerabilities.'],
 'references': [{'source': 'CVE Details',
                 'url': 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-52665'},
                {'source': 'Ubiquiti Security Advisory'}],
 'response': {'containment_measures': ['Immediate patching of UniFi OS',
                                       'Review of network access controls'],
              'enhanced_monitoring': 'Recommended',
              'network_segmentation': 'Recommended',
              'remediation_measures': ['Restrict exposure of API endpoints '
                                       '(e.g., port 9780)',
                                       'Implement input '
                                       'validation/sanitization for backup '
                                       'API']},
 'stakeholder_advisories': 'Organizations using UniFi OS urged to patch '
                           'immediately and review network configurations.',
 'title': 'Critical Unauthenticated Remote Code Execution Vulnerability in '
          'Ubiquiti’s UniFi OS (CVE-2025-52665)',
 'type': 'Remote Code Execution (RCE)',
 'vulnerability_exploited': 'CVE-2025-52665 (Improper Input Validation in '
                            'Backup API Endpoint)'}