CVE-2025-52665 - Vulnerability Details

A malicious actor with access to the management network could exploit a misconfiguration in UniFi’s door access application, UniFi Access, that exposed a management API without proper authentication. This vulnerability was introduced in Version 3.3.22 and was fixed in Version 4.0.21 and later. Affected Products: UniFi Access Application (Version 3.3.22 through 3.4.31).   Mitigation: Update your UniFi Access Application to Version 4.0.21 or later.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact total

Vendors	Products
Ui	Unifi Access Unifi Access Points Unifi Os

Configuration 1 [-]

cpe:2.3:a:ui:unifi_access:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://community.ui.com/releases/Security-Advisory-Bulletin-056/ce97352d-91cd-40a7-a2f4-2c73b3b30191

History

Wed, 12 Nov 2025 15:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Ui unifi Access
CPEs		cpe:2.3:a:ui:unifi_access::::::::
Vendors & Products		Ui unifi Access

Fri, 31 Oct 2025 14:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-306
Metrics		cvssV3_1 `{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}` ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Fri, 31 Oct 2025 10:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Ui Ui unifi Access Points Ui unifi Os
Vendors & Products		Ui Ui unifi Access Points Ui unifi Os

Thu, 30 Oct 2025 23:45:00 +0000

Type	Values Removed	Values Added
Description		A malicious actor with access to the management network could exploit a misconfiguration in UniFi’s door access application, UniFi Access, that exposed a management API without proper authentication. This vulnerability was introduced in Version 3.3.22 and was fixed in Version 4.0.21 and later. Affected Products: UniFi Access Application (Version 3.3.22 through 3.4.31).   Mitigation: Update your UniFi Access Application to Version 4.0.21 or later.
References		https://community.ui.com/releases/Security-Advisory-Bulletin-056/ce97352d-91cd-40a7-a2f4-2c73b3b30191

MITRE

Status: PUBLISHED

Assigner: hackerone

Published: 2025-10-30T23:30:28.329Z

Updated: 2025-10-31T14:07:27.850Z

Reserved: 2025-06-18T15:00:00.895Z

Link: CVE-2025-52665

Vulnrichment

Updated: 2025-10-31T14:05:55.588Z

NVD

Status : Analyzed

Published: 2025-10-31T00:15:37.000

Modified: 2025-11-12T14:51:21.057

Link: CVE-2025-52665

Redhat

No data.

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable yes

Technical Impact total

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object