Critical Flaw Exposes UniFi Door Access API to Unauthenticated Control

A critical zero-day flaw has been discovered in Ubiquiti's UniFi Access application, leaving its management API completely exposed without authentication. This vulnerability allows malicious actors with network access to potentially seize full control of an organization's physical door access systems. 

Critical Misconfiguration 

The vulnerability, tracked as CVE-2025-52665, stems from a simple misconfiguration introduced in version 3.3.22 of the UniFi Access app. Because proper safeguards were missing, attackers can manipulate the application's API endpoints to perform unauthorized actions such as altering access controls, unlocking doors, or disrupting operations. 

This exposure turns routine network access into a high-risk pathway for attackers, especially in corporate offices or smart buildings where physical and digital security converge. The flaw affects UniFi Access Application versions 3.3.22 through 3.4.31.

Perfect CVSS Score and Mitigation 

Discovered by Catchify Security, the vulnerability is rated at a perfect CVSS v3.1 score of 10.0, indicating maximum risk across confidentiality, integrity, and availability. Attackers require only network access and no prior privileges to exploit the issue, amplifying the danger posed by insiders or those who have successfully breached perimeter defenses. 

Ubiquiti has acknowledged the flaw and patched it in version 4.0.21. Immediate updates are the primary and most effective form of mitigation. Organizations are strongly urged to update their UniFi Access application to version 4.0.21 or later right away. In the interim, administrators should audit network configurations and monitor for any unusual API activity to prevent unauthorized access. 
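To make the version guidance above actionable across a fleet, here is an added example (not code from the article or from Ubiquiti) that classifies UniFi Access version strings against the affected range and fixed version the article states: 3.3.22 through 3.4.31 affected, 4.0.21 and later patched. Versions between 3.4.31 and 4.0.21 are not listed either way by the article, so they are reported as "unlisted" rather than assumed safe. The host names and versions in the inventory are constructed sample data.

```python
"""Added example (not from the article or Ubiquiti): triage UniFi Access
versions for CVE-2025-52665 using only the ranges the article gives.

Facts from the article: affected 3.3.22 through 3.4.31; fixed in 4.0.21.
Everything else (host names, version samples) is constructed.
"""
from typing import List, Tuple

# Version boundaries as stated in the article.
AFFECTED_MIN = (3, 3, 22)
AFFECTED_MAX = (3, 4, 31)
FIXED = (4, 0, 21)

# Constructed sample inventory: (host, installed UniFi Access version).
SAMPLE_INVENTORY = [
    ("access-hq-1", "3.4.5"),
    ("access-hq-2", "4.0.21"),
    ("access-branch-1", "3.3.21"),
    ("access-branch-2", "3.5.0"),
    ("access-lab", "3.4.31"),
]


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn 'major.minor.patch' into an int tuple so tuples compare correctly.

    Comparing as strings would rank '3.4.5' above '3.4.31'; tuples of ints
    avoid that. Pre-release suffixes are rejected rather than guessed at.
    """
    parts = version.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def classify(version: str) -> str:
    """Map a version to one of four statuses based on the article's ranges."""
    v = parse_version(version)
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        return "vulnerable"
    if v >= FIXED:
        return "patched"
    if v < AFFECTED_MIN:
        # The article says the misconfiguration was introduced in 3.3.22,
        # so earlier builds are outside the published affected range.
        return "not_in_affected_range"
    # Between 3.4.31 and 4.0.21: neither listed as affected nor as fixed.
    return "unlisted"


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (host, version, status) rows, most urgent first."""
    priority = {
        "vulnerable": 0,
        "unlisted": 1,
        "not_in_affected_range": 2,
        "patched": 3,
    }
    rows = [(host, ver, classify(ver)) for host, ver in inventory]
    return sorted(rows, key=lambda row: priority[row[2]])


if __name__ == "__main__":
    for host, ver, status in triage(SAMPLE_INVENTORY):
        print(f"{status:22} {host:16} {ver}")
```

Hosts reported as "vulnerable" need the update to 4.0.21 or later first; "unlisted" hosts should be confirmed against the vendor's advisory rather than treated as safe on the strength of this article alone.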

This incident strongly underscores the urgent need for robust, unbypassable authentication in all Internet of Things (IoT) and physical access control software. 
