CVE-2025-52665

A malicious actor with access to the management network could exploit a misconfiguration in UniFis door access application, UniFi Access, that exposed a management API without proper authentication. This vulnerability was introduced in Version 3.3.22 and was fixed in Version 4.0.21 and later.
 
Affected Products:
UniFi Access Application (Version 3.3.22 through 3.4.31).  

Mitigation:
Update your UniFi Access Application to Version 4.0.21 or later.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
10 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
hackeroneCNA
---
---
CISA-ADPADP
10 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 94%
VendorProductVersion
uiunifi_access
3.3.22 ≤
𝑥
< 4.0.21
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://community.ui.com/releases/Security-Advisory-Bulletin-056/ce97352d-91cd-40a7-a2f4-2c73b3b30191