10.0
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Exploitability: 3.9 / Impact: 6.0
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)
Description
A malicious actor with access to the management network could exploit a misconfiguration in UniFi’s door access application, UniFi Access, that exposed a management API without proper authentication. This vulnerability was introduced in Version 3.3.22 and was fixed in Version 4.0.21 and later.
Affected Products:
UniFi Access Application (Version 3.3.22 through 3.4.31).
Mitigation:
Update your UniFi Access Application to Version 4.0.21 or later.
Affected (1)
Products: Ui: Unifi Access
Configuration A
| Vulnerable Software | Affected Versions |
|---|---|
| From 3.3.22 to 4.0.21 |
References (1)
Source: support@hackerone.com
Vendor Advisory
Timeline (6)
11/12/20252 changes
Initial Analysis - Reference Type
02:51 PM
- -
+ HackerOne: https://community.ui.com/releases/Security-Advisory-Bulletin-056/ce97352d-91cd-40a7-a2f4-2c73b3b30191 Types: Vendor Advisory
Initial Analysis - CPE Configuration
02:51 PM
- -
+
OR
*cpe:2.3:a:ui:unifi_access:*:*:*:*:*:*:*:* versions from (including) 3.3.22 up to (excluding) 4.0.21
10/31/20254 changes
CVE Modified - CWE
02:16 PM
- -
+ CWE-306
CVE Modified - CVSS V3.1
02:16 PM
- -
+ AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
New CVE Received - Reference
12:15 AM
- -
+ https://community.ui.com/releases/Security-Advisory-Bulletin-056/ce97352d-91cd-40a7-a2f4-2c73b3b30191
New CVE Received - Description
12:15 AM
- -
+ A malicious actor with access to the management network could exploit a misconfiguration in UniFi’s door access application, UniFi Access, that exposed a management API without proper authentication. This vulnerability was introduced in Version 3.3.22 and was fixed in Version 4.0.21 and later.
Affected Products:
UniFi Access Application (Version 3.3.22 through 3.4.31).
Mitigation:
Update your UniFi Access Application to Version 4.0.21 or later.