Ubiquiti Networks has issued an urgent security advisory (Bulletin 046) warning of multiple critical vulnerabilities in its UniFi Protect camera ecosystem, including a high-severity remote code execution (RCE) flaw that could allow attackers to hijack devices and infiltrate network infrastructure.
The vulnerabilities, discovered during the Pwn2Own 2025 hacking competition, affect UniFi Protect Cameras (firmware v4.74.88 and earlier) and the UniFi Protect Application (v5.2.46 and earlier).
Technical Breakdown of Critical Vulnerabilities
The most severe flaws include:
- CVE-2025-23115 (CVSS 9.0): A use-after-free memory corruption vulnerability in the camera firmware’s HTTP management interface. Attackers on the same network can exploit this to execute arbitrary code by sending specially crafted packets, potentially gaining full control of the device.
- CVE-2025-23116 (CVSS 9.6): An authentication bypass in the UniFi Protect Application when the Auto-Adopt Bridge Devices feature is enabled. This allows adjacent network attackers—such as those on a shared VLAN or subnet—to adopt unauthorized cameras and manipulate their configurations.
- CVE-2025-23119 (CVSS 7.5): Improper neutralization of escape sequences in the camera’s command-line interface (CLI), enabling unauthenticated RCE via maliciously formatted API requests.
Additional vulnerabilities include insufficient firmware validation (CVE-2025-23117) and improper certificate checks (CVE-2025-23118), which could let attackers deploy tampered firmware or bypass TLS protections.
Exploitation Scenarios and Risks
Successful exploitation of CVE-2025-23115 or CVE-2025-23116 could enable:
- Lateral Movement: Compromised cameras could serve as entry points to pivot into broader network infrastructure, including routers and NAS devices.
- Surveillance Hijacking: Attackers could disable cameras, exfiltrate footage, or inject fake video streams.
- Botnet Recruitment: Vulnerable devices might be co-opted into DDoS botnets, as seen in prior Ubiquiti attacks leveraging UDP amplification.
Researchers at Synacktiv and STEALIEN Inc. demonstrated these exploits during Pwn2Own, highlighting the risks of unpatched IoT devices in enterprise environments.
Mitigation and Firmware Updates
Ubiquiti has released patches in UniFi Protect Camera firmware v4.74.106 and UniFi Protect Application v5.2.49.
Administrators must:
- Immediately update all devices via the UniFi OS Console or manual SSH methods.
- Disable Auto-Adopt Bridge Devices if not required, reducing exposure to CVE-2025-23116.
- Segment camera traffic into isolated VLANs to limit adjacent network access.
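To confirm the update step across a fleet, the following added example (not code from Ubiquiti or from the original article) compares an inventory against the fixed releases named above. The inventory rows, device names and the `camera`/`application` kind labels are constructed for illustration.

```python
import re

# Fixed releases as stated in the article (Bulletin 046).
FIXED = {
    "camera": (4, 74, 106),      # UniFi Protect Camera firmware
    "application": (5, 2, 49),   # UniFi Protect Application
}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) as ints, or None if not in x.y.z form."""
    match = _VERSION_RE.match(text.strip())
    return tuple(int(part) for part in match.groups()) if match else None


def audit(inventory):
    """Classify (name, kind, version) rows as patched, needs-update or unknown."""
    report = []
    for name, kind, version in inventory:
        parsed = parse_version(version)
        fixed = FIXED.get(kind)
        if parsed is None or fixed is None:
            status = "unknown"        # review by hand; never assume patched
        elif parsed >= fixed:         # integer tuples, so 4.9.x sorts below 4.74.x
            status = "patched"
        else:
            status = "needs-update"   # anything below the fixed release
        report.append((name, status))
    return report


# Constructed sample inventory (illustrative names and versions only).
SAMPLE_INVENTORY = [
    ("lobby-cam", "camera", "v4.74.88"),
    ("dock-cam", "camera", "4.74.106"),
    ("garage-cam", "camera", "4.9.200"),
    ("nvr-app", "application", "5.2.46"),
    ("nvr-app-2", "application", "5.2.49"),
    ("old-cam", "camera", "unknown"),
]

if __name__ == "__main__":
    for name, status in audit(SAMPLE_INVENTORY):
        print(f"{name:12} {status}")
```

Comparing the versions as plain strings would rank `4.9.200` above `4.74.106` and wrongly report that camera as patched, which is why the versions are parsed into integer tuples first.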
For legacy systems, Ubiquiti recommends using Python-based scripts to validate firmware integrity, as shown in their ProtectApiClient module:
```python
import asyncio
from uiprotect import ProtectApiClient

async def main(host, port, username, password):  # run via asyncio.run(main(...))
    protect = ProtectApiClient(host, port, username, password, verify_ssl=True)
    await protect.update()  # Forces firmware check
```
Industry Reactions and Best Practices
The Zero Day Initiative (ZDI) emphasized the urgency of patching, noting that UniFi devices are frequently targeted due to their widespread use in SMB and home networks.
Cybersecurity firm Invicti warned that RCE flaws like these often stem from improper input sanitization in HTTP handlers and firmware update mechanisms.
Proactive Steps for Users:
- Monitor for unusual traffic on UDP/10001 and UDP/7004, historically abused in Ubiquiti exploits.
- Implement strict firewall rules to block unauthorized access to the UniFi Protect Application’s admin interface (default port 7443).
- Regularly audit device logs for indicators of compromise, such as unexpected firmware changes or CLI activity.
These vulnerabilities underscore the critical need for robust IoT security practices, particularly in devices handling sensitive surveillance data.
With over 20,000 Ubiquiti devices still exposed to prior flaws, organizations must prioritize patch management and network segmentation.
As Ubiquiti works to rebuild trust post-disclosure, the incident serves as a stark reminder: in an era of interconnected devices, a single vulnerable camera can become the weakest link in an entire network’s defense.