CVE-2014-2225

HIGH

Ubiquiti Networks UniFi Controller <3.2.1 - CSRF


Exploitation Summary

EIP tracks 1 public exploit for CVE-2014-2225. PoCs published by Seth Art.

AI-analyzed exploit summary: This is a proof-of-concept for CVE-2014-2225, demonstrating a Cross-Site Request Forgery (CSRF) vulnerability in Ubiquiti UniFi, mFi, and AirVision controllers. The exploit uses JavaScript to send unauthorized POST requests to add an admin user without the victim's knowledge.

Description

Multiple cross-site request forgery (CSRF) vulnerabilities in Ubiquiti Networks UniFi Controller before 3.2.1 allow remote attackers to hijack the authentication of administrators for requests that (1) create a new admin user via a request to api/add/admin; (2) have unspecified impact via a request to api/add/wlanconf; change the guest (3) password, (4) authentication method, or (5) restricted subnets via a request to api/set/setting/guest_access; (6) block, (7) unblock, or (8) reconnect users by MAC address via a request to api/cmd/stamgr; change the syslog (9) server or (10) port via a request to api/set/setting/rsyslogd; (11) have unspecified impact via a request to api/set/setting/smtp; change the syslog (12) server, (13) port, or (14) authentication settings via a request to api/cmd/cfgmgr; or (15) change the Unifi Controller name via a request to api/set/setting/identity.

Exploits (1)

exploitdb · WORKING POC
by Seth Art · tags: text, webapps, hardware
https://www.exploit-db.com/exploits/34187


Classification
Working Poc 100%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: UniFi Controller v2.4.6, mFi Controller v2.0.15, AirVision Controller v2.1.3
No auth needed
Prerequisites: Victim must be authenticated and visit a malicious webpage
Analyzed by mistral-large-3 on Feb 16, 2026

References (2)

Exploit, Third Party Advisory x_refsource_misc
http://sethsec.blogspot.com/2014/07/cve-2014-2225.html
Exploit, Mailing List, Third Party Advisory x_refsource_misc
http://seclists.org/fulldisclosure/2014/Jul/126

Scores

CVSS v3 8.8
EPSS 0.0128
EPSS Percentile 66.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE
CWE-352
Status published
Products (3)
ui/airvision_controller < 2.1.3
ui/mfi_controller < 2.0.15
ui/unifi_controller < 3.2.1
Published Feb 08, 2020
Tracked Since Feb 18, 2026