Exploitation Summary
EIP tracks 1 public exploit for CVE-2014-2225, a PoC published by Seth Art.
AI-analyzed exploit summary: The proof-of-concept for CVE-2014-2225 demonstrates a cross-site request forgery (CSRF) vulnerability in Ubiquiti UniFi, mFi, and AirVision controllers. It is JavaScript that, when loaded in the browser of an administrator who is logged in to the controller, submits a forged POST request that rides the administrator's session cookie and adds a new admin user without the victim's knowledge. The underlying defect is that the controller's state-changing API accepts any cookie-authenticated POST without an anti-CSRF token or an origin check.
Description
Multiple cross-site request forgery (CSRF) vulnerabilities in Ubiquiti Networks UniFi Controller before 3.2.1 allow remote attackers to hijack the authentication of administrators for requests that:
(1) create a new admin user via a request to api/add/admin;
(2) have unspecified impact via a request to api/add/wlanconf;
(3), (4), (5) change the guest password, authentication method, or restricted subnets via a request to api/set/setting/guest_access;
(6), (7), (8) block, unblock, or reconnect users by MAC address via a request to api/cmd/stamgr;
(9), (10) change the syslog server or port via a request to api/set/setting/rsyslogd;
(11) have unspecified impact via a request to api/set/setting/smtp;
(12), (13), (14) change the syslog server, port, or authentication settings via a request to api/cmd/cfgmgr;
(15) change the UniFi Controller name via a request to api/set/setting/identity.
Exploits (1)
PoC by Seth Art: a JavaScript CSRF page targeting Ubiquiti UniFi, mFi, and AirVision controllers that issues a forged POST to add an administrator account using the victim administrator's logged-in session.
Scores
CVSS 3.1 base score 8.8 (High): CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The vector reflects the CSRF shape of the bug: no privileges are required of the attacker (PR:N) but the victim administrator must load the attacker's page (UI:R), after which the forged request runs with full administrative rights on the controller (C:H/I:H/A:H).