CVE-2019-25652
HIGH
UniFi Network Controller Improper Certificate Validation Leading to Credential Theft via MITM
Title source: cna
Description
UniFi Network Controller before version 5.10.22 and 5.11.x before 5.11.18 contains an improper certificate verification vulnerability that allows adjacent network attackers to conduct man-in-the-middle attacks by presenting a false SSL certificate during SMTP connections. Attackers can intercept SMTP traffic and obtain credentials by exploiting the insecure SSL host verification mechanism in the SMTP certificate validation process.
References (2)
Core References
Vendor Advisory: https://community.ui.com/releases/Security-Advisory-Bulletin-003-003/982bbaa8-2a07-4f81-a5f6-0bb84753f391
Third Party Advisory: https://www.vulncheck.com/advisories/unifi-network-controller-improper-certificate-validation-leading-to-credential-theft-via-mitm
Scores
CVSS v3: 7.5
EPSS: 0.0011
EPSS Percentile: 1.6%
Attack Vector: ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: total
Details
CWE: CWE-295
Status: published
Products (5)
Ubiquiti/UniFi Network Controller: < 5.10.22
Ubiquiti/UniFi Network Controller: < 5.6.42
Ubiquiti/UniFi Network Controller: 5.11 - 5.11.18
Ubiquiti/UniFi Network Controller: 5.6.42
Ubiquiti/UniFi Network Controller: 5.6.43 - 5.10.22
Published: Mar 27, 2026
Tracked Since: Mar 29, 2026