CVE-2025-52665

CRITICAL EXPLOITED NUCLEI

UniFi Access 3.3.22-3.4.31 - Unauthenticated Management API Exposure

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2025-52665 has been observed exploited in the wild (reported by VulnCheck KEV). A Nuclei detection template is also available.

Description

A malicious actor with access to the management network could exploit a misconfiguration in UniFi’s door access application, UniFi Access, that exposed a management API without proper authentication. This vulnerability was introduced in Version 3.3.22 and was fixed in Version 4.0.21 and later.  Affected Products: UniFi Access Application (Version 3.3.22 through 3.4.31). 
 Mitigation: Update your UniFi Access Application to Version 4.0.21 or later.

Nuclei Templates (1)

UniFi Access - Broken Access Control
CRITICALby theamanrawat,DhiyaneshDK
Shodan: http.html:"UniFi OS"
FOFA: body="UniFi OS"

References (1)

Core 1

Scores

CVSS v3 10.0
EPSS 0.2660
EPSS Percentile 96.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

VulnCheck KEV 2026-01-16
CWE
CWE-306
Status published
Products (1)
ui/unifi_access 3.3.22 - 4.0.21
Published Oct 31, 2025
Tracked Since Feb 18, 2026