Ubiquiti Networks has disclosed and patched a critical security vulnerability in its UniFi Access application that could have allowed attackers to bypass authentication and gain unauthorized control over door access systems. If you’re running UniFi Access for physical security management, this is one update you don’t want to skip.
In Security Advisory Bulletin 056, Ubiquiti revealed a serious misconfiguration in UniFi Access that left a management API exposed without proper authentication. The vulnerability, tracked as CVE-2025-52665, earned the maximum CVSS severity score of 10 out of 10 (critical).
Any malicious actor with access to the management network could exploit this flaw to manipulate door access controls without needing valid credentials. In plain terms, this could allow an attacker to unlock doors, grant themselves access permissions, or disrupt physical security operations entirely.
The vulnerability was discovered by Catchify Security researchers and affects a specific range of UniFi Access versions released over the past several months.
The affected versions of the UniFi Access Application are 3.3.22 through 3.4.31. If you’re using UniFi Access to manage physical access control for your business, building, or facility, and haven’t updated recently, your system may be vulnerable. Verify your UniFi Access version and deploy the update.
The fix is straightforward: update your UniFi Access Application to version 4.0.21 or later. Ubiquiti released version 4.0.21 last month, which patches this vulnerability, and has since released version 4.0.31 with additional bugfixes.
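The version check described above, written out as an added example (not Ubiquiti's code and not part of the original article): it classifies version strings from an inventory against the affected range 3.3.22 through 3.4.31 and the fixed release 4.0.21, comparing each component numerically. The host names and inventory are constructed, and collecting the version strings from your controllers is assumed to happen elsewhere.

```python
import re

# Version bounds as stated in the article.
AFFECTED_MIN = (3, 3, 22)
AFFECTED_MAX = (3, 4, 31)
FIXED_MIN = (4, 0, 21)

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")


def parse_version(text):
    """Return (major, minor, patch) as ints, or None if the string is malformed."""
    match = _VERSION_RE.match(text.strip())
    return tuple(int(part) for part in match.groups()) if match else None


def classify(version_text):
    """Classify one UniFi Access Application version string."""
    version = parse_version(version_text)
    if version is None:
        return "unparseable"
    if AFFECTED_MIN <= version <= AFFECTED_MAX:
        return "affected"
    if version >= FIXED_MIN:
        return "fixed"
    # Outside both ranges: the article makes no statement about these versions.
    return "not-listed"


def triage(inventory):
    """Group hosts by status so affected ones can be prioritised for update."""
    report = {}
    for host, version_text in sorted(inventory.items()):
        report.setdefault(classify(version_text), []).append(host)
    return report

# Constructed sample inventory (hypothetical host names, not real systems).
SAMPLE_INVENTORY = {
    "hq-access": "3.3.22",
    "lab-access": "3.4.9",      # numeric compare: 9 < 31, so inside the range
    "branch-access": "4.0.21",
    "depot-access": "4.0.31",
    "old-access": "3.3.9",      # a string compare would rank this above 3.3.22
    "test-access": "3.4.31-beta",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts)}")
```

Hosts reported as `not-listed` or `unparseable` need a manual check against the advisory rather than being treated as safe.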
Visit the security advisory bulletin or their support center for update information.
IoT and building automation systems require the same security vigilance as traditional IT infrastructure. Regular updates, network segmentation, and monitoring of management interfaces are essential practices. Keep your access control management interface on a separate, restricted network segment, enable logging and monitoring to track events, and implement a regular update schedule.
