Security researchers have uncovered a severe unauthenticated Remote Code Execution vulnerability in Ubiquiti’s UniFi OS that earned a substantial $25,000 bug bounty reward.
Tracked as CVE-2025-52665, this critical flaw allows attackers to gain complete control of UniFi devices without requiring any credentials or user interaction, posing significant risks to organizations using UniFi Dream Machine routers and access control systems.
Misconfigured API Exposes Critical Attack Surface
The vulnerability originated from a misconfigured backupAPI endpoint at /api/ucore/backup/export that was designed to operate only on the local loopback interface.
However, researchers discovered the endpoint was externally accessible through por…
Security researchers have uncovered a severe unauthenticated Remote Code Execution vulnerability in Ubiquiti’s UniFi OS that earned a substantial $25,000 bug bounty reward.
Tracked as CVE-2025-52665, this critical flaw allows attackers to gain complete control of UniFi devices without requiring any credentials or user interaction, posing significant risks to organizations using UniFi Dream Machine routers and access control systems.
Misconfigured API Exposes Critical Attack Surface
The vulnerability originated from a misconfigured backupAPI endpoint at /api/ucore/backup/export that was designed to operate only on the local loopback interface.
However, researchers discovered the endpoint was externally accessible through port 9780, bypassing intended security restrictions.
The flaw stems from improper input validation on the dir parameter, which the backup orchestration system passes directly to shell commands without sanitization or escaping.
When researchers analyzed the UniFi Core service code, they found that the backup operation chains multiple shell commands including mktemp, chmod, and tar that directly interpolate the user-supplied directory path.
This design pattern created a perfect opportunity for command injection attacks, as metacharacters in the input would be interpreted as new shell commands rather than literal path components.
Researchers successfully exploited the vulnerability by crafting a malicious JSON payload that terminated the intended command and injected arbitrary code.
command execution and data exfiltration
The attack required sending a POST request to the exposed endpoint with a specially formatted dir parameter containing command injection sequences.
Unauthenticated Creation Access For Users
By using semicolons to separate commands and hash symbols to comment out remaining shell syntax, attackers could execute arbitrary commands with full system privileges.
The researchers demonstrated the severity by exfiltrating the /etc/passwd file and establishing areverse shell connection, proving complete interactive access to the compromised device.
Beyond basic system access, the vulnerability provided direct entry into UniFi Access components, granting attackers control over physical door systems and NFC credential management infrastructure.
The investigation revealed multiple unauthenticated API endpoints beyond the primary RCE vulnerability.
Nfc Credentials
Researchers found that /api/v1/user_assets/nfc accepted POST requests to provision new credentials without authentication, while /api/v1/user_assets/touch_pass/keys exposed sensitive credential material including Apple NFC keys and Google Pass authentication data containing PEM-formatted private keys.
These additional exposures compound the security impact, allowing attackers to manipulate access control systems and steal cryptographic credentials that protect mobile and NFC-based authentication mechanisms.
Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.