CVE-2019-25651 - Vulnerability Analysis

Overview

Ubiquiti UniFi Network Controller < 5.10.12 (excluding 5.6.42) and various UAP, USW, USG firmware versions use AES-CBC encryption with cryptographic weaknesses, letting attackers with adjacent network access recover encryption keys and control devices.

Severity & Score

Impact

Attackers with adjacent network access can recover encryption keys, enabling unauthorized control and management of network devices.

Mitigation

Update to UniFi Network Controller version 5.10.12 or later and firmware versions 4.0.6 (UAP), 3.8.17 (UAP-AC Outdoor), 4.0.6 (USW), 4.4.34 (USG) or later.

References

• https://community.ui.com/releases/Security-Advisory-Bulletin-004-004/462e561b-9efd-4c23-bfa7-53d59cc64ecb
• https://www.vulncheck.com/advisories/ubiquiti-unifi-devices-use-of-aes-cbc-allows-key-recovery-and-unauthorized-device-control

Related Resources

• Vulnerability Intelligence Dashboard
• Credential Scanner