A critical vulnerability has been identified in Ubiquiti's UniFi Access application, which could allow an attacker to bypass physical security controls. An unauthenticated management API is exposed on the network, enabling a malicious actor with access to the management network to gain complete control over the door access system, potentially leading to unauthorized physical access to secure facilities. Due to the ease of exploitation and the severe potential impact, this vulnerability is rated as critical.

This vulnerability stems from a misconfiguration in the UniFi Access application where a key management API endpoint is exposed without requiring any authentication. An attacker who has gained access to the management network can send specially crafted requests directly to this API. By doing so, the attacker can perform high-privilege administrative actions, such as adding or deleting users, modifying access permissions, remotely unlocking doors, and disabling security alerts, effectively gaining full control over the physical access control system.

This vulnerability presents a critical severity risk to the organization, reflected by its CVSS score of 10. Successful exploitation could lead to a complete compromise of physical security. The primary business impact includes the potential for unauthorized physical access to sensitive areas such as data centers, executive offices, and research labs, which could result in data theft, corporate espionage, sabotage of critical infrastructure, or threats to employee safety. The breach of a physical access system can cause significant reputational damage, regulatory fines, and a loss of customer trust.

Immediate Action: Update the Ubiquiti UniFi Access application to the latest version provided by the vendor to patch the vulnerability. Following the update, it is essential to monitor for any signs of post-remediation exploitation attempts and conduct a thorough review of historical access logs to identify any unauthorized access or configuration changes that may have occurred prior to patching.

Proactive Monitoring: Implement monitoring on the UniFi Access system and network. Security teams should look for anomalous API requests to the UniFi Access management interface from unexpected IP addresses. Review door access logs for unusual patterns, such as doors being unlocked remotely at odd hours, the creation of new user credentials without proper authorization, or unexpected permission changes.

Compensating Controls: If immediate patching is not feasible, implement the following compensating controls:

• Enforce strict network segmentation to isolate the UniFi Access controllers and management interface from general corporate and guest networks.
• Implement firewall rules to restrict access to the UniFi Access management API port, allowing connections only from a limited set of trusted administrative workstations.
• Deploy an Intrusion Prevention System (IPS) with rules to detect and block malicious traffic targeting the exposed API endpoint.

Public Exploit Available: False

Given the CVSS score of 10, this vulnerability must be treated as a critical and urgent threat. We strongly recommend that all affected Ubiquiti UniFi Access installations be patched immediately. While this CVE is not currently listed on the CISA KEV catalog, its severity makes it a prime candidate for future inclusion. If patching cannot be performed immediately, the compensating controls listed above must be implemented without delay to reduce the attack surface. Additionally, this incident should prompt a review of network segmentation policies to ensure that critical management interfaces are properly isolated from broader network access.