Skip to main content

Ubiquiti UniFi Network CVE-2019-25651

| EUVDEUVD-2019-20041 CRITICAL
Use of a Broken or Risky Cryptographic Algorithm (CWE-327)
2026-03-27 VulnCheck
9.0
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
9.0 CRITICAL
CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Adjacent
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

10
Analysis Updated
Apr 29, 2026 - 01:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 29, 2026 - 01:11 vuln.today
cvss_changed
Severity Changed
Apr 29, 2026 - 01:11 NVD
HIGH CRITICAL
CVSS changed
Apr 29, 2026 - 01:11 NVD
8.7 (HIGH) 9.0 (CRITICAL)
Analysis Updated
Apr 16, 2026 - 06:12 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
3.8.17,4.0.6,5.10.12
EUVD ID Assigned
Mar 27, 2026 - 22:00 euvd
EUVD-2019-20041
Analysis Generated
Mar 27, 2026 - 22:00 vuln.today
CVE Published
Mar 27, 2026 - 21:16 nvd
HIGH 8.7

DescriptionCVE.org

Ubiquiti UniFi Network Controller prior to 5.10.12 (excluding 5.6.42), UAP FW prior to 4.0.6, UAP-AC, UAP-AC v2, and UAP-AC Outdoor FW prior to 3.8.17, USW FW prior to 4.0.6, USG FW prior to 4.4.34 uses AES-CBC encryption for device-to-controller communication, which contains cryptographic weaknesses that allow attackers to recover encryption keys from captured traffic. Attackers with adjacent network access can capture sufficient encrypted traffic and exploit AES-CBC mode vulnerabilities to derive the encryption keys, enabling unauthorized control and management of network devices.

AnalysisAI

Adjacent attackers can decrypt device-to-controller traffic in Ubiquiti UniFi Network deployments and gain unauthorized control of network infrastructure by exploiting cryptographic weaknesses in AES-CBC implementation. Affected products include UniFi Network Controller (pre-5.10.12), UAP access points (pre-4.0.6/3.8.17 depending on model), UniFi switches (pre-4.0.6), and UniFi gateways (pre-4.4.34). While EPSS risk is minimal at 0.01% and no active exploitation is confirmed (SSVC: exploitation=none), the vulnerability enables complete compromise of network device management once sufficient traffic is captured, warranting attention in environments where adjacent network access is plausible.

Technical ContextAI

The vulnerability stems from Ubiquiti's use of AES-CBC (Cipher Block Chaining) mode for encrypting management traffic between UniFi devices and their controller. AES-CBC is vulnerable to several cryptanalytic attacks when implemented without proper authentication mechanisms, particularly padding oracle attacks and chosen-ciphertext attacks. The CWE-327 classification (Use of Broken or Risky Cryptographic Algorithm) reflects that while AES itself remains strong, CBC mode without authenticated encryption (like GCM or authenticated modes) creates exploitable weaknesses. UniFi's device ecosystem includes the Network Controller management platform, UAP wireless access points (including AC variants), USW managed switches, and USG security gateways. All these components communicate encrypted configuration and management data using the vulnerable AES-CBC implementation. The CPE strings confirm impact across the entire UniFi product line: cpe:2.3:a:ubiquiti:unifi_network_controller, cpe:2.3:a:ubiquiti:unifi_uap_firmware, cpe:2.3:a:ubiquiti:unifi_uap-ac_firmware, cpe:2.3:a:ubiquiti:unifi_usw_firmware, and cpe:2.3:a:ubiquiti:unifi_usg_firmware. Modern cryptographic practice recommends authenticated encryption modes (AEAD) like AES-GCM or ChaCha20-Poly1305 that provide both confidentiality and integrity protection, preventing the cryptanalytic attacks possible against unauthenticated CBC mode.

RemediationAI

Vendor-released patches are available for all affected components. Upgrade UniFi Network Controller to version 5.10.12 or later (version 5.6.42 also contains the fix for users on the 5.6.x branch). Update UAP access point firmware to version 4.0.6 or later. Upgrade UAP-AC, UAP-AC v2, and UAP-AC Outdoor firmware to version 3.8.17 or later. Update UniFi Switch (USW) firmware to version 4.0.6 or later. Upgrade UniFi Security Gateway (USG) firmware to version 4.4.34 or later. Apply patches systematically starting with the controller, then devices, following normal Ubiquiti upgrade procedures through the UniFi management interface. Consult Security Advisory Bulletin 004 at https://community.ui.com/releases/Security-Advisory-Bulletin-004-004/462e561b-9efd-4c23-bfa7-53d59cc64ecb for detailed upgrade instructions. As compensating controls where immediate patching is not feasible, isolate UniFi management traffic to dedicated VLANs with strict access controls, implement 802.1X network access control to prevent unauthorized adjacent network access, monitor for unusual traffic patterns on management interfaces, and restrict physical access to network segments carrying device-to-controller communications. These controls reduce adjacent network access opportunities but do not eliminate the cryptographic vulnerability - patching remains the definitive solution.

CVE-2026-34910 CRITICAL POC
10.0 May 22

Unauthenticated command injection in Ubiquiti UniFi OS devices allows remote attackers with network access to execute ar

CVE-2026-34909 CRITICAL POC
10.0 May 22

Path traversal in Ubiquiti UniFi OS devices allows network-adjacent attackers to read sensitive files from the underlyin

CVE-2026-34908 CRITICAL POC
10.0 May 22

Unauthorized system modification on Ubiquiti UniFi OS devices allows network-adjacent attackers to alter device configur

CVE-2013-1606 HIGH POC
7.5 Jul 18

Buffer overflow in the ubnt-streamer RTSP service on the Ubiquiti UBNT AirCam with airVision firmware before 1.1.6 allow

CVE-2026-22557 CRITICAL POC
10.0 Mar 19

A critical path traversal vulnerability exists in the UniFi Network Application that allows unauthenticated remote attac

CVE-2023-1458 CRITICAL POC
9.8 Mar 25

A vulnerability has been found in Ubiquiti EdgeRouter X 2.0.9-hotfix.6 and classified as critical. Rated critical severi

CVE-2023-24104 CRITICAL POC
9.8 Feb 23

Ubiquiti Networks UniFi Dream Machine Pro v7.2.95 allows attackers to bypass domain restrictions via crafted packets. Ra

CVE-2016-7792 HIGH POC
8.8 Jan 23

Ubiquiti Networks UniFi 5.2.7 does not restrict access to the database, which allows remote attackers to modify the data

CVE-2023-23912 HIGH POC
8.8 Feb 09

A vulnerability, found in EdgeRouters Version 2.0.9-hotfix.5 and earlier and UniFi Security Gateways (USG) Version 4.4.5

CVE-2023-2375 HIGH POC
7.3 Apr 28

A weakness has been identified in Ubiquiti EdgeRouter X up to 2.0.9-hotfix.6. Rated high severity (CVSS 7.3), this vulne

CVE-2023-2374 HIGH POC
7.3 Apr 28

A security flaw has been discovered in Ubiquiti EdgeRouter X up to 2.0.9-hotfix.6. Rated high severity (CVSS 7.3), this

CVE-2023-2378 HIGH POC
7.3 Apr 28

A flaw has been found in Ubiquiti EdgeRouter X up to 2.0.9-hotfix.6. Rated high severity (CVSS 7.3), this vulnerability

Share

CVE-2019-25651 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy