Severity by source
CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
10DescriptionCVE.org
Ubiquiti UniFi Network Controller prior to 5.10.12 (excluding 5.6.42), UAP FW prior to 4.0.6, UAP-AC, UAP-AC v2, and UAP-AC Outdoor FW prior to 3.8.17, USW FW prior to 4.0.6, USG FW prior to 4.4.34 uses AES-CBC encryption for device-to-controller communication, which contains cryptographic weaknesses that allow attackers to recover encryption keys from captured traffic. Attackers with adjacent network access can capture sufficient encrypted traffic and exploit AES-CBC mode vulnerabilities to derive the encryption keys, enabling unauthorized control and management of network devices.
AnalysisAI
Adjacent attackers can decrypt device-to-controller traffic in Ubiquiti UniFi Network deployments and gain unauthorized control of network infrastructure by exploiting cryptographic weaknesses in AES-CBC implementation. Affected products include UniFi Network Controller (pre-5.10.12), UAP access points (pre-4.0.6/3.8.17 depending on model), UniFi switches (pre-4.0.6), and UniFi gateways (pre-4.4.34). While EPSS risk is minimal at 0.01% and no active exploitation is confirmed (SSVC: exploitation=none), the vulnerability enables complete compromise of network device management once sufficient traffic is captured, warranting attention in environments where adjacent network access is plausible.
Technical ContextAI
The vulnerability stems from Ubiquiti's use of AES-CBC (Cipher Block Chaining) mode for encrypting management traffic between UniFi devices and their controller. AES-CBC is vulnerable to several cryptanalytic attacks when implemented without proper authentication mechanisms, particularly padding oracle attacks and chosen-ciphertext attacks. The CWE-327 classification (Use of Broken or Risky Cryptographic Algorithm) reflects that while AES itself remains strong, CBC mode without authenticated encryption (like GCM or authenticated modes) creates exploitable weaknesses. UniFi's device ecosystem includes the Network Controller management platform, UAP wireless access points (including AC variants), USW managed switches, and USG security gateways. All these components communicate encrypted configuration and management data using the vulnerable AES-CBC implementation. The CPE strings confirm impact across the entire UniFi product line: cpe:2.3:a:ubiquiti:unifi_network_controller, cpe:2.3:a:ubiquiti:unifi_uap_firmware, cpe:2.3:a:ubiquiti:unifi_uap-ac_firmware, cpe:2.3:a:ubiquiti:unifi_usw_firmware, and cpe:2.3:a:ubiquiti:unifi_usg_firmware. Modern cryptographic practice recommends authenticated encryption modes (AEAD) like AES-GCM or ChaCha20-Poly1305 that provide both confidentiality and integrity protection, preventing the cryptanalytic attacks possible against unauthenticated CBC mode.
RemediationAI
Vendor-released patches are available for all affected components. Upgrade UniFi Network Controller to version 5.10.12 or later (version 5.6.42 also contains the fix for users on the 5.6.x branch). Update UAP access point firmware to version 4.0.6 or later. Upgrade UAP-AC, UAP-AC v2, and UAP-AC Outdoor firmware to version 3.8.17 or later. Update UniFi Switch (USW) firmware to version 4.0.6 or later. Upgrade UniFi Security Gateway (USG) firmware to version 4.4.34 or later. Apply patches systematically starting with the controller, then devices, following normal Ubiquiti upgrade procedures through the UniFi management interface. Consult Security Advisory Bulletin 004 at https://community.ui.com/releases/Security-Advisory-Bulletin-004-004/462e561b-9efd-4c23-bfa7-53d59cc64ecb for detailed upgrade instructions. As compensating controls where immediate patching is not feasible, isolate UniFi management traffic to dedicated VLANs with strict access controls, implement 802.1X network access control to prevent unauthorized adjacent network access, monitor for unusual traffic patterns on management interfaces, and restrict physical access to network segments carrying device-to-controller communications. These controls reduce adjacent network access opportunities but do not eliminate the cryptographic vulnerability - patching remains the definitive solution.
Unauthenticated command injection in Ubiquiti UniFi OS devices allows remote attackers with network access to execute ar
Path traversal in Ubiquiti UniFi OS devices allows network-adjacent attackers to read sensitive files from the underlyin
Unauthorized system modification on Ubiquiti UniFi OS devices allows network-adjacent attackers to alter device configur
Buffer overflow in the ubnt-streamer RTSP service on the Ubiquiti UBNT AirCam with airVision firmware before 1.1.6 allow
A critical path traversal vulnerability exists in the UniFi Network Application that allows unauthenticated remote attac
A vulnerability has been found in Ubiquiti EdgeRouter X 2.0.9-hotfix.6 and classified as critical. Rated critical severi
Ubiquiti Networks UniFi Dream Machine Pro v7.2.95 allows attackers to bypass domain restrictions via crafted packets. Ra
Ubiquiti Networks UniFi 5.2.7 does not restrict access to the database, which allows remote attackers to modify the data
A vulnerability, found in EdgeRouters Version 2.0.9-hotfix.5 and earlier and UniFi Security Gateways (USG) Version 4.4.5
A weakness has been identified in Ubiquiti EdgeRouter X up to 2.0.9-hotfix.6. Rated high severity (CVSS 7.3), this vulne
A security flaw has been discovered in Ubiquiti EdgeRouter X up to 2.0.9-hotfix.6. Rated high severity (CVSS 7.3), this
A flaw has been found in Ubiquiti EdgeRouter X up to 2.0.9-hotfix.6. Rated high severity (CVSS 7.3), this vulnerability
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2019-20041