CVE-2025-24292: Vulnerability in Ubiquiti Inc UniFi Network Application
A misconfigured query in UniFi Network (v9.1.120 and earlier) could allow users to authenticate to Enterprise WiFi or VPN Server (l2tp and OpenVPN) using a device’s MAC address from 802.1X or MAC Authentication, if both services are enabled and share the same RADIUS profile.
AI Analysis
Technical Summary
CVE-2025-24292 is a vulnerability identified in the Ubiquiti Inc UniFi Network Application, specifically affecting versions 9.2.87 and earlier. The issue arises from a misconfigured query within the application that manages authentication for Enterprise WiFi and VPN services (L2TP and OpenVPN). When both 802.1X or MAC Authentication and VPN services are enabled and share the same RADIUS profile, an attacker can exploit this misconfiguration to authenticate to these services using only a device's MAC address. This bypasses normal authentication mechanisms, potentially allowing unauthorized access to the network. The vulnerability has a CVSS v3.0 base score of 6.8, categorized as medium severity. The vector indicates network attack vector (AV:N), high attack complexity (AC:H), no privileges required (PR:N), no user interaction (UI:N), and a scope change (S:C) with high confidentiality impact (C:H), but no impact on integrity or availability (I:N/A:N). No known exploits are currently in the wild, and no patches have been linked yet. The vulnerability could allow attackers to impersonate devices by spoofing MAC addresses, gaining unauthorized access to enterprise WiFi or VPN services, which are critical for secure remote and internal communications.
Potential Impact
For European organizations, this vulnerability poses a significant risk to network security, particularly in sectors relying heavily on secure wireless and VPN access, such as finance, healthcare, government, and critical infrastructure. Unauthorized access via MAC address spoofing could lead to exposure of sensitive data, unauthorized lateral movement within networks, and potential breaches of compliance with GDPR and other data protection regulations. The confidentiality impact is high as attackers could access internal resources without proper authentication. Although integrity and availability are not directly affected, the unauthorized access could facilitate further attacks that compromise these aspects. The medium severity score reflects the high confidentiality risk balanced against the high attack complexity, meaning exploitation is not trivial but feasible for skilled attackers. Given the widespread use of Ubiquiti UniFi products in European enterprises and SMBs, this vulnerability could have broad implications if exploited.
Mitigation Recommendations
Organizations should immediately review their UniFi Network Application deployments to determine if they are running affected versions (9.2.87 or earlier) and whether both 802.1X/MAC Authentication and VPN services share the same RADIUS profile. As no official patches are currently linked, temporary mitigations include segregating RADIUS profiles for WiFi and VPN services to prevent cross-authentication via MAC addresses. Network administrators should enforce stronger authentication methods that do not rely solely on MAC addresses, such as certificate-based 802.1X authentication, and disable MAC Authentication where possible. Monitoring network logs for unusual authentication attempts or MAC address anomalies can help detect exploitation attempts. Additionally, restricting network access by implementing network segmentation and zero-trust principles can limit the impact of any unauthorized access. Organizations should stay alert for official patches or updates from Ubiquiti and apply them promptly once available.
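As an added illustration (not code from this advisory or from Ubiquiti), the two checks a defender would want from the paragraph above: an audit of whether a WiFi 802.1X/MAC-authentication network and a VPN server share one RADIUS profile, and a pass over authentication logs for accepted VPN logins whose username is a bare MAC address, the credential form MAC Authentication uses. The inventory layout, field names and log format are constructed assumptions, not the UniFi data model.

```python
import re
from collections import defaultdict

# Constructed sample of a simplified service inventory. The field names are
# assumptions for illustration, not the UniFi Network data model.
SERVICES = [
    {"service": "wifi", "name": "Corp-WiFi", "auth": "802.1x/mac", "radius_profile": "rp-corp"},
    {"service": "vpn", "name": "l2tp", "auth": "l2tp", "radius_profile": "rp-corp"},
    {"service": "vpn", "name": "openvpn", "auth": "openvpn", "radius_profile": "rp-vpn"},
]

# Accepts aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff and aabbccddeeff.
MAC_RE = re.compile(r"^(?:[0-9a-f]{2}[:-]?){5}[0-9a-f]{2}$", re.IGNORECASE)


def shared_radius_profiles(services):
    """Return profile ids used by both a WiFi network and a VPN server (the
    precondition the advisory describes)."""
    kinds_by_profile = defaultdict(set)
    for s in services:
        kinds_by_profile[s["radius_profile"]].add(s["service"])
    return sorted(p for p, kinds in kinds_by_profile.items() if {"wifi", "vpn"} <= kinds)


def looks_like_mac(username):
    return bool(MAC_RE.match(username.strip()))


# Constructed log lines (not a real UniFi or RADIUS format).
SAMPLE_LOG = """\
2025-06-29T19:40:01Z vpn=l2tp auth=accept user=alice src=203.0.113.10
2025-06-29T19:41:15Z vpn=l2tp auth=accept user=aa:bb:cc:dd:ee:ff src=203.0.113.11
2025-06-29T19:42:02Z vpn=openvpn auth=reject user=bob src=203.0.113.12
2025-06-29T19:43:30Z wifi=Corp-WiFi auth=accept user=aabbccddeeff src=10.0.0.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<svc>vpn|wifi)=(?P<name>\S+) auth=(?P<result>\S+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def suspicious_vpn_logins(log_text):
    """Flag accepted VPN logins whose username is a MAC address. A MAC-shaped
    user is normal on a MAC-auth WiFi network but not on L2TP/OpenVPN."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m["svc"] == "vpn" and m["result"] == "accept" and looks_like_mac(m["user"]):
            hits.append((m["ts"], m["name"], m["user"], m["src"]))
    return hits
```

Run `shared_radius_profiles(SERVICES)` against an export of your own profile assignments and feed real accept/reject records into `suspicious_vpn_logins` after adapting `LINE_RE` to your log format.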
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Belgium, Sweden, Switzerland
Technical Details
- Data Version: 5.1
- Assigner Short Name: hackerone
- Date Reserved: 2025-01-17T01:00:07.458Z
- CVSS Version: 3.0
- State: PUBLISHED
Threat ID: 6861967a6f40f0eb72851e9f
Added to database: 6/29/2025, 7:39:38 PM
Last enriched: 6/29/2025, 7:54:50 PM
Last updated: 7/13/2025, 11:12:17 PM