
CVE-2025-24292: Vulnerability in Ubiquiti Inc UniFi Network Application

Medium
Tags: Vulnerability, CVE-2025-24292, cve, cve-2025-24292
Published: Sun Jun 29 2025 (06/29/2025, 19:25:08 UTC)
Source: CVE Database V5
Vendor/Project: Ubiquiti Inc
Product: UniFi Network Application

Description

A misconfigured query in UniFi Network (v9.1.120 and earlier) could allow users to authenticate to Enterprise WiFi or VPN Server (l2tp and OpenVPN) using a device’s MAC address from 802.1X or MAC Authentication, if both services are enabled and share the same RADIUS profile.

AI-Powered Analysis

Last updated: 06/29/2025, 19:54:50 UTC

Technical Analysis

CVE-2025-24292 is a vulnerability in the Ubiquiti Inc UniFi Network Application affecting version 9.1.120 and earlier. The root cause is a misconfigured query in the application's RADIUS-backed authentication handling. UniFi can register devices for 802.1X MAC Authentication, where the device's MAC address serves as the RADIUS credential, and the same RADIUS profile can also be attached to Enterprise WiFi and to the VPN Server (L2TP and OpenVPN). When both are enabled on one shared RADIUS profile, the faulty query does not restrict MAC-based entries to MAC Authentication, so a MAC address that was registered for a device can be presented as a credential to Enterprise WiFi or the VPN services and accepted. This is an authentication bypass: an attacker who learns the MAC address of an authorized device (MAC addresses are not secret; they are sent in cleartext in 802.11 frame headers and are visible on any shared network segment) obtains access without a user's password or certificate. The vulnerability has a CVSS v3.0 base score of 6.8, categorized as medium severity. The vector AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N indicates a network attack vector, high attack complexity (the attacker needs a registered device's MAC and the target must use the shared-profile configuration), no privileges required, no user interaction, a scope change (a credential meant for one service grants access to another), high confidentiality impact, and no integrity or availability impact. No known exploits are currently in the wild, and no patches have been linked in the record yet.
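To make the failure mode concrete, the following is an added example, not UniFi code: the entry kinds, service names, store layout and lookup functions are all assumptions that model a RADIUS credential store shared across services. The misconfigured lookup ignores which service is asking, so a device's MAC Authentication entry (MAC as both username and password) also satisfies a VPN login; the hardened lookup keys the query on the service as well.

```python
import hmac
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed model of a RADIUS credential store shared by several services.
# Illustrative only: entry kinds, service names and the lookup logic are
# assumptions, not UniFi's implementation.

MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")


@dataclass(frozen=True)
class RadiusEntry:
    username: str
    password: str
    kind: str  # "user" = person account, "mac" = MAC Authentication device entry


def normalize(value: str) -> str:
    """Canonicalise MAC-formatted credentials (MAC auth commonly sends the MAC
    as both User-Name and User-Password); leave other strings untouched."""
    if MAC_RE.match(value):
        return value.lower().replace("-", ":")
    return value


def _match(entry: RadiusEntry, username: str, password: str) -> bool:
    # constant-time comparison; differing lengths simply compare unequal
    return hmac.compare_digest(entry.username.encode(), normalize(username).encode()) and \
        hmac.compare_digest(entry.password.encode(), normalize(password).encode())


# Constructed sample store: one human account and one printer registered for
# MAC Authentication. The MAC entry carries the MAC as its "password".
STORE = (
    RadiusEntry("alice", "correct horse battery staple", "user"),
    RadiusEntry("aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:01", "mac"),
)

# Which entry kinds each service is meant to accept (assumed mapping).
ALLOWED_KINDS = {
    "mac-auth": {"mac"},
    "enterprise-wifi": {"user"},
    "vpn-l2tp": {"user"},
    "vpn-openvpn": {"user"},
}


def authenticate_vulnerable(store: Iterable[RadiusEntry], username: str,
                            password: str, service: str) -> Optional[RadiusEntry]:
    """Misconfigured query: one credential lookup serves every service on the
    shared profile. `service` is received but never used, so a device's MAC
    entry also satisfies a VPN or Enterprise WiFi login."""
    for entry in store:
        if _match(entry, username, password):
            return entry
    return None


def authenticate_fixed(store: Iterable[RadiusEntry], username: str,
                       password: str, service: str) -> Optional[RadiusEntry]:
    """Hardened query: the requesting service is part of the lookup, so only
    entry kinds that service is meant to accept can authenticate to it."""
    allowed = ALLOWED_KINDS.get(service, set())
    for entry in store:
        if entry.kind in allowed and _match(entry, username, password):
            return entry
    return None


def mac_bypass_succeeds(auth_fn, service: str = "vpn-l2tp") -> bool:
    """Attacker who read the printer's MAC from 802.11 headers presents it as
    username and password to a service that should require a user account."""
    sniffed = "AA-BB-CC-DD-EE-01"
    return auth_fn(STORE, sniffed, sniffed, service) is not None


if __name__ == "__main__":
    for fn in (authenticate_vulnerable, authenticate_fixed):
        print(f"{fn.__name__}: MAC bypass to VPN succeeds = {mac_bypass_succeeds(fn)}")
```

The only difference between the two lookups is that the hardened one carries the service into the query. That is the same separation the mitigation achieves at the configuration level by giving MAC Authentication its own RADIUS profile.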

Potential Impact

For European organizations, this vulnerability is a network access risk in any deployment that attaches one RADIUS profile to both MAC Authentication and Enterprise WiFi or VPN, particularly in sectors that depend on controlled wireless and remote access such as finance, healthcare, government and critical infrastructure. Authenticating with a learned or spoofed MAC address gives an attacker a position on the internal network or VPN that should have required a user credential, from which sensitive data can be read and lateral movement attempted; unauthorized access to personal data would also trigger GDPR breach-notification duties. The confidentiality impact is rated high because the access gained is equivalent to that of a legitimate user of the service. Integrity and availability are not directly affected by the flaw itself, but the foothold it provides can be used for follow-on attacks that do affect them. The medium severity score reflects high confidentiality impact balanced against high attack complexity: exploitation needs a registered device's MAC address and the specific shared-profile configuration, so it is not trivial, but it is well within reach of a capable attacker. Given the wide use of UniFi products in European enterprises and SMBs, exposure depends less on the product's prevalence than on whether the shared-profile configuration is in use, which administrators should verify rather than assume.

Mitigation Recommendations

Organizations should review their UniFi Network Application deployments to determine whether they run an affected version (9.1.120 or earlier) and, if so, whether a single RADIUS profile is assigned to both 802.1X/MAC Authentication and Enterprise WiFi or the VPN Server. As no official patch is linked in the record yet, the direct mitigation is to break the shared condition: use separate RADIUS profiles (and, where possible, separate RADIUS user stores or servers) for MAC Authentication and for Enterprise WiFi and VPN, so that MAC-based entries cannot satisfy a user-credential lookup. Prefer authentication that does not rest on a MAC address at all, such as certificate-based 802.1X (EAP-TLS), and disable MAC Authentication where it is not needed. In RADIUS, VPN and controller logs, alert on MAC-formatted usernames authenticating to VPN or Enterprise WiFi, on the same MAC appearing both as a MAC Authentication client and as a VPN or WiFi user, and on logins from unexpected source addresses. Network segmentation and least-privilege access for VPN and wireless users limit what an attacker can reach if the bypass succeeds. Watch for an official fix from Ubiquiti and upgrade promptly once it is available.
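Added example of the log monitoring suggested above, not from the page or the vendor: the line format, service names and sample entries are constructed, so the parsing regex must be adapted to the fields your RADIUS or controller logs actually emit. It flags MAC-shaped usernames on services that should only accept user accounts, raises the severity when the login succeeded, and notes when the same MAC is also a legitimate MAC Authentication client, which is the exact cross-service reuse this CVE enables.

```python
import re
from typing import Dict, List, Optional

# Constructed detection over a simplified, made-up authentication log format.
# Real UniFi/RADIUS logs differ; adapt LINE_RE to your collector's fields.

MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")
LINE_RE = re.compile(
    r"^(?P<ts>\S+) service=(?P<service>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>OK|FAIL) src=(?P<src>\S+)$"
)

# Services where a MAC-shaped username is expected (assumed service names).
MAC_SERVICES = {"mac-auth"}


def norm_mac(value: str) -> str:
    return value.lower().replace("-", ":")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_mac_credential_abuse(lines: List[str]) -> List[Dict[str, str]]:
    """Flag authentications where a MAC address is used as the username on a
    service that should require a user account, and note when that MAC is
    also a known MAC Authentication client."""
    events = [e for e in (parse_line(line) for line in lines) if e]
    known_mac_clients = {
        norm_mac(e["user"]) for e in events
        if e["service"] in MAC_SERVICES and MAC_RE.match(e["user"])
    }
    findings = []
    for e in events:
        if e["service"] in MAC_SERVICES or not MAC_RE.match(e["user"]):
            continue
        reason = f"MAC-format username on {e['service']}"
        if norm_mac(e["user"]) in known_mac_clients:
            reason += " that also authenticated via MAC Authentication"
        findings.append({
            "ts": e["ts"],
            "service": e["service"],
            "user": norm_mac(e["user"]),
            "src": e["src"],
            # a successful login is the bypass itself; a failure is a probe
            "severity": "high" if e["result"] == "OK" else "medium",
            "reason": reason,
        })
    return findings


# Constructed sample log: a normal user VPN login, a printer doing MAC auth,
# the same MAC then used as a VPN credential (bypass), and a failed WiFi probe.
SAMPLE_LOG = [
    "2025-07-01T08:00:01Z service=vpn-l2tp user=alice result=OK src=203.0.113.10",
    "2025-07-01T08:00:05Z service=mac-auth user=aa:bb:cc:dd:ee:01 result=OK src=10.0.20.7",
    "2025-07-01T08:12:03Z service=vpn-l2tp user=AA-BB-CC-DD-EE-01 result=OK src=198.51.100.23",
    "2025-07-01T08:13:40Z service=enterprise-wifi user=aa:bb:cc:dd:ee:02 result=FAIL src=10.0.30.99",
    "garbage line that does not parse",
]


if __name__ == "__main__":
    for f in find_mac_credential_abuse(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['ts']} {f['service']} user={f['user']} "
              f"src={f['src']}: {f['reason']}")
```

A high-severity hit on a VPN or Enterprise WiFi service is worth treating as a confirmed bypass until proven otherwise, since a legitimate user account should never be a MAC address; the source address in the finding is the natural pivot for containment.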


Technical Details

Data Version: 5.1
Assigner Short Name: hackerone
Date Reserved: 2025-01-17T01:00:07.458Z
CVSS Version: 3.0
State: PUBLISHED

Threat ID: 6861967a6f40f0eb72851e9f

Added to database: 6/29/2025, 7:39:38 PM

Last enriched: 6/29/2025, 7:54:50 PM

Last updated: 7/13/2025, 11:12:17 PM


