Advisory

Critical authentication bypass flaw reported in Ubiquiti UniFi Access

Take action: If you're using Ubiquiti UniFi Access for door control, make sure it's isolated from untrusted networks and very difficult to reach. It can be hacked to let attackers unlock doors and control your entire physical security system. Plan a very quick update to version 4.0.21 or newer and review your access logs for any suspicious door unlocks or new credentials that shouldn't exist.


Learn More

Ubiquiti Networks is reporting a critical security flaw in its UniFi Access application, the company's door access control and physical security management solution. 

The flaw, tracked as CVE-2025-52665 (CVSS score 10.0), exposes a management API without proper authentication, potentially allowing malicious actors to gain complete control over physical access systems protecting corporate facilities, data centers, and sensitive areas.

Ubiquiti's security advisory gives a somewhat vague description of the vulnerability's implications. Security experts suggest that attackers exploiting this vulnerability could potentially gain unauthorized physical access to facilities secured by UniFi Access systems, modify access permissions, create rogue credentials, disable security controls, or exfiltrate sensitive information about facility layouts, access patterns, and security configurations.

The vulnerability was introduced in UniFi Access version 3.3.22 and affects all versions through 3.4.31. 

Ubiquiti strongly urges all customers running affected versions to immediately update to version 4.0.21 or newer to eliminate the security risk. 

Organizations that can't immediately upgrade should isolate the UniFi Access management network from untrusted networks. All organizations using UniFi Access should review their physical access control logs to identify any suspicious activity, unauthorized credential creation, or anomalous access patterns that might indicate exploitation.
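To decide which installations need the urgent update, the version range above can be checked against an inventory. The following is an added example, not code from Ubiquiti or from this advisory; the hostnames and the inventory format are constructed, and the "unlisted" and "predates-flaw" labels for versions outside the stated range are assumptions about how to triage them.

```python
import re

# Version boundaries taken from the advisory text.
FIRST_AFFECTED = (3, 3, 22)
LAST_AFFECTED = (3, 4, 31)
FIRST_FIXED = (4, 0, 21)


def parse_version(text):
    """Return (major, minor, patch) or None if the string is not x.y.z."""
    m = re.fullmatch(r"\s*v?(\d+)\.(\d+)\.(\d+)\s*", text or "")
    return tuple(int(p) for p in m.groups()) if m else None


def classify(version_text):
    """Map a reported UniFi Access version to a triage status."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"            # unparseable: check by hand
    if FIRST_AFFECTED <= v <= LAST_AFFECTED:
        return "affected"           # inside the advisory's range
    if v >= FIRST_FIXED:
        return "fixed"
    if v < FIRST_AFFECTED:
        return "predates-flaw"      # older than the release that introduced it
    return "unlisted"               # between 3.4.31 and 4.0.21: advisory is silent


def triage(inventory):
    """Group hosts by status; inventory is an iterable of (host, version)."""
    report = {}
    for host, version in inventory:
        report.setdefault(classify(version), []).append(host)
    return report


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    ("door-ctl-hq", "3.3.22"),
    ("door-ctl-dc1", "3.4.31"),
    ("door-ctl-lab", "3.3.9"),
    ("door-ctl-branch", "4.0.21"),
    ("door-ctl-annex", "4.0.5"),
    ("door-ctl-old", "n/a"),
]

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{status:14} {', '.join(hosts)}")
```

Versions are compared as integer tuples because a plain string comparison would sort 3.3.9 after 3.3.22 and wrongly flag it as affected.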
