Advisory

Critical vulnerability reported in Ubiquiti's UniFi Protect surveillance system

Take action: Update your UniFi Protect Camera firmware to version 4.75.62 or later and your UniFi Protect Application to version 5.3.45 or newer as soon as possible. Cameras are the first priority, because their vulnerability carries a maximum CVSS score of 10.0. Since camera updates have been reported to cause problems, roll them out in phases rather than all at once. In the meantime, segment your surveillance networks from critical infrastructure, isolate the cameras on a separate network, restrict access to camera management interfaces, and temporarily disable the "Share Livestream" feature until the updates can be applied.


Learn More

Security researchers are reporting two security vulnerabilities in Ubiquiti's UniFi Protect surveillance ecosystem, one in the UniFi Protect Camera firmware and one in the UniFi Protect Application, that could expose enterprise and home surveillance systems to malicious exploitation.

Vulnerabilities summary

  • CVE-2025-23123 (CVSS score 10.0 Critical): A heap buffer overflow in the UniFi Protect Camera firmware (version 4.75.43 and earlier) that allows an attacker with access to the management network to achieve remote code execution, potentially granting full control over affected cameras.
  • CVE-2025-23164 (CVSS score 4.4 Medium): A flaw in the UniFi Protect Application (version 5.3.41 and earlier) in the "Share Livestream" feature. Because of a misconfigured token revocation mechanism, recipients of a livestream link can retain access indefinitely even after the link has been disabled, creating a persistent privacy risk. While far less severe than the RCE vulnerability, this flaw could still allow unauthorized parties to monitor video feeds covertly.

Unpatched cameras in corporate or critical infrastructure environments could serve as entry points for ransomware attacks or espionage operations.

Exploiting the second flaw requires having received a legitimate livestream link in the first place; the flaw then allows continued, unauthorized monitoring of the video feed after that access should have been revoked.

Ubiquiti has released patches to address both vulnerabilities:

  1. For UniFi Protect Cameras: update to firmware version 4.75.62 or later to address CVE-2025-23123.
  2. For the UniFi Protect Application: update to version 5.3.45 or newer to resolve CVE-2025-23164.
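Before rolling out the fixes in phases, it helps to triage an inventory of cameras and application instances against the two fixed versions above. The script below is an added example, not Ubiquiti's code or tooling: it reads a constructed inventory (the device names and versions are made up) and compares versions component by component, which matters because a naive string comparison would rank a hypothetical firmware "4.75.9" above "4.75.62" and wrongly mark it as patched. Cameras that fall below 4.75.62 are put in the critical bucket first, matching the priority in the advisory.

```python
"""Triage UniFi Protect cameras and application instances against the
fixed versions from the advisory.

Added example, not Ubiquiti's own tooling. The inventory below is
constructed for illustration; only the fixed version numbers come from
the advisory. No network calls are made.
"""
from typing import Dict, List, Optional, Tuple

FIXED_CAMERA_FW = "4.75.62"   # fixes CVE-2025-23123 (from the advisory)
FIXED_PROTECT_APP = "5.3.45"  # fixes CVE-2025-23164 (from the advisory)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '4.75.62' into (4, 75, 62); reject anything non-numeric."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(installed: str, fixed: str) -> bool:
    """True when installed >= fixed, compared numerically per component.

    Shorter tuples are zero-padded so that 4.75 compares as 4.75.0.
    """
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a = a + (0,) * (width - len(a))
    b = b + (0,) * (width - len(b))
    return a >= b


def fixed_version_for(kind: str) -> Optional[str]:
    """Map an inventory 'kind' to the fixed version it must reach."""
    if kind == "camera":
        return FIXED_CAMERA_FW
    if kind == "app":
        return FIXED_PROTECT_APP
    return None


def triage(inventory: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Bucket devices by urgency: unpatched cameras (CVSS 10.0) first,
    then unpatched application instances, then patched, then anything
    whose kind or version string could not be interpreted."""
    result: Dict[str, List[str]] = {
        "critical_camera_fw": [],
        "medium_app": [],
        "patched": [],
        "unknown": [],
    }
    for device in inventory:
        kind, name, version = device["kind"], device["name"], device["version"]
        fixed = fixed_version_for(kind)
        if fixed is None:
            result["unknown"].append(name)
            continue
        try:
            patched = is_patched(version, fixed)
        except ValueError:
            # Unparseable versions are flagged rather than silently skipped.
            result["unknown"].append(name)
            continue
        if patched:
            result["patched"].append(name)
        elif kind == "camera":
            result["critical_camera_fw"].append(name)
        else:
            result["medium_app"].append(name)
    return result


# Constructed inventory (hypothetical names and versions). "4.75.9" is a
# made-up version that is OLDER than 4.75.62 numerically but sorts after
# it as a string; it must land in the critical bucket.
SAMPLE_INVENTORY = [
    {"kind": "camera", "name": "lobby-cam", "version": "4.75.43"},
    {"kind": "camera", "name": "dock-cam", "version": "4.75.9"},
    {"kind": "camera", "name": "garage-cam", "version": "4.75.62"},
    {"kind": "app", "name": "protect-nvr", "version": "5.3.41"},
    {"kind": "app", "name": "protect-lab", "version": "5.3.45"},
    {"kind": "camera", "name": "bad-entry", "version": "n/a"},
]

if __name__ == "__main__":
    for bucket, names in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {names}")
```

Feed it a real export of your camera and controller versions in the same shape and work through the `critical_camera_fw` list in batches; the `unknown` bucket is where to look for devices whose version string did not parse rather than assuming they are safe.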

Community feedback suggests that upgrading to the fixed versions may introduce operational issues. Users have reported post-update problems including loss of camera access for limited-permission users, drops in livestream resolution, and reconnection failures that required a physical reset of the camera.

Organizations that cannot apply the updates immediately should segment their surveillance networks from critical infrastructure, restrict access to camera management interfaces, and consider temporarily disabling the "Share Livestream" feature.
