Protecting your home and business with surveillance cameras is a common practice, but the vulnerability of these systems to remote hacks raises serious concerns. Recently, Ubiquiti Networks issued an urgent security advisory regarding several critical vulnerabilities in its UniFi Protect camera ecosystem. These issues, including remote code execution (RCE), have exposed significant weaknesses that could allow hackers to gain unauthorized access and control over camera systems. With the threats discovered by Trend Micro’s Zero Day Initiative (ZDI) during the 2025 Pwn2Own Toronto hacking competition, it is crucial to understand the impact and steps needed to safeguard these devices.
Critical Vulnerabilities
The primary vulnerabilities identified within the UniFi Protect system encompass both firmware and the management application. Two of the most severe vulnerabilities could enable complete device takeover through unauthorized network-adjacent attacks. Specifically, CVE-2025-23115 and CVE-2025-23116 pose grave threats due to their high severity scores. CVE-2025-23115 is a memory corruption issue existing in firmware versions ≤4.74.88, which allows attackers to execute arbitrary code via specially crafted network packets. This flaw arises from improper handling of RTSP stream metadata buffers leading to retained invalidated pointers after memory reallocation. When exploited successfully, attackers can achieve root-level command execution on the camera’s Linux-based system.
Meanwhile, CVE-2025-23116 is associated with an authentication bypass vulnerability through the Auto-Adopt Bridge feature, found in UniFi Protect Application versions ≤5.2.46. Attackers exploiting this can forge adoption requests using default device certificates due to the protect-adoptd service failing to validate TLS client certificates during the device provisioning sequence. These two vulnerabilities significantly elevate risks by granting attackers unauthorized command execution and bridging into protected networks.
Medium-Severity Vulnerabilities
Aside from the high-severity issues, there are other notable vulnerabilities adding to the threat landscape. CVE-2025-23117 involves a firmware validation bypass caused by the use of a static AES-128-CBC key during the firmware update process. The firmware validation flaw—fixed in version 4.74.106—previously permitted attackers to sideload modified firmware images. The introduction of per-device key derivation using HKDF-SHA256 is a countermeasure to this vulnerability.
Similarly, CVE-2025-23118 identifies a flaw in certificate validation within the UniFi Protect web interface, using the nginx web server. Improper validation of Let’s Encrypt certificates allowed Man-in-the-Middle (MITM) attacks. The fix, incorporating certificate transparency logs and OCSP stapling, aims to fortify against such interception attempts. Another medium-severity vulnerability, CVE-2025-23119, highlights how the camera’s syslog service improperly sanitized ANSI escape sequences in log messages, leading to potential terminal emulator escape attacks. A regex filter implementation has been applied to mitigate this issue.
Mitigation and Recommendations
The discovery of these vulnerabilities impacting over 1.2 million deployed UniFi Protect devices signifies the urgency of implementing robust security measures. Ubiquiti has provided specific recommendations for instant mitigation, which include updating camera firmware to version 4.74.106 or higher and upgrading the UniFi Protect Application to version 5.2.49 or beyond. Disabling the Auto-Adopt Bridge feature, if it is not being used, and incorporating network segmentation for camera VLANs can also help minimize exposure.
Security teams should vigilantly monitor indicators of compromise (IoCs) such as unusual outbound connections on TCP/443 to unknown autonomous systems, the spawning of the ubntstreamd process to /bin/sh, and any modification of /etc/passwd indicating the addition of new UID 0 accounts. These steps collectively reduce the risk of potential exploitation and enhance overall cybersecurity posture.
Future Considerations
The identified vulnerabilities pose severe risks, as they can be exploited by attackers to infiltrate and manipulate the surveillance systems. Consequently, understanding the impact and taking appropriate measures to protect these devices is essential. Regularly updating firmware, implementing strong passwords, and using network security protocols can help mitigate some of these threats. With the growing reliance on surveillance technology, ensuring its security is crucial for safeguarding both personal and business interests.