CVE-2025-23123 (CVSS 10): Critical UniFi Protect Cameras Flaw Demands Immediate Updates

Ubiquiti has released a critical security advisory addressing two vulnerabilities in its UniFi Protect ecosystem, including a CVSS 10.0-rated remote code execution (RCE) vulnerability that could be exploited by attackers with access to the management network. These flaws threaten the integrity of both UniFi Protect Cameras and the UniFi Protect Application, widely deployed in enterprise and home surveillance setups.

The most severe of the two flaws, CVE-2025-23123, is a heap buffer overflow vulnerability in UniFi Protect Camera firmware versions 4.75.43 and earlier. According to Ubiquiti’s advisory: “A malicious actor with access to the management network could execute a remote code execution (RCE) by exploiting a heap buffer overflow vulnerability in the UniFi Protect Cameras.”

This vulnerability allows threat actors to gain arbitrary code execution, potentially enabling full compromise of the camera system, eavesdropping, unauthorized surveillance manipulation, or pivoting into other parts of a secured network.

Ubiquiti urges all users to immediately update their camera firmware to Version 4.75.62 or later to neutralize the threat.

The second vulnerability, CVE-2025-23164 (CVSS 4.4), affects the UniFi Protect Application (Version 5.3.41 and earlier). It stems from a misconfigured access token mechanism that could allow unauthorized continued access to a video feed even after the original access link has been revoked.

“A misconfigured access token mechanism in the Unifi Protect Application (Version 5.3.41 and earlier) could permit the recipient of a ‘Share Livestream’ link to maintain access to the corresponding livestream subsequent to such link becoming disabled,” Ubiquiti explains.

Administrators should upgrade to Version 5.3.45 or later of the UniFi Protect Application to correct the token lifecycle behavior.

Rate this post

Related Posts:

Found this helpful?

Leave a Reply Cancel reply