CVE-2019-25652 Overview
CVE-2019-25652 is an improper certificate validation vulnerability [CWE-295] affecting UniFi Network Controller before version 5.10.22 and the 5.11.x branch before 5.11.18. When the controller opens a TLS-protected SMTP connection it does not verify that the server's certificate was issued for the configured SMTP host. An adjacent network attacker, one on the same segment as the controller or otherwise on the path to its mail relay, can therefore answer the connection with a forged certificate, complete the handshake and read the session. That man-in-the-middle (MITM) position exposes the SMTP credentials the controller stores for outbound email notifications. No authentication to the controller and no user interaction are required.
Critical Impact
Adjacent network attackers can intercept SMTP traffic and harvest plaintext credentials from UniFi Network Controllers through forged SSL certificates.
Affected Products
- UniFi Network Controller versions prior to 5.10.22
- UniFi Network Controller 5.11.x versions prior to 5.11.18
- Deployments configured with SMTP for email notifications or alerts
Discovery Timeline
- 2026-03-27 - CVE-2019-25652 published to the National Vulnerability Database (NVD)
- 2026-03-30 - Last updated in NVD database
Technical Details for CVE-2019-25652
Vulnerability Analysis
The UniFi Network Controller integrates SMTP functionality to deliver administrative email notifications, alerts, and reports. When the controller initiates a TLS-protected SMTP session, it does not check that the certificate presented by the SMTP server belongs to the host it was configured to contact. Host name verification is skipped, so a certificate issued for some other name is accepted as if it were the relay's.
This flaw breaks the trust model that TLS depends on. Any party that can position itself between the controller and the configured SMTP server can present its own certificate and complete the handshake. Once the encrypted channel terminates at the attacker, the SMTP AUTH LOGIN or AUTH PLAIN exchange exposes the stored credentials in base64-encoded form, which is trivially decoded.
Root Cause
The root cause is improper certificate validation [CWE-295] in the SMTP client logic. The code path that opens a secure SMTP connection does not compare the configured SMTP host name against the certificate's Subject Alternative Name (SAN) entries or, failing those, its Common Name (CN). The published description is limited to this missing host verification; it does not state whether the chain is also checked against a trusted CA store. Either way the outcome is the same: a certificate that is valid for the attacker's own name, or a self-signed one if chain checks are absent too, is accepted in place of the relay's.
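As an added illustration, not code from the UniFi controller (whose SMTP client source is not published), the following Python shows the check that is missing and what it looks like when present. The certificate dicts, host names and the `send_alert` helper are constructed for this example; `hostname_matches` implements the SAN-then-CN comparison described above so the behaviour can be exercised without a live relay, and the two `ssl.SSLContext` builders show the weak setting beside the corrected one.

```python
import smtplib
import ssl
from typing import Dict

# Constructed certificates in the dict layout that ssl.SSLSocket.getpeercert()
# returns. Names, SAN entries and hosts are illustrative assumptions only.
RELAY_CERT: Dict = {
    "subject": ((("commonName", "smtp.example.com"),),),
    "subjectAltName": (("DNS", "smtp.example.com"), ("DNS", "*.mail.example.com")),
}
# What an attacker on the path could present: perfectly valid for *its* name,
# but not for the relay the controller was configured to talk to.
MITM_CERT: Dict = {
    "subject": ((("commonName", "mitm.attacker.example"),),),
    "subjectAltName": (("DNS", "mitm.attacker.example"),),
}


def _dns_name_matches(pattern: str, host: str) -> bool:
    """RFC 6125 style comparison: case-insensitive, trailing dot ignored, and a
    wildcard honoured only when it is the entire left-most label."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert: Dict, host: str) -> bool:
    """The check the vulnerable SMTP client skips: is `cert` issued for `host`?
    DNS SANs take precedence; the CN is consulted only when no DNS SAN exists."""
    dns_sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if dns_sans:
        return any(_dns_name_matches(san, host) for san in dns_sans)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _dns_name_matches(value, host)
    return False


def vulnerable_context() -> ssl.SSLContext:
    """Chain still verified, but the name check is switched off: any certificate
    a CA would sign for some other host (or an attacker's own) is accepted."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    return ctx


def hardened_context() -> ssl.SSLContext:
    """What fixed behaviour looks like: chain verified against the system trust
    store and the certificate name bound to the configured relay."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_hardened(ctx: ssl.SSLContext) -> bool:
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


def send_alert(relay: str, port: int, user: str, password: str, ctx: ssl.SSLContext) -> None:
    """Outbound notification the way a controller would send it (assumed flow).
    With the hardened context, starttls() raises ssl.SSLCertVerificationError when
    the presented certificate is not valid for `relay`; with the vulnerable one the
    session proceeds to login() and hands the credentials to whoever answered."""
    with smtplib.SMTP(relay, port, timeout=10) as smtp:
        smtp.starttls(context=ctx)
        smtp.login(user, password)
        smtp.sendmail(user, [user], "Subject: controller alert\r\n\r\nconstructed test message")
```

`send_alert` is not run here (it needs a reachable relay); the point of the block is that `hostname_matches(MITM_CERT, "smtp.example.com")` is false, and that the only difference between the two contexts is the one attribute the controller effectively left off.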
Attack Vector
Exploitation requires adjacent network access: a position on the same broadcast domain or VLAN as the controller, or on a transit segment between the controller and its SMTP relay. From there the attacker redirects the controller's SMTP traffic with ARP spoofing, DHCP manipulation (a rogue gateway or DNS server) or rogue routing, and terminates the TLS handshake with a certificate of their own. Because the name check is missing, the controller proceeds to authenticate and sends the SMTP username and password the administrator configured. These credentials frequently belong to a corporate mail account, which supports convincing phishing from a trusted sender and, depending on what else the account can reach, lateral movement.
No verified public exploit code is associated with this CVE. Refer to the VulnCheck Advisory on UniFi for additional technical context.
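The credential exposure described above, as an added example rather than anything from the original advisory: a constructed SMTP transcript containing both an AUTH PLAIN and an AUTH LOGIN exchange, and the decoding step that turns the captured base64 back into the account and password. The account, password and host names are assumptions. A MITM runs this over the plaintext it obtained by terminating TLS; a defender runs the same logic over a decrypted capture to confirm what was lost.

```python
import base64
from typing import List, Optional, Tuple

# Constructed session as seen after TLS termination (attacker side) or after
# decrypting a capture (defender side). Not a real capture; the account,
# password and host names are illustrative assumptions.
_PLAIN_BLOB = base64.b64encode(b"\x00alerts@example.com\x00Hunter2!").decode()
_LOGIN_USER = base64.b64encode(b"alerts@example.com").decode()
_LOGIN_PASS = base64.b64encode(b"Hunter2!").decode()

CAPTURED_SESSION = f"""\
S: 220 smtp.example.com ESMTP ready
C: EHLO unifi-controller
S: 250-smtp.example.com
S: 250 AUTH PLAIN LOGIN
C: AUTH PLAIN {_PLAIN_BLOB}
S: 235 2.7.0 Authentication successful
C: QUIT
S: 221 2.0.0 Bye
S: 220 smtp.example.com ESMTP ready
C: EHLO unifi-controller
S: 250 AUTH PLAIN LOGIN
C: AUTH LOGIN
S: 334 VXNlcm5hbWU6
C: {_LOGIN_USER}
S: 334 UGFzc3dvcmQ6
C: {_LOGIN_PASS}
S: 235 2.7.0 Authentication successful
"""


def _b64(blob: str) -> Optional[bytes]:
    """Strict base64 decode; None for anything that is not a valid blob."""
    try:
        return base64.b64decode(blob, validate=True)
    except ValueError:
        return None


def extract_smtp_credentials(transcript: str) -> List[Tuple[str, str, str]]:
    """Return (mechanism, username, password) for every AUTH PLAIN / AUTH LOGIN
    exchange in a 'C: '/'S: ' transcript. Handles both the one-line initial
    response form and the multi-step 334 challenge form of each mechanism."""
    client = [line[3:].strip() for line in transcript.splitlines() if line.startswith("C: ")]
    found: List[Tuple[str, str, str]] = []
    i = 0
    while i < len(client):
        parts = client[i].split(maxsplit=2)
        if len(parts) < 2 or parts[0].upper() != "AUTH":
            i += 1
            continue
        mech = parts[1].upper()
        if mech == "PLAIN":
            # RFC 4616: base64( authzid NUL authcid NUL password ), sent either as an
            # initial response on the AUTH line or on the next line after a 334.
            if len(parts) == 3:
                blob, consumed = parts[2], 1
            else:
                blob, consumed = (client[i + 1] if i + 1 < len(client) else ""), 2
            raw = _b64(blob)
            fields = raw.split(b"\x00") if raw is not None else []
            if len(fields) == 3:
                found.append(("PLAIN", fields[1].decode("utf-8", "replace"),
                              fields[2].decode("utf-8", "replace")))
            i += consumed
        elif mech == "LOGIN":
            # Username and password answer two separate 334 challenges as base64
            # lines; the username may also ride along on the AUTH line itself.
            if len(parts) == 3:
                user_blob, pass_idx = parts[2], i + 1
            else:
                user_blob, pass_idx = (client[i + 1] if i + 1 < len(client) else ""), i + 2
            user = _b64(user_blob)
            password = _b64(client[pass_idx]) if pass_idx < len(client) else None
            if user is not None and password is not None:
                found.append(("LOGIN", user.decode("utf-8", "replace"),
                              password.decode("utf-8", "replace")))
            i = pass_idx + 1
        else:
            i += 1  # CRAM-MD5, XOAUTH2 and friends are not plaintext-equivalent
    return found


if __name__ == "__main__":
    for mech, user, password in extract_smtp_credentials(CAPTURED_SESSION):
        print(f"{mech:6} user={user!r} password={password!r}")
```

Both mechanisms yield the same account and password; base64 is an encoding, not protection, which is why the TLS name check is the only thing standing between a forged certificate and the stored secret.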
Detection Methods for CVE-2019-25652
Indicators of Compromise
- Unexpected ARP table changes on the network segment hosting the UniFi Network Controller
- SMTP connections from the controller terminating at hosts other than the configured mail relay
- TLS certificates presented to the controller that are self-signed, issued by an untrusted CA, or issued for a name other than the configured SMTP host
- Authentication failures or anomalous login activity on the SMTP account configured in the controller
Detection Strategies
- Monitor outbound SMTP traffic (TCP 25, 465 and 587) from the controller and alert when the destination IP is not the legitimate mail relay; note that ARP spoofing leaves the destination IP unchanged, so this check must be paired with the certificate checks below
- Inspect TLS handshakes to the SMTP server and alert on leaf certificate fingerprint changes, self-signed certificates, or a subject that does not match the relay's host name
- Correlate Layer 2 anomalies such as ARP poisoning with SMTP session anomalies
- Review controller version strings during routine asset inventory to identify unpatched deployments
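One way to implement the first three strategies as detection logic, added here as an example and not taken from the page's sources. The records are constructed JSON lines loosely modelled on what a network sensor logs per TLS handshake; the field names (`orig_h`, `resp_h`, `resp_p`, `sni`, `subject`, `issuer`, `fp`), addresses and certificate values are assumptions for this example. Session three models ARP spoofing (same destination IP, different certificate) and session four models a rogue route or DHCP change (different destination); the last two sessions are out of scope and must not alert.

```python
import json
from dataclasses import dataclass
from typing import List, Optional, Set

SMTP_PORTS = {25, 465, 587}

# Constructed per-handshake records (assumed schema, not a real sensor's):
#   1-2  controller -> relay, expected certificate              (clean, sets the pin)
#   3    controller -> relay IP, self-signed cert, new fp       (ARP-spoofed path)
#   4    controller -> unknown host on port 25, self-signed     (rogue route / DHCP)
#   5    controller -> HTTPS elsewhere                          (not SMTP, ignored)
#   6    another host -> relay                                  (not the controller, ignored)
SAMPLE_TLS_LOG = """\
{"ts": "2025-01-10T08:00:01Z", "orig_h": "10.0.1.10", "resp_h": "10.0.2.25", "resp_p": 587, "sni": "smtp.example.com", "subject": "CN=smtp.example.com", "issuer": "CN=Example Corp Issuing CA", "fp": "sha256:1111"}
{"ts": "2025-01-10T08:05:01Z", "orig_h": "10.0.1.10", "resp_h": "10.0.2.25", "resp_p": 587, "sni": "smtp.example.com", "subject": "CN=smtp.example.com", "issuer": "CN=Example Corp Issuing CA", "fp": "sha256:1111"}
{"ts": "2025-01-10T08:10:01Z", "orig_h": "10.0.1.10", "resp_h": "10.0.2.25", "resp_p": 587, "sni": "smtp.example.com", "subject": "CN=smtp.example.com", "issuer": "CN=smtp.example.com", "fp": "sha256:9999"}
{"ts": "2025-01-10T08:15:01Z", "orig_h": "10.0.1.10", "resp_h": "10.0.5.66", "resp_p": 25, "sni": "smtp.example.com", "subject": "CN=mail.attacker.example", "issuer": "CN=mail.attacker.example", "fp": "sha256:abcd"}
{"ts": "2025-01-10T08:20:01Z", "orig_h": "10.0.1.10", "resp_h": "10.0.9.9", "resp_p": 443, "sni": "updates.example.net", "subject": "CN=updates.example.net", "issuer": "CN=Some Public CA", "fp": "sha256:7777"}
{"ts": "2025-01-10T08:25:01Z", "orig_h": "10.0.1.99", "resp_h": "10.0.2.25", "resp_p": 587, "sni": "smtp.example.com", "subject": "CN=smtp.example.com", "issuer": "CN=Example Corp Issuing CA", "fp": "sha256:1111"}
"""


@dataclass
class RelayPolicy:
    controller_ip: str
    relay_ips: Set[str]
    trusted_issuers: Set[str]
    pinned_fp: Optional[str] = None  # learned from the first clean session when None


@dataclass
class Alert:
    rule: str
    ts: str
    resp_h: str
    detail: str


def parse_records(log_text: str) -> List[dict]:
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def analyze(records: List[dict], policy: RelayPolicy) -> List[Alert]:
    """Apply the detection strategies to the controller's own SMTP sessions:
    wrong destination, self-signed or untrusted leaf certificate, and a leaf
    fingerprint that differs from the pinned one. The first clean session
    establishes the pin when none is configured."""
    alerts: List[Alert] = []
    for r in records:
        if r["orig_h"] != policy.controller_ip or r["resp_p"] not in SMTP_PORTS:
            continue  # only the controller's SMTP sessions are in scope
        findings: List[Alert] = []
        if r["resp_h"] not in policy.relay_ips:
            findings.append(Alert("unexpected_destination", r["ts"], r["resp_h"], f'port {r["resp_p"]}'))
        if r["issuer"] == r["subject"]:
            findings.append(Alert("self_signed_cert", r["ts"], r["resp_h"], r["subject"]))
        elif r["issuer"] not in policy.trusted_issuers:
            findings.append(Alert("untrusted_issuer", r["ts"], r["resp_h"], r["issuer"]))
        if policy.pinned_fp is None and not findings:
            policy.pinned_fp = r["fp"]  # first clean session becomes the baseline
        elif policy.pinned_fp is not None and r["fp"] != policy.pinned_fp:
            findings.append(Alert("fingerprint_changed", r["ts"], r["resp_h"],
                                  f'{r["fp"]} != pinned {policy.pinned_fp}'))
        alerts.extend(findings)
    return alerts


def run_demo() -> List[Alert]:
    policy = RelayPolicy(controller_ip="10.0.1.10", relay_ips={"10.0.2.25"},
                         trusted_issuers={"CN=Example Corp Issuing CA"})
    return analyze(parse_records(SAMPLE_TLS_LOG), policy)


if __name__ == "__main__":
    for a in run_demo():
        print(f"{a.ts} {a.rule:22} -> {a.resp_h} ({a.detail})")
```

Learning the pin from the first clean session is convenient for a demo; in production, configure `pinned_fp` from the relay operator's published fingerprint so that a sensor first deployed after a compromise does not baseline the attacker's certificate.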
Monitoring Recommendations
- Enable network flow logging for the management VLAN that hosts UniFi controllers
- Forward switch and firewall logs to a central data lake for retroactive correlation
- Track configuration changes to the SMTP settings field within the UniFi controller
- Alert on SMTP authentication events from the controller account originating from unexpected source IPs
How to Mitigate CVE-2019-25652
Immediate Actions Required
- Upgrade UniFi Network Controller to 5.10.22 or later on the 5.10 branch, 5.11.18 or later on the 5.11 branch, or any newer release, as published in the vendor advisory
- Rotate any SMTP credentials that were configured in a vulnerable controller version, since they may already have been captured; the upgrade alone does not revoke them
- Restrict the management network segment to limit adjacent network exposure
- Audit recent SMTP traffic from the controller for connections to unauthorized hosts
Patch Information
Ubiquiti addressed the vulnerability in UniFi Network Controller 5.10.22 and 5.11.18. Administrators should review the UI Community Security Bulletin for vendor guidance and apply the fixed release. The fixed releases verify that the SMTP server's certificate is valid for the configured host name before authenticating.
Workarounds
- Disable the SMTP notification feature within the controller until the patch is applied
- Configure the controller to use an SMTP relay reachable only through a dedicated, isolated VLAN
- Run a local SMTP relay on the same host as the controller, so the controller's own SMTP session never crosses the network; the relay must then be configured to verify the upstream server's certificate itself, otherwise the exposure has only moved one hop
- Enforce strict Layer 2 controls such as dynamic ARP inspection and DHCP snooping on the management segment
# Read the installed UniFi Network Controller package version (Debian/Ubuntu package install;
# Cloud Key and other UniFi appliances are updated through their own UI, and the controller's
# web UI shows the running version)
dpkg-query -W -f='${Version}\n' unifi
# Upgrade to a patched release from the configured Ubiquiti apt repository (Debian/Ubuntu example)
sudo apt-get update
sudo apt-get install --only-upgrade unifi
# Confirm the installed version meets the fixed baseline for its branch:
# 5.10.x needs >= 5.10.22, 5.11.x needs >= 5.11.18, anything newer already contains the fix
v=$(dpkg-query -W -f='${Version}' unifi)
if dpkg --compare-versions "$v" ge 5.11.18 || { dpkg --compare-versions "$v" ge 5.10.22 && dpkg --compare-versions "$v" lt 5.11; }; then
  echo "fixed: $v"
else
  echo "VULNERABLE: $v"
fi
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.