CVE-2024-22054 Overview
CVE-2024-22054 is a denial of service vulnerability affecting multiple Ubiquiti UniFi product lines. A malformed discovery packet sent by an attacker with preexisting network access can interrupt the functionality of device management and discovery services. The vulnerability stems from improper input validation [CWE-20] in the discovery protocol handler. Ubiquiti released firmware updates for UniFi Access Points, UniFi Switches, UniFi LTE Backup, and UniFi Express (Mesh Mode) to address the issue.
Critical Impact
An attacker with network access can disrupt device management and discovery functions across UniFi infrastructure by transmitting a single crafted packet.
Affected Products
- UniFi Access Points (versions prior to 6.6.55)
- UniFi Switches (versions prior to 6.6.61)
- UniFi LTE Backup (versions prior to 6.6.57)
- UniFi Express in Mesh Mode (versions prior to 3.2.5)
Discovery Timeline
- 2024-02-20 - CVE-2024-22054 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2024-22054
Vulnerability Analysis
The vulnerability resides in the device discovery protocol used by UniFi network equipment. UniFi devices broadcast and respond to discovery packets to enable centralized management through the UniFi controller. When a device receives a malformed discovery packet, the parser fails to properly validate the input, causing an interruption in device management and discovery functionality.
The attack does not require authentication or user interaction. However, the attacker must already have access to the local network segment where UniFi devices operate. The result is a loss of availability affecting administrative control planes rather than data confidentiality or integrity.
This class of issue is categorized as Improper Input Validation [CWE-20]. The discovery service accepts attacker-controlled bytes without sufficient bounds or format checks before processing.
Root Cause
The root cause is missing or insufficient validation of incoming discovery protocol packets. UniFi firmware versions prior to the patched releases fail to reject malformed packet structures, allowing a single crafted message to disrupt the discovery daemon and associated management functions.
Attack Vector
Exploitation requires network adjacency to the targeted UniFi devices. An attacker on the same broadcast domain transmits a malformed discovery packet to the device. The targeted device fails to process the input correctly, resulting in interruption of device management and discovery services. The current EPSS score is 0.069% with a 21st percentile ranking, indicating low observed exploitation activity in the wild.
No public proof-of-concept code is available for this vulnerability. Refer to the Ubiquiti Security Advisory Bulletin for vendor-published technical details.
Detection Methods for CVE-2024-22054
Indicators of Compromise
- Unexpected loss of communication between UniFi devices and the UniFi controller
- UniFi devices disappearing from the controller's device inventory or showing as disconnected
- Restart or crash events in device management daemons logged on UniFi hardware
Detection Strategies
- Monitor UniFi controller logs for repeated device disconnection or adoption failure events
- Inspect network traffic on UDP discovery ports (default 10001) for malformed or oversized packets
- Correlate discovery service crashes with inbound packets from unauthorized hosts on the management VLAN
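The second detection strategy above calls for inspecting UDP 10001 traffic for malformed or oversized packets. The validator below is an added example written for this page, not code from Ubiquiti or from the advisory; it applies the bounds checks that a hardened discovery parser would apply and reports what is wrong with a packet instead of crashing on it. It assumes the commonly documented UniFi discovery v1 layout (version byte, command byte, 16-bit big-endian payload length, then TLVs with a 1-byte type and 16-bit big-endian length); that layout, the 1024-byte size ceiling, the TLV type numbers and the sample packets are all assumptions constructed for the example, not details taken from the page.

```python
import struct

# Assumed ceiling for a legitimate discovery datagram; tune to what the
# monitored environment actually produces.
MAX_DISCOVERY_PACKET = 1024


def build_tlv(tlv_type: int, value: bytes) -> bytes:
    """Encode one TLV: 1-byte type, 2-byte big-endian length, value."""
    return struct.pack("!BH", tlv_type, len(value)) + value


def build_packet(tlvs: list) -> bytes:
    """Encode a v1 discovery packet around a list of already-encoded TLVs."""
    payload = b"".join(tlvs)
    return struct.pack("!BBH", 0x01, 0x00, len(payload)) + payload


def validate_discovery_packet(data: bytes) -> list:
    """Return the problems found; an empty list means the packet is well-formed."""
    problems = []
    if len(data) > MAX_DISCOVERY_PACKET:
        problems.append(f"oversized: {len(data)} bytes")
    if len(data) < 4:
        problems.append("truncated header")
        return problems
    version, command, declared = struct.unpack("!BBH", data[:4])
    if version != 0x01:
        problems.append(f"unexpected version byte {version:#x}")
    body = data[4:]
    if declared != len(body):
        problems.append(f"declared payload length {declared} != actual {len(body)}")
    # Walk the TLVs with explicit bounds checks. A declared TLV length that
    # runs past the end of the datagram is exactly the kind of input a parser
    # without such checks mishandles.
    off = 0
    while off < len(body):
        if off + 3 > len(body):
            problems.append(f"TLV header truncated at offset {off}")
            break
        tlv_type, length = struct.unpack("!BH", body[off:off + 3])
        if off + 3 + length > len(body):
            problems.append(
                f"TLV type {tlv_type:#x} length {length} overruns packet at offset {off}"
            )
            break
        off += 3 + length
    return problems


# Constructed sample datagrams (not captured from real hardware).
GOOD_PACKET = build_packet([build_tlv(0x0B, b"ap-lobby-01"), build_tlv(0x03, b"6.6.55")])
# Same total length as GOOD_PACKET, but the first TLV claims 65535 bytes.
OVERRUN_PACKET = GOOD_PACKET[:4] + struct.pack("!BH", 0x0B, 0xFFFF) + GOOD_PACKET[7:]
OVERSIZED_PACKET = build_packet([build_tlv(0x0B, b"A" * 2000)])
TRUNCATED_PACKET = b"\x01\x00"


if __name__ == "__main__":
    for name, pkt in [("good", GOOD_PACKET), ("overrun", OVERRUN_PACKET),
                      ("oversized", OVERSIZED_PACKET), ("truncated", TRUNCATED_PACKET)]:
        print(name, validate_discovery_packet(pkt) or "ok")
```

The same function can be run over datagrams pulled from a capture of the management VLAN; any packet that returns a non-empty list is a candidate for the correlation step described in the third strategy.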
Monitoring Recommendations
- Enable syslog forwarding from UniFi devices to a centralized log management or SIEM platform
- Alert on sustained or repeated discovery daemon restarts across multiple devices
- Track baseline volumes of discovery traffic and flag anomalous spikes from single sources
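The monitoring recommendations above ask for an alert on sustained or repeated discovery daemon restarts across multiple devices. The correlation routine below is an added example for this page, not tooling from Ubiquiti; it parses forwarded syslog lines, finds hosts whose discovery service restarted at least three times inside a five-minute window, and raises a fleet-level alert when two or more hosts are affected. The log format, the daemon name `discoveryd`, the message wording, the hostnames and the thresholds are all constructed for the example and are not details from the page.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog lines (not real UniFi output; daemon name and wording are
# placeholders). Two hosts restart repeatedly within minutes; a third does not.
SAMPLE_LOGS = """\
2024-03-01T10:00:01Z ap-lobby-01 discoveryd: service started
2024-03-01T10:00:45Z ap-lobby-01 discoveryd: service started
2024-03-01T10:01:20Z ap-lobby-01 discoveryd: service started
2024-03-01T10:01:30Z sw-core-01 discoveryd: service started
2024-03-01T10:02:05Z sw-core-01 discoveryd: service crashed, restarting
2024-03-01T10:02:50Z sw-core-01 discoveryd: service started
2024-03-01T10:03:00Z sw-core-01 sshd: accepted publickey for admin
2024-03-01T12:30:00Z ap-roof-02 discoveryd: service started
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^:]+): (?P<msg>.*)$")
RESTART_RE = re.compile(r"\b(started|restart(?:ed|ing)?|crash(?:ed)?)\b", re.IGNORECASE)


def parse_restart_events(text: str, daemon: str = "discoveryd") -> dict:
    """Map each host to the timestamps of its discovery daemon restart/crash lines."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["proc"] != daemon or not RESTART_RE.search(m["msg"]):
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events[m["host"]].append(ts)
    return events


def hosts_with_restart_storm(events: dict, threshold: int = 3,
                             window: timedelta = timedelta(minutes=5)) -> list:
    """Hosts with at least `threshold` restart events inside any `window`-long span."""
    flagged = []
    for host, times in events.items():
        times = sorted(times)
        # Sliding window over the sorted timestamps: the i-th and the
        # (i+threshold-1)-th event bound a run of `threshold` events.
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.append(host)
                break
    return sorted(flagged)


def fleet_alert(text: str, min_hosts: int = 2) -> dict:
    """Raise a fleet-level alert when restart storms hit several devices at once."""
    flagged = hosts_with_restart_storm(parse_restart_events(text))
    return {"alert": len(flagged) >= min_hosts, "hosts": flagged}


if __name__ == "__main__":
    print(fleet_alert(SAMPLE_LOGS))
```

In a SIEM the per-host window and the host count become two chained rules: the first fires on a single device and is worth a ticket; the second, firing across several devices on the same management VLAN, is the pattern that matches the single-packet disruption the advisory describes and should page someone.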
How to Mitigate CVE-2024-22054
Immediate Actions Required
- Inventory all UniFi Access Points, Switches, LTE Backup units, and UniFi Express devices in the environment
- Apply the vendor-supplied firmware updates listed in the patch information section below
- Restrict access to the management VLAN and discovery ports to authorized administrators only
Patch Information
Ubiquiti has released fixed firmware versions. Update UniFi Access Points to version 6.6.55 or later. Update UniFi Switches to version 6.6.61 or later. Update UniFi LTE Backup to version 6.6.57 or later. Update UniFi Express to version 3.2.5 or later. Full details are available in the Ubiquiti Security Advisory Bulletin 037.
Workarounds
- Segment UniFi management traffic onto a dedicated VLAN inaccessible to general users and untrusted endpoints
- Apply network access control lists to block discovery protocol traffic from unauthorized sources
- Disable Layer 2 discovery on segments where centralized adoption is not required, where supported by device configuration
# Example: restrict UniFi discovery port access at the network edge
# Block UDP 10001 from untrusted subnets toward the management VLAN.
# iptables matches first-to-last, so the ACCEPT for the trusted admin subnet
# must come before the catch-all DROP, otherwise it is never reached.
iptables -A FORWARD -p udp --dport 10001 -s <trusted_admin_subnet> -d <management_vlan_cidr> -j ACCEPT
iptables -A FORWARD -p udp --dport 10001 -d <management_vlan_cidr> -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.