CVE-2025-23116 Overview
CVE-2025-23116 is an Authentication Bypass vulnerability affecting the UniFi Protect Application when the Auto-Adopt Bridge Devices feature is enabled. This vulnerability allows a malicious actor with access to a network adjacent to UniFi Protect Cameras to completely take control of those cameras without proper authentication.
Critical Impact
Attackers on an adjacent network can bypass authentication and gain full control over UniFi Protect Cameras, potentially enabling unauthorized surveillance, video feed manipulation, or using compromised cameras as a pivot point for further network attacks.
Affected Products
- UniFi Protect Application (with Auto-Adopt Bridge Devices enabled)
- UniFi Protect Cameras (accessible from adjacent network)
Discovery Timeline
- 2025-03-01 - CVE-2025-23116 published to NVD
- 2025-03-04 - Last updated in NVD database
Technical Details for CVE-2025-23116
Vulnerability Analysis
This Authentication Bypass vulnerability (CWE-287) exists within the UniFi Protect Application's Auto-Adopt Bridge Devices functionality. When this feature is enabled, the application fails to properly validate authentication credentials for devices attempting to connect via an adjacent network. The vulnerability allows unauthenticated attackers to circumvent security controls and assume control of connected UniFi Protect Cameras.
The attack can be executed from an adjacent network position, meaning the attacker needs to be on a network segment that has Layer 2 connectivity to the target cameras. No user interaction is required for exploitation, and the vulnerability can affect resources beyond the initial security scope of the vulnerable component, potentially compromising the confidentiality, integrity, and availability of the camera systems.
Root Cause
The root cause of this vulnerability is improper authentication handling (CWE-287: Improper Authentication) within the Auto-Adopt Bridge Devices feature. When this functionality is enabled, the UniFi Protect Application fails to enforce proper authentication checks for device adoption requests originating from adjacent networks. This allows an attacker to impersonate legitimate devices or send crafted adoption requests that bypass the normal authentication workflow.
Attack Vector
The attack vector requires adjacent network access, meaning the attacker must be positioned on a network segment that can directly communicate with UniFi Protect Cameras at the data link layer. From this position, the attacker can exploit the authentication bypass without requiring any privileges or user interaction. The exploitation has a changed scope, meaning a successful attack can impact resources beyond the vulnerable component itself.
The attack mechanism involves exploiting the trust relationship established by the Auto-Adopt Bridge Devices feature, which is designed to simplify device onboarding but lacks sufficient authentication validation when processing adoption requests from adjacent network sources.
Detection Methods for CVE-2025-23116
Indicators of Compromise
- Unexpected device adoption events or camera registrations in UniFi Protect logs
- Unusual network traffic patterns between adjacent network segments and UniFi Protect Cameras
- Changes to camera configurations that were not authorized by administrators
- Anomalous authentication or connection attempts from unknown MAC addresses on camera network segments
Detection Strategies
- Monitor UniFi Protect Application logs for unauthorized device adoption requests
- Implement network traffic analysis to detect suspicious communication patterns with cameras from adjacent networks
- Configure alerts for any changes to camera configurations or firmware
- Deploy network segmentation monitoring to identify potential lateral movement attempts
Monitoring Recommendations
- Enable verbose logging on UniFi Protect Application and regularly review adoption events
- Implement network intrusion detection systems (NIDS) on segments containing UniFi Protect infrastructure
- Monitor for unusual DHCP or ARP traffic that may indicate adjacent network reconnaissance
- Establish baseline behavior for camera communications and alert on deviations
How to Mitigate CVE-2025-23116
Immediate Actions Required
- Disable the Auto-Adopt Bridge Devices feature if not operationally required
- Implement strict network segmentation to isolate UniFi Protect Cameras from untrusted adjacent networks
- Review and audit all currently adopted devices for unauthorized entries
- Apply the latest security patches from Ubiquiti as soon as available
Patch Information
Ubiquiti has released a security advisory addressing this vulnerability. Administrators should consult the UI Community Security Advisory for detailed patch information and update instructions. Apply all available security updates to the UniFi Protect Application immediately.
Workarounds
- Disable the Auto-Adopt Bridge Devices feature in UniFi Protect Application settings until patches are applied
- Implement VLAN segmentation to prevent adjacent network access to camera infrastructure
- Deploy firewall rules to restrict Layer 2 access to camera network segments
- Enable manual device adoption approval to prevent unauthorized cameras from being automatically adopted
# Network segmentation example - restrict camera VLAN access
# Consult your network equipment documentation for specific syntax
# Example: Configure firewall rules to isolate camera subnet
# Block all adjacent network access to camera management ports
# Allow only authorized management stations to access UniFi Protect
# Disable Auto-Adopt via UniFi Protect Application:
# Navigate to Settings > System > Auto-Adopt Bridge Devices
# Set feature to "Disabled"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
