CVE-2025-24290 Overview
CVE-2025-24290 describes multiple authenticated SQL injection vulnerabilities [CWE-89] in the Ubiquiti UISP Application version 2.4.206 and earlier. An authenticated attacker with low privileges can inject crafted SQL statements through vulnerable application inputs. Successful exploitation allows the attacker to escalate privileges within the UISP environment.
The Ubiquiti Internet Service Provider (UISP) platform is widely used by network operators to manage Ubiquiti deployments. Privilege escalation in this context can expose managed network infrastructure to follow-on compromise.
Critical Impact
Authenticated low-privilege users can exploit SQL injection flaws to escalate privileges, with the scope extending beyond the vulnerable component to affect confidentiality, integrity, and availability of managed resources.
Affected Products
- Ubiquiti UISP Application version 2.4.206
- Ubiquiti UISP Application versions earlier than 2.4.206
- Deployments managing Ubiquiti ISP network infrastructure through UISP
Discovery Timeline
- 2025-06-29 - CVE-2025-24290 published to the National Vulnerability Database
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-24290
Vulnerability Analysis
The vulnerability is classified as SQL injection [CWE-89] affecting multiple endpoints within the UISP Application. An attacker authenticated with low-privilege credentials can submit input that is concatenated into database queries without proper parameterization or sanitization. The injected SQL alters query logic and returns or modifies records the user should not access.
The Scope: Changed characteristic of this issue is significant. Successful exploitation crosses the authorization boundary of the vulnerable component and impacts resources managed by a different security authority. In practice, this allows a low-privileged UISP user to obtain administrator-level control over the application.
Follow-on impact extends to the managed network. UISP administrators can configure routers, switches, and wireless devices, so privilege escalation in UISP translates directly into control over downstream networking equipment.
Root Cause
The root cause is improper neutralization of special elements used in SQL commands. Vulnerable code paths build database queries through string concatenation with user-supplied parameters rather than using parameterized statements or prepared queries. Input validation does not reject SQL metacharacters before query construction.
Attack Vector
The attack vector is network-based and requires valid low-privileged credentials to the UISP Application. No user interaction is required. The attacker submits HTTP requests containing malicious SQL fragments to authenticated endpoints. The injected payload manipulates backend queries to read sensitive data, modify role assignments, or invoke database functionality enabling privilege escalation.
No public proof-of-concept exploit has been published. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The EPSS probability is 0.141% at the 33.871 percentile, indicating low predicted near-term exploitation activity.
Refer to the UI Community Security Advisory for vendor-supplied technical context.
Detection Methods for CVE-2025-24290
Indicators of Compromise
- Unexpected role or permission changes for UISP user accounts, particularly elevations from low-privileged tiers to administrative tiers.
- Database error messages or anomalous query patterns in UISP application logs referencing SQL syntax errors during authenticated sessions.
- Authentication events from low-privileged accounts immediately followed by administrative configuration changes.
- Outbound connections or device configuration pushes initiated by accounts not previously associated with such activity.
Detection Strategies
- Audit UISP application logs for SQL syntax artifacts in request parameters, including UNION, SELECT, --, and encoded variants on authenticated endpoints.
- Monitor the UISP database for unauthorized writes to user, role, and permission tables, correlating with the originating session identifier.
- Compare current UISP version against the patched release and flag any instance at version 2.4.206 or earlier as exposed.
Monitoring Recommendations
- Enable verbose application and web server logging on the UISP host and forward events to a centralized log platform for retention and analysis.
- Alert on any privilege change events combined with recent authentication from non-administrative source accounts.
- Review database query telemetry for queries that deviate from the application's expected query fingerprints.
How to Mitigate CVE-2025-24290
Immediate Actions Required
- Upgrade the UISP Application to a release later than 2.4.206 as published in the vendor advisory.
- Restrict network access to the UISP management interface to trusted administrator networks and VPN endpoints.
- Rotate credentials for all UISP user accounts, prioritizing administrative accounts, after applying the patch.
- Review audit logs for evidence of unauthorized privilege escalation prior to remediation.
Patch Information
Ubiquiti has released a fixed version addressing the SQL injection issues. Operators must update the UISP Application to the version specified in the UI Community Security Advisory. Self-hosted deployments require manual upgrade; managed deployments should confirm patch status with the hosting provider.
Workarounds
- Limit UISP account creation to trusted operators and remove unused low-privilege accounts that increase the attack surface.
- Place the UISP Application behind a web application firewall configured to block SQL injection signatures on authenticated endpoints.
- Enforce network segmentation between the UISP management plane and general-purpose user networks until the patch is applied.
# Verify installed UISP version on a self-hosted deployment
sudo docker exec -it unms sh -c 'cat /home/app/unms/package.json | grep version'
# Restrict access to the UISP web interface (example using iptables)
sudo iptables -A INPUT -p tcp --dport 443 -s <trusted_admin_subnet> -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
