CVE-2025-24292 Overview
A misconfigured query vulnerability exists in Ubiquiti UniFi Network (v9.1.120 and earlier) that could allow unauthorized users to authenticate to Enterprise WiFi or VPN Server (L2TP and OpenVPN) using a device's MAC address from 802.1X or MAC Authentication. This authentication bypass occurs when both services are enabled and share the same RADIUS profile, creating a security gap where MAC addresses can be used as valid authentication credentials.
Critical Impact
Attackers who obtain or spoof a valid device MAC address could gain unauthorized access to enterprise WiFi networks or VPN servers, potentially bypassing intended network access controls and gaining a foothold for further network intrusion.
Affected Products
- UniFi Network v9.1.120 and earlier
- UniFi Network deployments using shared RADIUS profiles for 802.1X and MAC Authentication
- Enterprise WiFi and VPN Server (L2TP and OpenVPN) configurations
Discovery Timeline
- 2025-06-29 - CVE CVE-2025-24292 published to NVD
- 2025-06-30 - Last updated in NVD database
Technical Details for CVE-2025-24292
Vulnerability Analysis
This vulnerability is classified as CWE-287 (Improper Authentication), which represents a fundamental flaw in how the system validates user identity. The core issue stems from a misconfigured query within the UniFi Network application that fails to properly segregate authentication methods when 802.1X and MAC Authentication services share a common RADIUS profile.
In properly configured environments, 802.1X authentication requires certificate-based or credential-based validation, while MAC Authentication should serve as a fallback or supplementary mechanism for devices that cannot support 802.1X. However, this vulnerability allows the authentication boundary between these methods to be crossed, enabling MAC addresses—which are easily spoofable—to serve as valid authentication tokens for services that should require stronger credentials.
The attack requires network-level access and depends on a specific configuration state where both authentication services utilize the same RADIUS profile, introducing complexity that somewhat limits widespread exploitation.
Root Cause
The root cause is a misconfigured query within the UniFi Network authentication handling logic. When RADIUS profiles are shared between 802.1X and MAC Authentication services, the system fails to properly validate the authentication source and method, allowing MAC addresses registered for one service to be accepted as valid credentials for another. This represents a failure in authentication context separation.
Attack Vector
The vulnerability is exploitable over the network without requiring user interaction or prior authentication. An attacker would need to:
- Identify a target UniFi Network deployment using shared RADIUS profiles
- Obtain a valid device MAC address (through network sniffing, reconnaissance, or social engineering)
- Spoof the MAC address or use it directly to authenticate to Enterprise WiFi or VPN services
- Gain network access that should have required stronger authentication credentials
The attack is constrained by the need for the target environment to have both services enabled with shared RADIUS profiles, which adds complexity to successful exploitation.
Detection Methods for CVE-2025-24292
Indicators of Compromise
- Unusual authentication events where MAC addresses are used to authenticate to VPN services (L2TP or OpenVPN)
- Multiple authentication attempts from the same MAC address across different network entry points
- Authentication logs showing successful access without corresponding 802.1X certificate validation
- Concurrent sessions from the same MAC address originating from different geographic locations or network segments
Detection Strategies
- Enable verbose RADIUS authentication logging to capture authentication method details
- Monitor for authentication events that use MAC addresses for services typically requiring 802.1X credentials
- Implement alerts for VPN authentication attempts that bypass expected certificate-based validation
- Review RADIUS profile configurations to identify shared profiles between 802.1X and MAC Authentication
Monitoring Recommendations
- Deploy network monitoring to track unusual authentication patterns and MAC address usage
- Configure SIEM rules to correlate authentication events across WiFi and VPN services
- Establish baseline authentication behavior to identify anomalous access attempts
- Regularly audit RADIUS configurations and authentication logs for compliance with security policies
How to Mitigate CVE-2025-24292
Immediate Actions Required
- Upgrade UniFi Network to a version newer than v9.1.120 that addresses this vulnerability
- Review and separate RADIUS profiles used for 802.1X and MAC Authentication services
- Audit current network access to identify any potentially unauthorized connections
- Implement network segmentation to limit the impact of potential unauthorized access
Patch Information
Ubiquiti has addressed this vulnerability in UniFi Network versions released after v9.1.120. Organizations should consult the UI Security Advisory Bulletin #049 for specific patch versions and update instructions. It is recommended to update to the latest available version to ensure all security fixes are applied.
Workarounds
- Create separate RADIUS profiles for 802.1X and MAC Authentication services to prevent cross-authentication
- Disable MAC Authentication on sensitive network segments until the patch can be applied
- Implement additional network access controls such as certificate pinning for VPN connections
- Enable strict authentication logging and monitoring to detect potential exploitation attempts
Administrators should review their UniFi Network RADIUS configuration to ensure authentication services are properly segregated:
# Configuration example
# Review UniFi Network RADIUS profile configuration
# Ensure separate profiles for 802.1X and MAC Authentication
# 1. Access UniFi Network Controller settings
# 2. Navigate to Profiles > RADIUS
# 3. Verify 802.1X and MAC Auth use separate profiles
# 4. If shared, create distinct profiles for each service
# 5. Apply changes and restart affected services
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
