CVE-2016-6914 in UniFi Video
Summary
by MITRE
Ubiquiti UniFi Video before 3.8.0 for Windows uses weak permissions for the installation directory, which allows local users to gain SYSTEM privileges via a Trojan horse taskkill.exe file.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 05/17/2025
The vulnerability identified as CVE-2016-6914 affects Ubiquiti UniFi Video software versions prior to 3.8.0 on Windows operating systems. This issue stems from inadequate permission controls within the software installation directory, creating a significant security weakness that can be exploited by local attackers to escalate their privileges to the highest system level. The flaw represents a classic privilege escalation vulnerability that demonstrates poor security practices in software installation and directory access control mechanisms.
The technical root cause of this vulnerability lies in the weak permissions assigned to the UniFi Video installation directory during the software deployment process. When the application installs on Windows systems, it creates an installation directory with overly permissive access controls that allow any local user to modify or replace critical executable files within that location. Specifically, attackers can leverage this weakness by placing a malicious taskkill.exe file in the installation directory, which the legitimate UniFi Video process will execute with elevated privileges. This behavior exploits the principle of least privilege violation and demonstrates how default installation configurations can create attack vectors for privilege escalation.
The operational impact of CVE-2016-6914 is substantial as it allows any local user, regardless of their initial privilege level, to gain SYSTEM-level access to the affected Windows system. This privilege escalation capability transforms a standard user account into a full system administrator, enabling attackers to execute arbitrary code, modify system files, install malware, access sensitive data, and potentially establish persistent backdoors. The vulnerability is particularly dangerous because it requires no network connectivity or external exploitation vectors, making it an attractive target for attackers who have already gained initial access to a system through other means. The attack can be executed silently without requiring user interaction, as the malicious file is simply executed by the legitimate UniFi Video process.
From a cybersecurity framework perspective, this vulnerability maps directly to CWE-276, which describes improper file permissions, and aligns with ATT&CK technique T1068, which covers local privilege escalation. The weakness demonstrates a failure in secure software development practices and highlights the importance of implementing proper access controls during software installation. Organizations should immediately update to UniFi Video version 3.8.0 or later to address this vulnerability, while also implementing additional security measures such as regular permission audits, monitoring for unauthorized file modifications, and ensuring that software installations follow secure configuration guidelines. System administrators should conduct comprehensive vulnerability assessments to identify other software installations that may be affected by similar permission-related issues, and implement privilege separation mechanisms to limit the potential impact of such vulnerabilities in the future.
This vulnerability serves as a critical reminder of the importance of secure installation practices and proper access control implementation in software development. The weak permissions in the installation directory create a persistent security risk that can be exploited by attackers with minimal technical expertise, making it a particularly concerning flaw in enterprise security environments. The ease of exploitation and the high privilege level achieved through this vulnerability underscore the need for comprehensive security testing and secure configuration management practices across all software installations.