CVE-2025-23164 in UniFi Protect Application

Summary

by MITRE • 05/19/2025

A misconfigured access token mechanism in the Unifi Protect Application (Version 5.3.41 and earlier) could permit the recipient of a "Share Livestream" link to maintain access to the corresponding livestream subsequent to such link becoming disabled.


Analysis

by VulDB Data Team • 05/19/2025

The vulnerability identified as CVE-2025-23164 represents a critical access control flaw within the Unifi Protect Application ecosystem, specifically affecting versions 5.3.41 and earlier. This issue stems from a misconfigured access token mechanism that fundamentally undermines the security model governing livestream sharing functionality. The flaw manifests when users generate "Share Livestream" links, which are intended to provide temporary access to specific camera feeds for designated recipients. The system's improper handling of token expiration and revocation processes creates a persistent security risk where authorized parties can continue accessing streams even after administrators have disabled the original sharing links. This misconfiguration directly violates fundamental security principles of time-bound access control and proper resource management, creating a scenario where access permissions can outlast their intended validity period.

The technical implementation of this vulnerability involves the application's failure to properly invalidate or revoke access tokens when sharing links are disabled or expire. Access tokens in this context serve as temporary credentials that should automatically become invalid upon link deactivation, yet the system maintains active session states or cached permissions that persist beyond the intended access window. This mechanism likely involves a combination of server-side token validation and client-side session management that fails to synchronize properly when administrative actions are taken to disable sharing links. The flaw creates a state inconsistency where the system's internal access control lists continue to grant permissions despite external commands to revoke access, essentially allowing unauthorized prolonged access to sensitive video feeds that should be restricted.

From an operational perspective, this vulnerability presents significant risks to organizations relying on Unifi Protect for security monitoring and surveillance. The persistent access capability means that any individual who received a sharing link before its disablement can continue to view live streams indefinitely, potentially exposing sensitive surveillance data to unauthorized parties. This issue is particularly concerning for environments where access to surveillance feeds is restricted to specific personnel or timeframes, as the vulnerability effectively nullifies these access controls. The impact extends beyond simple privacy concerns to potential data breaches, compliance violations, and operational security failures, especially in regulated environments where access to surveillance data must be strictly controlled and auditable. Organizations may find that their security monitoring systems, which depend on proper access controls, are compromised by this flaw.

Mitigation strategies for CVE-2025-23164 should focus on immediate remediation through software updates to versions that address the access token handling mechanism. Organizations should implement comprehensive access control audits to identify and revoke any existing persistent access sessions that may have been established before the vulnerability was patched. Network monitoring should be enhanced to detect unusual access patterns or extended viewing sessions that could indicate exploitation of this vulnerability. The implementation of proper token lifecycle management, including immediate invalidation upon link disablement, should be enforced through system configuration reviews and security testing. This vulnerability aligns with CWE-613, which addresses inadequate session management, and could be mapped to ATT&CK techniques related to privilege escalation and persistent access through weakened access controls. Organizations should also consider implementing additional security layers such as multi-factor authentication for administrative access and enhanced logging of sharing activities to provide better audit trails and incident response capabilities.
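The following is an added illustration of the CWE-613 pattern the analysis describes and of the token lifecycle fix it recommends; it is not UniFi Protect code and makes no claim about how that product is implemented. The share-link store, the token format, the gateway classes and the fixed clock value are all constructed for the example. The weak gateway checks the link only when a viewer session is opened and then serves frames from a cached permission, so disabling the link has no effect on an already-open session; the hardened gateway re-checks the authoritative link record on every frame request and drops the session as soon as the link is disabled or expired.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed signing key for this example; a real deployment keeps it in a secret store.
SIGNING_KEY = secrets.token_bytes(32)


class ShareLinkStore:
    """Authoritative record of share links: the single source of truth for revocation."""

    def __init__(self):
        self.links = {}

    def create(self, camera_id, ttl_seconds, now=None):
        now = time.time() if now is None else now
        link_id = secrets.token_urlsafe(8)
        self.links[link_id] = {"camera": camera_id, "expires": now + ttl_seconds, "disabled": False}
        return link_id

    def disable(self, link_id):
        self.links[link_id]["disabled"] = True

    def is_active(self, link_id, now=None):
        now = time.time() if now is None else now
        link = self.links.get(link_id)
        return link is not None and not link["disabled"] and now < link["expires"]


def mint_token(link_id, expires):
    """HMAC-signed bearer token carrying only the link id and an expiry (constructed format)."""
    payload = base64.urlsafe_b64encode(json.dumps({"link": link_id, "exp": expires}).encode()).decode()
    sig = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def parse_token(token, now=None):
    """Return the payload if the signature is valid and the token is unexpired, else None."""
    now = time.time() if now is None else now
    try:
        payload, sig = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    data = json.loads(base64.urlsafe_b64decode(payload.encode()))
    if now >= data["exp"]:
        return None
    return data


class WeakStreamGateway:
    """CWE-613 pattern: the link is checked once at session start, then the cached
    session grants access until the token's own expiry, ignoring later disablement."""

    def __init__(self, store):
        self.store = store
        self.sessions = {}

    def open_session(self, token, now=None):
        data = parse_token(token, now)
        if data is None or not self.store.is_active(data["link"], now):
            return None
        session_id = secrets.token_urlsafe(8)
        self.sessions[session_id] = self.store.links[data["link"]]["camera"]  # cached permission
        return session_id

    def read_frame(self, session_id, now=None):
        return self.sessions.get(session_id)  # never re-validates the link


class HardenedStreamGateway(WeakStreamGateway):
    """Fix: every frame request re-checks the authoritative link state, so disabling
    the link takes effect immediately for sessions that are already open."""

    def open_session(self, token, now=None):
        data = parse_token(token, now)
        if data is None or not self.store.is_active(data["link"], now):
            return None
        session_id = secrets.token_urlsafe(8)
        self.sessions[session_id] = data["link"]  # store the link id, not a derived permission
        return session_id

    def read_frame(self, session_id, now=None):
        link_id = self.sessions.get(session_id)
        if link_id is None or not self.store.is_active(link_id, now):
            self.sessions.pop(session_id, None)  # drop the stale session on revocation
            return None
        return self.store.links[link_id]["camera"]


def demo(gateway_cls):
    """Share a livestream, open a viewer session, disable the link, and report which
    camera (if any) the already-open session can read before and after disablement."""
    store = ShareLinkStore()
    t0 = 1_700_000_000.0  # constructed fixed clock so the run is deterministic
    link_id = store.create("camera-01", ttl_seconds=3600, now=t0)
    token = mint_token(link_id, store.links[link_id]["expires"])
    gateway = gateway_cls(store)
    session = gateway.open_session(token, now=t0)
    before = gateway.read_frame(session, now=t0 + 1)
    store.disable(link_id)
    after = gateway.read_frame(session, now=t0 + 2)
    return before, after


if __name__ == "__main__":
    print("weak gateway:    ", demo(WeakStreamGateway))
    print("hardened gateway:", demo(HardenedStreamGateway))
```

The design point is that the bearer token and any cached session should carry only a reference to the share link, never the permission itself; the permission is recomputed from the link record on each access, which is what makes the administrator's "disable" action take effect immediately rather than at the token's expiry. A per-request lookup is cheap for a livestream gateway and is also the natural place to emit the audit event the analysis asks for.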

Responsible: HackerOne

Reservation: 01/12/2025

Disclosure: 05/19/2025

Moderation: accepted

CPE: ready

EPSS: 0.00297

KEV: no

Activities: very low
