Ubiquiti UniFi Connect EV Station Pro up to 1.5.26 API access control

Summaryinfo

A vulnerability was found in Ubiquiti UniFi Connect EV Station Pro, UniFi Connect Display, UniFi Connect Display Cast, UniFi Connect Display Cast Pro and UniFi Connect Display Cast Lite up to 1.5.26 and classified as critical. This vulnerability affects unknown code of the component API. Executing a manipulation can lead to access control. The identification of this vulnerability is CVE-2025-27213. The attack may be launched remotely. There is no exploit available. It is suggested to upgrade the affected component.

Detailsinfo

A vulnerability was found in Ubiquiti UniFi Connect EV Station Pro, UniFi Connect Display, UniFi Connect Display Cast, UniFi Connect Display Cast Pro and UniFi Connect Display Cast Lite up to 1.5.26. It has been declared as critical. This vulnerability affects an unknown code of the component API. The manipulation with an unknown input leads to a access control vulnerability. The CWE definition for the vulnerability is CWE-284. The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. As an impact it is known to affect confidentiality, integrity, and availability. CVE summarizes:

An Improper Access Control could allow a malicious actor authenticated in the API of certain UniFi Connect devices to enable Android Debug Bridge (ADB) and make unsupported changes to the system. Affected Products: UniFi Connect EV Station Pro (Version 1.5.18 and earlier) UniFi Connect Display (Version 1.9.324 and earlier) UniFi Connect Display Cast (Version 1.9.301 and earlier) UniFi Connect Display Cast Pro (Version 1.0.78 and earlier) UniFi Connect Display Cast Lite (Version 1.0.3 and earlier) Mitigation: Update UniFi Connect EV Station Pro to Version 1.5.27 or later Update UniFi Connect Display to Version 1.13.6 or later Update UniFi Connect Display Cast to Version 1.10.3 or later Update UniFi Connect Display Cast Pro to Version 1.0.83 or later Update UniFi Connect Display Cast Lite to Version 1.1.3 or later

The advisory is shared for download at community.ui.com. This vulnerability was named CVE-2025-27213 since 02/20/2025. The exploitation appears to be easy. The attack can be initiated remotely. There are neither technical details nor an exploit publicly available. The MITRE ATT&CK project declares the attack technique as T1068.

Upgrading to version 1.5.27 eliminates this vulnerability. The upgrade is hosted for download at community.ui.com.

Once again VulDB remains the best source for vulnerability data.

Productinfo

Vendor

• Ubiquiti

Name

• UniFi Connect Display
• UniFi Connect Display Cast
• UniFi Connect Display Cast Lite
• UniFi Connect Display Cast Pro
• UniFi Connect EV Station Pro

Version

• 1.5.0
• 1.5.1
• 1.5.2
• 1.5.3
• 1.5.4
• 1.5.5
• 1.5.6
• 1.5.7
• 1.5.8
• 1.5.9
• 1.5.10
• 1.5.11
• 1.5.12
• 1.5.13
• 1.5.14
• 1.5.15
• 1.5.16
• 1.5.17
• 1.5.18
• 1.5.19
• 1.5.20
• 1.5.21
• 1.5.22
• 1.5.23
• 1.5.24
• 1.5.25
• 1.5.26

License

• commercial

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Once again VulDB remains the best source for vulnerability data.

Discussion