Ubiquiti UniFi Protect Camera Vulnerability Allows Remote Code Execution by Attackers

Critical security vulnerabilities in Ubiquiti’s UniFi Protect surveillance ecosystem, one of them rated the maximum severity score of 10.0, could allow attackers to hijack cameras, execute malicious code remotely, and maintain unauthorized access to video feeds.

The flaws, disclosed on May 6, 2025, affect the UniFi Protect Cameras firmware and the UniFi Protect Application, exposing enterprise and home surveillance systems to exploitation.

Security researchers have urged immediate patching to mitigate risks of network compromise and privacy breaches.

The most severe vulnerability, tracked as CVE-2025-23123, stems from a heap buffer overflow in the firmware of UniFi Protect Cameras (versions 4.75.43 and earlier).

Attackers with access to the management network can exploit this flaw to trigger remote code execution (RCE), granting full control over affected devices.

The vulnerability’s CVSS v3.0 score of 10.0 reflects its criticality, with the attack vector classified as network-based (AV:N), requiring no user interaction or privileges (PR:N/UI:N).

Heap buffer overflows occur when a program writes data beyond the allocated memory space, corrupting adjacent data structures.

In this case, malformed network packets sent to the camera’s management interface overwhelm the buffer, enabling attackers to overwrite critical memory addresses.

Successful exploitation could allow deployment of malware, manipulation of video feeds, or lateral movement across connected networks.

The flaw’s “high” impacts on confidentiality, integrity, and availability (C:H/I:H/A:H) underscore its potential to disrupt physical security infrastructure.

Researcher Mathew Marcus, credited with discovering the vulnerability, emphasized that unpatched cameras in corporate or critical infrastructure environments could serve as entry points for ransomware attacks or espionage.

Ubiquiti has not disclosed whether active exploitation has been observed, but the low attack complexity (AC:L) suggests low barriers for threat actors.

Misconfigured Livestream Sharing Tokens

A secondary vulnerability, CVE-2025-23164 (CVSS 4.4), affects the UniFi Protect Application (versions 5.3.41 and earlier).

The flaw resides in the “Share Livestream” feature, which generates time-limited access links for external users.

Due to a misconfigured token revocation mechanism, recipients of disabled links retain access to livestreams indefinitely.

While less severe than the RCE flaw, this oversight creates persistent privacy risks, particularly for organizations sharing sensitive footage.

The attack vector requires initial access to a legitimate livestream link (PR:H) and hinges on Ubiquiti’s failure to invalidate tokens upon link deactivation.
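The class of bug described above can be modelled in a few lines. This is an added illustration, not Ubiquiti's code and not taken from the advisory: the `ShareLinks` class, its methods and the token format are hypothetical, and the flawed check is assumed to validate only the signature and expiry of a link while ignoring whether it has been disabled.

```python
import hashlib
import hmac
import secrets
import time

SECRET = secrets.token_bytes(32)  # signing key, constructed for this example


class ShareLinks:
    """Hypothetical share-link service (not the UniFi Protect implementation)."""

    def __init__(self):
        self.links = {}  # link_id -> {"camera", "expires", "enabled"}

    @staticmethod
    def _sign(link_id):
        return hmac.new(SECRET, link_id.encode(), hashlib.sha256).hexdigest()

    def create(self, camera, ttl, now=None):
        now = time.time() if now is None else now
        link_id = secrets.token_urlsafe(16)
        self.links[link_id] = {"camera": camera, "expires": now + ttl, "enabled": True}
        return f"{link_id}.{self._sign(link_id)}"

    def disable(self, token):
        link = self.links.get(token.partition(".")[0])
        if link is not None:
            link["enabled"] = False

    def _lookup(self, token):
        link_id, _, sig = token.partition(".")
        if not hmac.compare_digest(sig.encode(), self._sign(link_id).encode()):
            return None  # forged or corrupted token
        return self.links.get(link_id)

    def authorize_weak(self, token, now=None):
        """Flawed: checks signature and expiry, never the disabled flag."""
        now = time.time() if now is None else now
        link = self._lookup(token)
        return link is not None and now < link["expires"]

    def authorize(self, token, now=None):
        """Corrected: the link's current state is consulted on every request."""
        now = time.time() if now is None else now
        link = self._lookup(token)
        return link is not None and link["enabled"] and now < link["expires"]
```

A regression test for a fix of this kind disables a link and asserts that the very next request with the old token is refused.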

Though the complexity is high (AC:H), successful exploitation allows unauthorized parties to monitor video feeds covertly.

Researcher Mike S Schonert noted that threat actors could combine this flaw with social engineering tactics to harvest valid links, amplifying the risk of data leaks.

Unlike the network-wide implications of CVE-2025-23123, this vulnerability’s scope is limited to compromised livestreams (S:U).

However, industries like healthcare or education, where video feeds often contain sensitive personal data, face heightened exposure.

Ubiquiti’s advisory confirms that the flaw does not permit access to historical footage or other system components, mitigating its broader impact.

Mitigation and Vendor Response

Ubiquiti has released firmware updates to address both vulnerabilities. UniFi Protect Cameras must be upgraded to version 4.75.62 or later to resolve CVE-2025-23123, while the UniFi Protect Application requires version 5.3.45 or newer to fix CVE-2025-23164.
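One way to check an inventory against the version boundaries stated above (an added example, not a Ubiquiti tool; the device names, the `kind` labels and the inventory rows are constructed). Versions are compared numerically, and a version that falls between the last version listed as affected and the first version listed as fixed is reported as unconfirmed rather than guessed.

```python
import re

# Version boundaries as stated in the article; nothing else is assumed.
RULES = {
    "camera": {"cve": "CVE-2025-23123",
               "affected_max": (4, 75, 43), "fixed_min": (4, 75, 62)},
    "protect-app": {"cve": "CVE-2025-23164",
                    "affected_max": (5, 3, 41), "fixed_min": (5, 3, 45)},
}
ORDER = {"affected": 0, "unconfirmed": 1, "unknown": 2, "fixed": 3}


def parse_version(text):
    """Return (major, minor, patch) as ints, or None if the string is malformed."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(p) for p in m.groups()) if m else None


def classify(kind, version_text):
    rule = RULES.get(kind)
    version = parse_version(version_text)
    if rule is None or version is None:
        return "unknown"       # unrecognised device kind or unparsable version
    if version >= rule["fixed_min"]:
        return "fixed"
    if version <= rule["affected_max"]:
        return "affected"
    return "unconfirmed"       # between the two boundaries the article states


def audit(inventory):
    """Classify each (name, kind, version) row; most urgent rows first."""
    rows = [(name, kind, ver, classify(kind, ver)) for name, kind, ver in inventory]
    return sorted(rows, key=lambda r: (ORDER[r[3]], r[0]))


# Constructed sample inventory.
INVENTORY = [
    ("lobby-cam", "camera", "4.75.43"),
    ("dock-cam", "camera", "4.75.62"),
    ("lab-cam", "camera", "4.75.50"),
    ("old-cam", "camera", "4.9.1"),      # numerically older than 4.75.43
    ("nvr-1", "protect-app", "5.3.41"),
    ("nvr-2", "protect-app", "v5.3.45"),
    ("mystery", "camera", "4.75.x"),
]

if __name__ == "__main__":
    for name, kind, ver, status in audit(INVENTORY):
        print(f"{status:<12} {name:<10} {kind:<12} {ver}")
```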

The patches, distributed via Ubiquiti’s auto-update mechanism, modify memory management routines in the camera firmware and introduce strict token expiration protocols in the Protect Application.

Organizations unable to apply immediate updates should segment surveillance networks from critical infrastructure, restrict management interface access, and audit active livestream links.

Ubiquiti has also recommended disabling the “Share Livestream” feature until patches are deployed, though this may hinder collaboration in security operations centers.

While no workarounds exist for the RCE vulnerability, its exploitation requires proximity to the management network.

Enterprises should enforce zero-trust principles, requiring multi-factor authentication for network access and monitoring for anomalous traffic patterns.

The staggered disclosure timeline, with fixes released concurrently with advisories, highlights the coordinated effort between Ubiquiti and external researchers to minimize exposure windows.

As surveillance systems increasingly integrate with IoT ecosystems, these vulnerabilities underscore the importance of firmware hygiene.

With over 1.2 million UniFi Protect devices deployed globally, timely patching remains the most effective defense against weaponized exploits targeting physical and digital security infrastructures.
