
Ubiquiti has released urgent security updates for its UniFi Protect camera firmware and application after disclosing two vulnerabilities, one of which received a critical CVSS score of 10.0 due to its remote code execution (RCE) potential.
Both flaws could allow attackers to gain unauthorized access to video streams or execute code remotely, posing serious risks to network and physical security.
The first vulnerability, tracked as CVE-2025-23123 and discovered by researcher Mathew Marcus, affects UniFi Protect Cameras running firmware version 4.75.43 and earlier. It stems from a heap buffer overflow that could be exploited by an attacker with access to the management network. If successfully exploited, it could allow for remote code execution with high confidentiality, integrity, and availability impacts. Ubiquiti has patched the issue in firmware version 4.75.62, which is now available for all supported camera models.
The second flaw, identified as CVE-2025-23164 and credited to Mike S. Schonert, involves a misconfigured access token mechanism in the UniFi Protect Application versions 5.3.41 and earlier. When a livestream was shared via the “Share Livestream” link, users could continue accessing it even after the link was disabled. This represents a medium-severity flaw with a CVSS score of 4.4, highlighting a security oversight in session invalidation. The fix was implemented in UniFi Protect Application version 5.3.45.
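The session-invalidation oversight described above, as an added illustration (not Ubiquiti's code; the link store, token layout and HMAC scheme are assumptions): a share token that is validated only by its own signature and expiry keeps working after the link is disabled, whereas consulting the link record on every request makes disabling the link revoke access.

```python
"""Added example: revoking a share link must revoke its tokens.

Constructed model: a share link is a record {id: {"enabled": bool}}; the
viewer's token is an HMAC-signed blob carrying the link id and an expiry.
"""
import base64, binascii, hashlib, hmac, json

SECRET = b"constructed-demo-key"  # placeholder, not a real key

def _b64(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).decode().rstrip("=")

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(link_id: str, ttl: int, now: float) -> str:
    payload = json.dumps({"link": link_id, "exp": now + ttl}).encode()
    sig = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)

def _verify(token: str, now: float):
    """Return the payload dict if signature and expiry hold, else None."""
    try:
        p, s = token.split(".")
        payload, sig = _unb64(p), _unb64(s)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    data = json.loads(payload)
    return data if data["exp"] > now else None

def can_view_vulnerable(token: str, links: dict, now: float) -> bool:
    # Bug class: only the self-contained token is checked, so a token for a
    # link that has since been disabled still grants access.
    return _verify(token, now) is not None

def can_view_fixed(token: str, links: dict, now: float) -> bool:
    # Fix: the token is a reference to a link record, and the record's
    # current 'enabled' flag is the source of truth on every request.
    data = _verify(token, now)
    if data is None:
        return False
    link = links.get(data["link"])
    return link is not None and link["enabled"]
```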
UniFi Protect is Ubiquiti's proprietary video surveillance platform, widely deployed in both enterprise and residential environments. It integrates with Ubiquiti's network hardware and supports various models of IP cameras, offering local and cloud-based management through the UniFi OS ecosystem. Given its use in security-critical environments, any compromise can have broad implications.
Despite the availability of patches, community feedback suggests that upgrading to the fixed versions may introduce operational friction. In the 5.3.45 application update thread, users reported post-update issues, including camera access problems for limited-permission users, livestream resolution drops, and dashboard interfaces showing only promotional content instead of live feeds. Several users were required to manually reassign camera permissions or perform firmware rollbacks to restore functionality. Others noted lingering problems with custom doorbell sounds and call group settings.
Similarly, for firmware version 4.75.62, some camera models — particularly G3, G4, and G5 series — failed to reconnect after updating, requiring physical resets or multi-step upgrade paths. Additional issues include choppy video on PTZ models, vehicle detection anomalies, and persistent bugs with spotlight activation and playback framerate on certain browsers.
Still, the severity of CVE-2025-23123 is such that, whatever friction the updates may introduce, delaying their application could expose networks to high-impact intrusions.