Impact
An Improper Initialization flaw in the UniFi Protect Application allows a malicious actor who has network access to bypass authentication, granting unauthorized control over UniFi Protect Cameras. The vulnerability, classified as CWE-665, can be triggered when the application initializes camera sessions without properly validating authentication tokens, enabling an attacker to send requests that the cameras accept as legitimate. The primary consequence is loss of confidentiality, integrity, and availability of camera data and control interfaces, potentially allowing malicious recording, playback, or command execution.
Affected Systems
The flaw affects Ubiquiti Inc’s UniFi Protect Application, which manages the firmware and configuration of UniFi Protect Cameras. All camera models that rely on this application for authentication are susceptible, though the exact versions impacted are not enumerated in the public data. Administrators should review deployment configurations for this product line for potential exposure.
Risk and Exploitability
The CVSS score of 7.5 places this vulnerability in the high severity range. The EPSS score is < 1%, indicating a very low but non-zero probability of exploitation, and the absence of a KEV listing suggests there are no current reports of widespread exploitation. The likely attack vector is the local network where the cameras reside, reached by an attacker who has compromised or otherwise gained access to it; under certain conditions, the improper initialization can be triggered by unauthenticated request patterns that the cameras accept. While exploitation requires network proximity and specific configuration states, the severity warrants prompt action.
OpenCVE Enrichment