Description
A malicious actor with access to the network and under certain conditions could exploit an Improper Initialization vulnerability found in UniFi Protect Application to bypass authentication in UniFi Protect Cameras.
Published: 2026-07-02
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An Improper Initialization flaw in the UniFi Protect Application allows a malicious actor who has network access to bypass authentication, granting unauthorized control over UniFi Protect Cameras. The vulnerability, classified as CWE-665, can be triggered when the application initializes camera sessions without properly validating authentication tokens, enabling an attacker to send requests that the cameras accept as legitimate. The primary consequence is loss of confidentiality, integrity, and availability of camera data and control interfaces, potentially allowing malicious recording, playback, or command execution.

Affected Systems

The flaw affects Ubiquiti Inc.'s UniFi Protect Application, which manages the firmware and configuration of UniFi Protect Cameras. All camera models that rely on this application for authentication are susceptible, though the exact versions impacted are not enumerated in the public data. Administrators should review deployment configurations for this product line for potential exposure.

Risk and Exploitability

The CVSS score of 7.5 places this vulnerability in the High severity band. The EPSS score is < 1%, indicating a very low, non-zero exploitation probability, and the absence of a KEV listing suggests no current widespread exploitation reports. The likely attack scenario is an attacker who has compromised or accessed the local network where the cameras reside; under certain conditions, the improper initialization can be triggered by unauthenticated request patterns that the cameras accept. While exploitation requires network proximity and specific configuration states, the severity warrants prompt action.

Generated by OpenCVE AI on July 3, 2026 at 18:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest vendor patch for the UniFi Protect Application to address the Improper Initialization flaw.
  • Update camera firmware to the version that includes the authentication fix provided by Ubiquiti.
  • Limit camera network exposure by restricting access to trusted hosts, enforcing VLAN isolation, and configuring firewall rules that block unauthenticated traffic.

Advisories

No advisories yet.

History

Fri, 03 Jul 2026 18:30:00 +0000

Type Values Removed Values Added
Title Improper Initialization Allows Authentication Bypass in UniFi Protect Cameras

Fri, 03 Jul 2026 10:45:00 +0000

Type Values Removed Values Added
Title UniFi Protect Camera Authentication Bypass via Improper Initialization

Thu, 02 Jul 2026 23:45:00 +0000

Type Values Removed Values Added
Title UniFi Protect Camera Authentication Bypass via Improper Initialization

Thu, 02 Jul 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 02 Jul 2026 15:15:00 +0000

Type Values Removed Values Added
Description A malicious actor with access to the network and under certain conditions could exploit an Improper Initialization vulnerability found in UniFi Protect Application to bypass authentication in UniFi Protect Cameras.
Weaknesses CWE-665
References
Metrics cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: hackerone

Published:

Updated: 2026-07-02T16:10:07.537Z

Reserved: 2026-06-13T15:00:00.605Z

Link: CVE-2026-54409

Vulnrichment

Updated: 2026-07-02T16:10:00.967Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-03T18:15:15Z

Weaknesses