Cyber Resilience

CVE-2019-25651

High · Public PoC

Published: 27 March 2026

Modified: 30 March 2026
KEV Added
Patch
CVSS Score v4: 8.7 (CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0001 (0.7th percentile)
Risk Priority: 17 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2019-25651 is a high-severity Use of a Broken or Risky Cryptographic Algorithm (CWE-327) vulnerability in Ui (inferred from references). Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Network Sniffing (T1040). The CVE ranks at the 0.7th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-13 (Cryptographic Protection) and SC-8 (Transmission Confidentiality and Integrity).

Deeper analysis

CVE-2019-25651 is a cryptographic vulnerability in Ubiquiti UniFi products, stemming from the use of AES-CBC encryption for device-to-controller communication. This implementation contains weaknesses that enable attackers to recover encryption keys from captured traffic, linked to CWE-327 (Use of a Broken or Risky Cryptographic Algorithm). Affected components include UniFi Network Controller prior to version 5.10.12 (excluding 5.6.42), UAP firmware prior to 4.0.6, UAP-AC, UAP-AC v2, and UAP-AC Outdoor firmware prior to 3.8.17, USW firmware prior to 4.0.6, and USG firmware prior to 4.4.34. The issue carries a CVSS v3.1 base score of 8.3 (AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H).

Attackers with adjacent network access can exploit this by capturing sufficient encrypted traffic between devices and the controller, then leveraging AES-CBC mode vulnerabilities—such as padding oracle or chosen-plaintext attacks—to derive the encryption keys. Successful exploitation grants unauthorized control and management of affected network devices, compromising confidentiality, integrity, availability, and expanding the attack surface due to the changed scope.

Ubiquiti's Security Advisory Bulletin and related vendor guidance recommend upgrading to patched versions, such as UniFi Network Controller 5.10.12 or later, UAP firmware 4.0.6 or later, UAP-AC series firmware 3.8.17 or later, USW firmware 4.0.6 or later, and USG firmware 4.4.34 or later, to mitigate the key recovery risk. Additional details are available in the Ubiquiti community advisory and VulnCheck analysis.
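
The version thresholds above can be checked against a device inventory. The following is an added example, not code from Ubiquiti or from this page's source: the family labels, the inventory tuple format and the sample rows are constructed, and it assumes "excluding 5.6.42" means that exact controller build is not affected.

```python
import re

# Fixed-version thresholds as stated in the advisory text above.
# The family keys are hypothetical labels for this example's inventory format.
FIXED = {
    "controller": (5, 10, 12),
    "uap": (4, 0, 6),
    "uap-ac": (3, 8, 17),  # UAP-AC, UAP-AC v2 and UAP-AC Outdoor
    "usw": (4, 0, 6),
    "usg": (4, 4, 34),
}
# Assumption: only this exact controller build is excluded from the affected range.
CONTROLLER_EXCLUDED = {(5, 6, 42)}


def parse_version(text):
    """Return the leading major.minor.patch as a tuple of ints, or None."""
    m = re.match(r"\s*v?(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(g) for g in m.groups()) if m else None


def classify(family, version_text):
    """Return 'affected', 'not affected' or 'unknown' for one inventory entry."""
    key = family.strip().lower()
    fixed = FIXED.get(key)
    ver = parse_version(version_text)
    if fixed is None or ver is None:
        return "unknown"  # unlisted family or unparsable version: review by hand
    if key == "controller" and ver in CONTROLLER_EXCLUDED:
        return "not affected"
    # Tuple comparison is numeric, so 4.0.10 correctly sorts after 4.0.6.
    return "affected" if ver < fixed else "not affected"


def audit(inventory):
    """Classify every (name, family, version) row of an inventory."""
    return [(n, f, v, classify(f, v)) for n, f, v in inventory]


# Constructed sample inventory; a build suffix after the third component is ignored.
SAMPLE = [
    ("ctrl-01", "controller", "5.9.29"),
    ("ctrl-02", "controller", "5.6.42"),
    ("ap-lobby", "uap", "4.0.6.9989"),
    ("ap-roof", "uap-ac", "3.8.16"),
    ("sw-core", "usw", "4.0.10"),
    ("gw-edge", "usg", "4.4.29"),
    ("cam-01", "uvc", "4.1.0"),
]

if __name__ == "__main__":
    for name, family, version, status in audit(SAMPLE):
        print(f"{name:10} {family:11} {version:12} {status}")
```

Rows reported as unknown are not cleared; they need a manual check against the vendor advisory.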

Vulnerability details

Ubiquiti UniFi Network Controller prior to 5.10.12 (excluding 5.6.42), UAP FW prior to 4.0.6, UAP-AC, UAP-AC v2, and UAP-AC Outdoor FW prior to 3.8.17, USW FW prior to 4.0.6, USG FW prior to 4.4.34 uses AES-CBC encryption for device-to-controller communication, which contains cryptographic weaknesses that allow attackers to recover encryption keys from captured traffic. Attackers with adjacent network access can capture sufficient encrypted traffic and exploit AES-CBC mode vulnerabilities to derive the encryption keys, enabling unauthorized control and management of network devices.

Related Threats

MITRE ATT&CK Enterprise Techniques · AI

T1040 Network Sniffing (Credential Access)
Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network.

T1557 Adversary-in-the-Middle (Credential Access)
Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as Network Sniffing…

Why these techniques?

Vulnerability enables offline key recovery from passively captured device-controller traffic (T1040) and subsequent decryption/re-encryption of the channel for unauthorized control (T1557).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-13476 · Shared CWE-327
CVE-2025-66597 · Shared CWE-327
CVE-2025-66598 · Shared CWE-327
CVE-2024-8603 · Shared CWE-327
CVE-2026-24785 · Shared CWE-327
CVE-2024-31896 · Shared CWE-327
CVE-2024-4282 · Shared CWE-327
CVE-2026-1627 · Shared CWE-327
CVE-2026-1626 · Shared CWE-327
CVE-2026-34950 · Shared CWE-327

Affected Assets

Ui
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) · AI

prevent

Mandates implementation of NIST-approved cryptographic mechanisms to protect device-to-controller communications, directly addressing the weak AES-CBC encryption that enables key recovery from captured traffic.

prevent

Requires protection of confidentiality and integrity for transmitted information using appropriate cryptographic controls, mitigating risks from capturing and exploiting encrypted traffic between Ubiquiti devices and controller.

prevent

Ensures timely identification, reporting, and remediation of flaws like the AES-CBC cryptographic weakness through patching to vendor-recommended versions.
