CVE-2025-27212
Published: 04 August 2025
Summary
CVE-2025-27212 is a critical-severity Improper Input Validation (CWE-20) vulnerability in UniFi Access devices from Ui (Ubiquiti; vendor inferred from references). Its CVSS 3.1 base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 11.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-27212 is an improper input validation vulnerability, classified under CWE-20 (Improper Input Validation) and CWE-77 (Command Injection), that permits command injection in several UniFi Access hardware devices. The affected products are UniFi Access Reader Pro (versions 2.14.21 and earlier), UniFi Access G2 Reader Pro (1.10.32 and earlier), UniFi Access G3 Reader Pro (1.10.30 and earlier), UniFi Access Intercom (1.7.28 and earlier), UniFi Access G3 Intercom (1.7.29 and earlier), and UniFi Access Intercom Viewer (1.3.20 and earlier). The flaw received a CVSS 3.1 base score of 9.8.
An attacker with network access to the UniFi Access management network can supply crafted input that results in arbitrary command execution, potentially compromising confidentiality, integrity, and availability of the device without requiring authentication or user interaction.
The vendor advisory recommends immediate updates to the following fixed releases: UniFi Access Reader Pro 2.15.9 or later, UniFi Access G2 Reader Pro 1.11.23 or later, UniFi Access G3 Reader Pro 1.11.22 or later, UniFi Access Intercom 1.8.22 or later, UniFi Access G3 Intercom 1.8.22 or later, and UniFi Access Intercom Viewer 1.4.39 or later. The associated EPSS score remains flat at 0.0379 with no material increase observed after disclosure.
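Because the advisory gives only two endpoints per product (the last affected build and the first fixed build), an inventory check has to decide what to do with firmware that sits between them. The following Python is an added example, not Ubiquiti's code and not part of the advisory: it encodes the affected and fixed versions listed above, parses dotted firmware strings, and classifies each device in a constructed sample inventory (the host names, the "UniFi Switch" entry, and all versions in the sample are made up).

```python
"""
Added example (not Ubiquiti's code or part of the advisory): check an
inventory of UniFi Access devices against the affected and fixed firmware
versions published for CVE-2025-27212.  Version thresholds are taken from
the advisory; the inventory records at the bottom are constructed samples.
"""

# (last affected version, first fixed version) per product, from the advisory.
ADVISORY = {
    "UniFi Access Reader Pro":      ("2.14.21", "2.15.9"),
    "UniFi Access G2 Reader Pro":   ("1.10.32", "1.11.23"),
    "UniFi Access G3 Reader Pro":   ("1.10.30", "1.11.22"),
    "UniFi Access Intercom":        ("1.7.28",  "1.8.22"),
    "UniFi Access G3 Intercom":     ("1.7.29",  "1.8.22"),
    "UniFi Access Intercom Viewer": ("1.3.20",  "1.4.39"),
}


def parse_version(text):
    """Turn a dotted firmware version into a tuple of ints for ordering.

    A leading 'v' is dropped and parsing stops at the first component that
    does not start with digits, so '1.8.22-rc1' compares as (1, 8, 22).
    Build tags are therefore ignored; treat pre-release builds with care.
    """
    parts = []
    for component in text.strip().lstrip("vV").split("."):
        digits = ""
        for ch in component:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    if not parts:
        raise ValueError("unparseable firmware version: %r" % text)
    return tuple(parts)


def assess(product, version):
    """Classify one device against the advisory.

    Returns one of:
      'affected'   - at or below the last affected version
      'fixed'      - at or above the first fixed version
      'unverified' - between the two (the advisory says nothing about these
                     builds; treat as affected until the vendor confirms)
      'not-listed' - product is not named in the advisory
    """
    if product not in ADVISORY:
        return "not-listed"
    last_bad, first_good = (parse_version(v) for v in ADVISORY[product])
    current = parse_version(version)
    if current <= last_bad:
        return "affected"
    if current >= first_good:
        return "fixed"
    return "unverified"


def audit(inventory):
    """Map each host name to its assessment."""
    return {d["host"]: assess(d["product"], d["version"]) for d in inventory}


def needs_action(inventory):
    """Hosts that must be patched (or isolated until patched), sorted."""
    results = audit(inventory)
    return sorted(h for h, s in results.items() if s in ("affected", "unverified"))


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    {"host": "door-lobby-01", "product": "UniFi Access G2 Reader Pro",   "version": "1.10.32"},
    {"host": "door-lobby-02", "product": "UniFi Access G2 Reader Pro",   "version": "v1.11.23"},
    {"host": "gate-north",    "product": "UniFi Access G3 Intercom",     "version": "1.8.22"},
    {"host": "reception",     "product": "UniFi Access Intercom Viewer", "version": "1.4.1"},
    {"host": "switch-core",   "product": "UniFi Switch",                 "version": "7.0.0"},
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print("%-14s %s" % (host, status))
    print("needs action:", needs_action(SAMPLE_INVENTORY))
```

The "unverified" band is the part worth keeping: a 1.4.1 Intercom Viewer is newer than the last build the advisory calls affected but older than the first build it calls fixed, and since the vendor text does not say whether the intermediate builds carry the fix, the conservative reading is to schedule them for the same update and isolate them from the management network until it is applied.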
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-23556
Vulnerability details
An Improper Input Validation in certain UniFi Access devices could allow a Command Injection by a malicious actor with access to the UniFi Access management network.
Affected products:
- UniFi Access Reader Pro (version 2.14.21 and earlier)
- UniFi Access G2 Reader Pro (version 1.10.32 and earlier)
- UniFi Access G3 Reader Pro (version 1.10.30 and earlier)
- UniFi Access Intercom (version 1.7.28 and earlier)
- UniFi Access G3 Intercom (version 1.7.29 and earlier)
- UniFi Access Intercom Viewer (version 1.3.20 and earlier)
Mitigation (update to):
- UniFi Access Reader Pro version 2.15.9 or later
- UniFi Access G2 Reader Pro version 1.11.23 or later
- UniFi Access G3 Reader Pro version 1.11.22 or later
- UniFi Access Intercom version 1.8.22 or later
- UniFi Access G3 Intercom version 1.8.22 or later
- UniFi Access Intercom Viewer version 1.4.39 or later
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An unauthenticated, network-reachable command injection maps to Exploit Public-Facing Application (T1190) for the initial access step and to Command and Scripting Interpreter: Unix Shell (T1059.004) for the arbitrary shell commands the injected input executes on the device.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly addresses the improper input validation vulnerability by requiring validation of all inputs, which prevents the command injection.
- SI-2 (Flaw Remediation): mandates timely remediation by updating to the fixed firmware versions listed above.
- Restrict access to the UniFi Access management network: limits which hosts can reach the vulnerable devices, reducing an attacker's opportunity to exploit them before they are patched.