Critical Ubiquiti UniFi Protect Vulnerabilities Are Being Targeted: Patch Now
CVE-2025-23123, a CVSS 10.0 flaw in UniFi Protect cameras, allows remote code execution. Thousands of devices remain exposed. Here's what to do.

A critical vulnerability in Ubiquiti UniFi Protect camera firmware, tracked as CVE-2025-23123, carries a CVSS score of 10.0 and allows unauthenticated remote code execution. Security researchers have confirmed that attackers are actively scanning for and targeting exposed UniFi Protect devices, and Shodan queries show thousands of UniFi Protect systems still reachable from the internet. If your business uses Ubiquiti UniFi cameras or other UniFi Protect infrastructure, patch your firmware immediately.
Ubiquiti equipment is common in small and mid-sized businesses because it offers enterprise-style features at a lower price point than Cisco or Fortinet alternatives. That popularity makes these vulnerabilities especially relevant for SMBs: many businesses deployed UniFi cameras for office security, warehouse monitoring, or facility access control and may not have a structured process for updating firmware on those devices.
What the Vulnerabilities Do
CVE-2025-23123 is a heap buffer overflow in the UniFi Protect camera firmware. An attacker who can reach a vulnerable camera over the network can send a specially crafted request that overflows a buffer in memory, allowing them to execute arbitrary code on the device with full system privileges. No authentication is required. A perfect CVSS 10.0 means maximum severity across every scoring dimension: network-accessible, low complexity, no privileges required, no user interaction needed, and complete compromise of confidentiality, integrity, and availability.
Once an attacker has code execution on a camera, they have a foothold inside your network. Cameras typically sit on the same network as other internal systems, or at minimum on a poorly segmented VLAN that has access to management interfaces. From a compromised camera, an attacker can pivot to other devices on the network, intercept traffic, establish persistent access, or use the device as a launching point for lateral movement toward servers, workstations, and Active Directory.
Ubiquiti disclosed additional vulnerabilities alongside CVE-2025-23123. CVE-2025-23124 is a stored cross-site scripting flaw in the UniFi Protect Application that could allow an attacker to inject malicious scripts into the management interface. CVE-2025-23125 is a denial-of-service vulnerability in the same application that could be used to crash the surveillance management platform. Both carry CVSS 7.5 ratings. The combination of all three means an attacker could compromise cameras, inject scripts into the management console, and disrupt surveillance operations simultaneously.
Why SMBs Are Disproportionately Exposed
Enterprise organizations typically segment their camera systems onto isolated VLANs with strict firewall rules that prevent cameras from communicating with anything except the video management server. Most SMBs do not do this. A 75-person company that deployed UniFi cameras usually put them on the same network as everything else, managed through the same UniFi controller that handles their Wi-Fi access points and switches.
That flat network architecture turns a camera vulnerability into a full network compromise path. If your cameras can reach your file server, your domain controller, and your workstations, an attacker who compromises a camera can reach them too.
The other exposure factor is firmware management. Ubiquiti devices are often deployed and forgotten. Unlike Windows endpoints that receive patches through automated systems like WSUS or your RMM platform, camera firmware updates require someone to actively check for new versions and apply them. Many SMBs have never updated their camera firmware after the initial installation.
Researchers found that thousands of UniFi Protect devices are directly accessible from the internet, meaning they don’t even have basic firewall protection between them and the public internet. Some of these are intentionally exposed for remote viewing. Others are exposed through misconfigured port forwarding, UPnP, or cloud relay configurations that bypass the firewall entirely.
What to Do Right Now
1. Update UniFi Protect Firmware and Application
Ubiquiti has released patched versions that address all three CVEs. Update your UniFi Protect camera firmware and your UniFi Protect Application (the NVR/management software) to the latest available versions. Log into your UniFi controller, check for available firmware updates across all adopted devices, and apply them.
If you have cameras running firmware that is more than six months old, you should treat this as urgent. The vulnerability has been public for over a year, exploit code circulates freely, and attackers are actively scanning for vulnerable devices.
2. Remove Internet Exposure
No security camera should be directly accessible from the internet. If your UniFi Protect system is reachable from outside your network, fix that today.
- Disable UPnP on your firewall. UPnP allows devices to automatically create port forwarding rules, and cameras will use this to make themselves accessible from the internet without anyone deliberately configuring it.
- Audit your firewall rules for port forwarding to UniFi devices. Remove any rules that forward traffic from the internet to camera IP addresses or the UniFi Protect application port.
- If you need remote camera access, use a VPN to connect to your network first, then access the cameras through the internal network. Ubiquiti’s cloud remote access feature routes through Ubiquiti’s servers, which adds a layer of protection, but direct port forwarding bypasses this entirely.
3. Segment Your Camera Network
Cameras should live on their own VLAN with firewall rules that restrict what they can communicate with. At minimum, cameras should only be able to talk to the UniFi Protect NVR and receive DNS. They should not have access to your file servers, domain controllers, workstations, or the broader internet.
If you run a UniFi Security Gateway or UniFi Dream Machine as your firewall, these devices support VLAN creation and inter-VLAN firewall rules natively. Your managed IT provider can configure this in an afternoon, and it dramatically reduces the blast radius of any future camera vulnerability.
4. Audit for Compromise Indicators
If your cameras were running vulnerable firmware and were accessible from the internet (or from a network segment that internet-facing devices also occupy), you should check for signs of compromise.
- Review UniFi controller logs for unexpected device adoptions, configuration changes, or firmware rollback attempts.
- Check network traffic logs from your firewall for unusual outbound connections from camera IP addresses, especially to unfamiliar external hosts or on non-standard ports.
- Look for new or modified firewall rules that you or your team did not create, which could indicate an attacker establishing persistent remote access.
If you find anything suspicious, isolate the affected cameras from the network, preserve logs, and engage your security provider for a full investigation before reconnecting the devices.
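The segmentation policy from step 3 and the log review in step 4 are two sides of the same check: write down which destinations the camera VLAN is allowed to reach, then run the firewall's flow records against that policy and flag anything camera-originated that falls outside it. The script below is an added example written for this article, not Ubiquiti code and not a UniFi controller export. The addresses, the log line format and the sample records are constructed; the NVR ports 7442 and 7447 are commonly documented UniFi Protect camera ports but are treated here as an assumption to confirm against your own deployment.

```python
"""Camera-VLAN egress policy check over constructed firewall flow logs."""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network

# Constructed addressing; replace with your own VLAN and server addresses.
CAMERA_VLAN = ip_network("10.20.0.0/24")       # dedicated camera VLAN
INTERNAL_NETS = [ip_network("10.0.0.0/8")]     # everything the org treats as internal
NVR_IP = ip_address("10.10.0.5")               # UniFi Protect NVR
DNS_SERVERS = {ip_address("10.10.0.2")}        # internal resolver
# Ports cameras need on the NVR. 7442 (management) and 7447 (RTSPS) are commonly
# documented UniFi Protect camera ports but are an assumption here; verify them.
NVR_PORTS = {7442, 7447}


@dataclass(frozen=True)
class Flow:
    ts: str
    action: str        # ALLOW or DENY as recorded by the firewall
    proto: str         # tcp or udp
    src: IPv4Address
    dst: IPv4Address
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow-log line:
    '<ts> <ACTION> <proto> <src>:<sport> -> <dst>:<dport>'."""
    ts, action, proto, src, _arrow, dst = line.split()
    src_ip, _sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return Flow(ts, action.upper(), proto.lower(),
                ip_address(src_ip), ip_address(dst_ip), int(dport))


def policy_allows(flow: Flow) -> bool:
    """Intended least-privilege egress policy for the camera VLAN: cameras may
    reach the NVR on its service ports and the resolver on 53, nothing else.
    Traffic not originating from a camera is out of scope for this check."""
    if flow.src not in CAMERA_VLAN:
        return True
    if flow.dst == NVR_IP and flow.proto == "tcp" and flow.dport in NVR_PORTS:
        return True
    if flow.dst in DNS_SERVERS and flow.dport == 53:
        return True
    return False


def is_internal(addr: IPv4Address) -> bool:
    return any(addr in net for net in INTERNAL_NETS)


def explain(flow: Flow) -> str:
    """Why a camera-originated flow violates the policy."""
    if not is_internal(flow.dst):
        return "outbound to external host"
    if flow.dst == NVR_IP:
        return "unexpected port on NVR"
    return "lateral connection to internal host"


def audit(lines) -> list[dict]:
    """One finding per camera-originated flow the policy does not permit.
    ALLOW on a violating flow means the deployed rule set is looser than the
    intended policy; DENY means an attempt was blocked and still merits review."""
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        flow = parse_flow(raw)
        if policy_allows(flow):
            continue
        findings.append({
            "ts": flow.ts,
            "src": str(flow.src),
            "dst": f"{flow.dst}:{flow.dport}/{flow.proto}",
            "reason": explain(flow),
            "status": ("policy gap: traffic was permitted"
                       if flow.action == "ALLOW" else "blocked attempt"),
        })
    return findings


# Constructed sample log: two normal camera flows, three that should be flagged,
# and one admin-to-camera flow that is not camera-originated.
SAMPLE_LOG = """
2025-06-01T02:14:03Z ALLOW tcp 10.20.0.11:51422 -> 10.10.0.5:7442
2025-06-01T02:14:05Z ALLOW udp 10.20.0.11:40021 -> 10.10.0.2:53
2025-06-01T02:15:10Z ALLOW tcp 10.20.0.14:49211 -> 203.0.113.77:4444
2025-06-01T02:15:12Z ALLOW tcp 10.20.0.14:49212 -> 10.10.0.20:445
2025-06-01T02:16:00Z DENY tcp 10.20.0.14:49213 -> 10.10.0.10:389
2025-06-01T02:16:30Z ALLOW tcp 10.10.0.50:52000 -> 10.20.0.11:80
""".strip().splitlines()

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} -> {f['dst']}: {f['reason']} ({f['status']})")
```

The same `policy_allows` function is the specification for the inter-VLAN firewall rules: anything it returns `False` for should be a deny rule on the gateway, and a finding marked "policy gap" means the deployed rules do not yet match it. Feed it your firewall's exported flow or connection logs after adapting `parse_flow` to their format.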
The Firmware Blind Spot
This incident highlights a broader problem that affects most SMBs: firmware on network devices (cameras, access points, switches, and firewalls) often goes unpatched for months or years because it falls outside the scope of standard endpoint patching tools.
Your automated patch management system handles Windows updates, Office patches, and third-party application updates on workstations and servers. It does not handle firmware on IoT devices, cameras, or network infrastructure. That gap creates a blind spot where critical vulnerabilities persist long after fixes are available.
A structured vulnerability management program includes firmware in its scanning scope. Regular vulnerability scans that cover your full IP range (not just endpoints) will flag devices running outdated firmware, giving you visibility into exactly which devices need attention. Our network management service includes firmware lifecycle tracking for all managed network devices, so cameras and access points get the same patching discipline as workstations.
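Firmware lifecycle tracking of the kind described above comes down to two questions per device: is the running version below the minimum fixed release, and how long since firmware was last applied? The script below is an added example written for this article, not a Ubiquiti tool or a controller feature. The device inventory, the baseline version numbers and the dates are constructed for illustration; the page gives no fixed version numbers, so the real baseline must be taken from Ubiquiti's release notes. The 180-day threshold reflects the "more than six months old" guidance given earlier in the article.

```python
"""Firmware inventory audit: flag devices below a fixed baseline or not updated recently."""
import re
from dataclasses import dataclass
from datetime import date

STALE_AFTER_DAYS = 180   # "more than six months old" taken as 180 days


@dataclass(frozen=True)
class Device:
    name: str
    role: str          # e.g. "camera", "nvr", "ap", "switch"
    version: str       # firmware version string as reported by the controller
    last_update: date  # when firmware was last applied


def parse_version(v: str) -> tuple:
    """'v4.70.5' -> (4, 70, 5). Parsing stops at the first non-numeric
    component, so '4.70.5-rc1' compares as (4, 70, 5)."""
    parts = []
    for piece in v.strip().lstrip("vV").split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def version_lt(a: str, b: str) -> bool:
    """True if version a is strictly below b; '4.80' equals '4.80.0'."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    return ta + (0,) * (n - len(ta)) < tb + (0,) * (n - len(tb))


def audit_inventory(devices, baseline: dict, today: date) -> dict:
    """Map device name -> list of finding codes. Devices with no findings are
    omitted. Codes: 'no_baseline' (role has no minimum version defined, so it
    cannot be judged), 'below_minimum', 'stale'."""
    findings = {}
    for d in devices:
        codes = []
        required = baseline.get(d.role)
        if required is None:
            codes.append("no_baseline")
        elif version_lt(d.version, required):
            codes.append("below_minimum")
        if (today - d.last_update).days > STALE_AFTER_DAYS:
            codes.append("stale")
        if codes:
            findings[d.name] = codes
    return findings


# Constructed baseline: NOT real Ubiquiti release numbers. Take the minimum
# fixed versions from the vendor's advisory and release notes.
SAMPLE_BASELINE = {"camera": "4.80.0", "nvr": "5.2.0"}

# Constructed inventory as a controller export might present it.
SAMPLE_DEVICES = [
    Device("cam-lobby", "camera", "4.80.2", date(2025, 5, 20)),
    Device("cam-warehouse", "camera", "v4.71.10", date(2024, 3, 2)),
    Device("cam-dock", "camera", "4.80", date(2025, 1, 10)),
    Device("nvr-main", "nvr", "5.2.0", date(2024, 11, 1)),
    Device("ap-office", "ap", "6.6.55", date(2024, 1, 15)),
]
SAMPLE_TODAY = date(2025, 6, 1)


def run_sample() -> dict:
    return audit_inventory(SAMPLE_DEVICES, SAMPLE_BASELINE, SAMPLE_TODAY)


if __name__ == "__main__":
    for name, codes in run_sample().items():
        print(f"{name}: {', '.join(codes)}")
```

A device reported as `no_baseline` is itself a process gap: the access point here has no minimum version defined, which is exactly how firmware on "deployed and forgotten" devices escapes tracking. Extending `SAMPLE_BASELINE` to every device role in the environment is the first step in the program the paragraph above describes.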
The pattern here is the same one we see with VPN gateway vulnerabilities and firewall zero-days: network infrastructure devices that sit outside normal patching workflows become the entry point. The fix is not just patching this one CVE. The fix is building a process that ensures firmware updates on every device in your environment are tracked, tested, and applied consistently.
Need Help Securing Your Network Infrastructure?
Our team can audit your UniFi environment, verify firmware versions, segment your camera network, and build a firmware patching process that covers every device.
Checklist
- Update all UniFi Protect camera firmware to the latest version through your UniFi controller
- Update the UniFi Protect Application (NVR software) to the latest version
- Disable UPnP on your firewall to prevent automatic port forwarding
- Remove any port forwarding rules that expose cameras or the UniFi Protect application to the internet
- Create a dedicated camera VLAN with firewall rules restricting camera traffic to the NVR only
- Review controller and firewall logs for signs of unauthorized access or unusual outbound traffic from camera IPs
- Establish a firmware update schedule for all network devices, not just endpoints
If you need help assessing your Ubiquiti environment or want to verify your network segmentation is effective, contact our team at 800-985-1365. We provide managed security services and network monitoring for businesses across Texas and Oklahoma.
Serving Businesses Across Texas & Oklahoma