CVE-2019-25652

Summary

UniFi Network Controller before version 5.10.22 and 5.11.x before 5.11.18 contains an improper certificate verification vulnerability that allows adjacent network attackers to conduct man-in-the-middle attacks by presenting a false SSL certificate during SMTP connections. Attackers can intercept SMTP traffic and obtain credentials by exploiting the insecure SSL host verification mechanism in the SMTP certificate validation process.

Affected Software

VendorProductVersion RangeStatus
UbiquitiUniFi Network Controller0 < 5.6.42affected
UbiquitiUniFi Network Controller5.6.43 < 5.10.22affected
UbiquitiUniFi Network Controller5.11 < 5.11.18affected

Weaknesses

  • CWE-295: CWE-295 Improper Certificate Validation

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References