Critical SQL Injection Vulnerability in UISP Application

SQL Injection in UISP

 CVE-2025-24290 is a critical security vulnerability classified as Multiple Authenticated SQL Injection flaws in the UISP Application (version 2.4.206 and earlier) developed by Ubiquiti Inc. These vulnerabilities allow a malicious actor with low privileges—meaning even users with minimal access—to escalate their privileges significantly within the system.

What is the Vulnerability?

SQL Injection (SQLi) vulnerabilities occur when an application improperly sanitizes user inputs that are used in SQL queries, allowing attackers to manipulate the database queries executed by the application. In this case, the UISP Application contains multiple such injection points that require authentication but can be exploited by users with low-level access to gain unauthorized higher privileges.

Impact and Severity

  • Base Score: 9.9 (CRITICAL)
  • Impact: Allows attackers to escalate privileges, potentially gaining administrative or root-level access.
  • Scope: Changed — the attack can affect resources beyond the initially compromised component.
  • Attack Vector: Network-based, requiring authentication but low privileges.
  • User Interaction: None required beyond authentication.
  • Confidentiality, Integrity, Availability: All rated high impact, meaning attackers can steal, modify, or disrupt data and system operations.

How the Exploit Works: Sample Scenario

  1. Initial Access: An attacker with a low-privilege account logs into the UISP Application.
  2. Injection: The attacker crafts malicious SQL payloads targeting vulnerable input fields or API endpoints that interact with the database.
  3. Privilege Escalation: By injecting SQL commands, the attacker manipulates database queries to bypass normal access controls, modify user roles, or extract sensitive data.
  4. Outcome: The attacker gains elevated privileges, such as administrative rights, allowing full control over the application and potentially the underlying network devices managed by UISP.

For example, if the application uses a query like:

```sql
SELECT * FROM users WHERE username = 'user_input' AND role = 'low_privilege';
```

an attacker might inject:

```sql
' OR '1'='1'; --
```

transforming the query into:

```sql
SELECT * FROM users WHERE username = '' OR '1'='1'; --' AND role = 'low_privilege';
```

whose WHERE clause is now always true and whose role condition has been commented out, so the role check is bypassed and every user row is returned, escalating privileges.
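The flaw class the page describes is string concatenation into SQL. The added example below (not code from the page or from UISP; the `users` table, its rows and the query shape are constructed for illustration) runs the page's payload against a concatenated query and against the same query with a bound parameter, so the difference in outcome can be observed directly with SQLite.

```python
import sqlite3

# Constructed sample data: a toy users table, not UISP's schema.
SAMPLE_USERS = [
    ("alice", "admin"),
    ("bob", "low_privilege"),
    ("carol", "low_privilege"),
]

# The payload quoted on the page.
INJECTION_PAYLOAD = "' OR '1'='1'; --"


def make_db():
    """Create an in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, role TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Builds the query by string concatenation: the input becomes part of the SQL text,
    so a quote in the input changes the statement's structure."""
    query = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND role = 'low_privilege'"
    )
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, username):
    """Same query with a bound parameter: the driver passes the input as a value,
    so it can never alter the statement's structure."""
    query = (
        "SELECT username, role FROM users "
        "WHERE username = ? AND role = 'low_privilege'"
    )
    return conn.execute(query, (username,)).fetchall()


def demo():
    """Run both lookups with a normal username and with the page's payload."""
    conn = make_db()
    return {
        "vulnerable_normal": lookup_vulnerable(conn, "bob"),
        "vulnerable_payload": lookup_vulnerable(conn, INJECTION_PAYLOAD),
        "parameterized_normal": lookup_parameterized(conn, "bob"),
        "parameterized_payload": lookup_parameterized(conn, INJECTION_PAYLOAD),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

With the concatenated query the payload returns every row, including the `admin` account, because the role condition has been commented out; with the bound parameter the same input matches no user at all, since it is compared literally against the `username` column. Parameterized queries are the fix for the whole vulnerability class, independent of which input field or endpoint is affected.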

Affected Versions and Mitigation

  • Affected: UISP Application versions 2.4.206 and earlier.
  • Fixed in: Version 2.4.207 and later.
  • Mitigation: Immediate upgrade to the latest UISP Application version is strongly recommended to patch these vulnerabilities.
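A practical first step in mitigation is finding every instance still below the fixed version. The added example below (not code from the page or from Ubiquiti) takes a constructed inventory of host names and reported version strings and flags the ones that are affected, using the 2.4.206 and 2.4.207 boundaries stated above. It assumes the version is reported as a dotted `major.minor.patch` triple, optionally prefixed with `v` or followed by a build suffix; that format is an assumption for the example, not something the page states about UISP.

```python
import re

# Boundaries from the advisory text above.
LAST_AFFECTED_VERSION = "2.4.206"
FIXED_VERSION = "2.4.207"

# Accepts forms like "2.4.206", "v2.4.210", "2.4.207-beta1" (format assumed for this example).
_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?")


def parse_version(text):
    """Turn a version string into an integer tuple so it compares numerically.
    Raises ValueError for anything that does not look like major.minor.patch."""
    m = _VERSION_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(version):
    """True when the version is below the fixed release (i.e. 2.4.206 or earlier)."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def triage(inventory):
    """Classify an inventory of (host, version) pairs.
    Returns a dict with the affected hosts, the patched hosts and any entries
    whose version could not be parsed and therefore need manual review."""
    result = {"affected": [], "patched": [], "unknown": []}
    for host, version in inventory:
        try:
            bucket = "affected" if is_affected(version) else "patched"
        except ValueError:
            bucket = "unknown"
        result[bucket].append(host)
    return result


# Constructed sample inventory for demonstration; not real hosts.
SAMPLE_INVENTORY = [
    ("uisp-hq", "2.4.206"),
    ("uisp-branch-1", "2.4.207"),
    ("uisp-branch-2", "v2.4.210"),
    ("uisp-lab", "2.3.300"),
    ("uisp-old", "2.4.99"),
    ("uisp-unknown", "latest"),
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {hosts}")
```

The numeric comparison matters: a plain string comparison would rank "2.4.99" above "2.4.207" and wrongly report that host as patched, which is why the example parses each component to an integer before comparing. Entries that cannot be parsed are reported separately rather than silently treated as safe.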

Why This Matters

UISP is a network management platform widely used to control Ubiquiti network devices. Exploiting these SQL injection flaws can allow attackers to:

  • Gain unauthorized access to network management controls.
  • Modify configurations or disrupt network operations.
  • Access sensitive customer or network data.
  • Establish persistent backdoors for long-term control.

Given the critical severity and ease of exploitation by low-privilege users, this vulnerability poses a significant risk to organizations relying on UISP for network management.

In summary, CVE-2025-24290 represents a critical authenticated SQL injection vulnerability in UISP Application versions 2.4.206 and earlier, enabling low-privilege attackers to escalate privileges and potentially take full control of network management systems. Immediate patching by upgrading to version 2.4.207 or later is essential to mitigate this risk.

  • https://nvd.nist.gov/
