CVE-2021-22957
📋 TL;DR
A Cross-Origin Resource Sharing (CORS) vulnerability in the UniFi Protect application allows attackers to perform cross-origin attacks when a privileged user visits a malicious URL. This can lead to account takeover of the privileged user. Affects UniFi Protect application versions 1.19.2 and earlier.
💻 Affected Systems
- UniFi Protect application
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of privileged user accounts, potentially leading to full administrative control over UniFi Protect systems and connected devices.
Likely Case
Account takeover of administrators or privileged users who access malicious links, enabling attackers to modify configurations, access video feeds, or disrupt operations.
If Mitigated
Limited impact if proper access controls, network segmentation, and user awareness training prevent privileged users from accessing malicious URLs.
🎯 Exploit Status
Exploitation requires social engineering to trick privileged users into visiting malicious URLs. The technical exploit itself is straightforward once user interaction is achieved.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 1.20.0 and later
Vendor Advisory: https://community.ui.com/releases/Security-Advisory-Bulletin-021-021/62bd8841-6603-4fee-9dba-73037148f173
Restart Required: Yes
Instructions:
1. Back up the current configuration.
2. Download UniFi Protect Version 1.20.0 or later from official UI sources.
3. Install the update following vendor documentation.
4. Restart the UniFi Protect service or host system.
5. Verify the update was successful.
🔧 Temporary Workarounds
Network Segmentation
Isolate the UniFi Protect management interface from user networks and restrict access to trusted IPs only.
User Awareness Training
Train privileged users to avoid clicking unknown links and to verify URL sources before accessing management interfaces.
🧯 If You Can't Patch
- Implement strict network access controls to limit UniFi Protect management interface access to specific trusted IP addresses only.
- Use browser security extensions or configurations that block cross-origin requests and enforce same-origin policies.
🔍 How to Verify
Check if Vulnerable:
Check UniFi Protect application version in the web interface under Settings > System > About. If version is 1.19.2 or earlier, the system is vulnerable.
Check Version:
Check via UniFi Protect web interface: Settings > System > About
Verify Fix Applied:
After updating, verify the version shows 1.20.0 or later in the web interface. Test that the application functions normally and review logs for any errors.
📡 Detection & Monitoring
Log Indicators:
- Unusual cross-origin requests in web server logs
- Multiple failed authentication attempts from unexpected origins
- Configuration changes from unfamiliar IP addresses
Network Indicators:
- Unexpected cross-origin HTTP requests to UniFi Protect API endpoints
- Traffic patterns suggesting credential harvesting or session hijacking
SIEM Query:
source="unifi-protect-logs" AND (http_referer CONTAINS suspicious_domain OR origin_header CONTAINS malicious_domain)
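The log check described above, as an added example that is not part of this advisory or of any Ubiquiti tooling: it flags requests whose Origin or Referer header points somewhere other than the console's own origin. The log line format, the API paths and the hostnames are constructed assumptions, not UniFi Protect's real format.

```python
import re
from urllib.parse import urlsplit

# Constructed log format (assumption, not UniFi Protect's actual log format):
# <client_ip> "<METHOD> <path> HTTP/1.1" <status> origin="<Origin>" referer="<Referer>"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) '
    r'origin="(?P<origin>[^"]*)" referer="(?P<referer>[^"]*)"$'
)

# Constructed sample lines; hostnames and paths are placeholders.
SAMPLE_LOG = """\
10.0.0.5 "GET /api/cameras HTTP/1.1" 200 origin="https://protect.example.internal" referer="https://protect.example.internal/dashboard"
10.0.0.5 "POST /api/users HTTP/1.1" 200 origin="https://evil.example" referer="https://evil.example/page.html"
10.0.0.7 "GET /api/events HTTP/1.1" 200 origin="-" referer="-"
10.0.0.9 "GET /api/auth HTTP/1.1" 401 origin="https://attacker.example" referer="-"
"""


def host_of(url: str) -> str:
    """Reduce a URL to its lower-cased scheme://host; '' when the header was absent ('-')."""
    if url in ("", "-"):
        return ""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def find_cross_origin_requests(log_text: str, console_origin: str) -> list[dict]:
    """Return parsed records whose Origin or Referer is neither empty nor the console's own origin."""
    trusted = console_origin.lower()
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        rec = m.groupdict()
        foreign = {host_of(rec["origin"]), host_of(rec["referer"])} - {"", trusted}
        if foreign:
            rec["foreign_origins"] = sorted(foreign)
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for hit in find_cross_origin_requests(SAMPLE_LOG, "https://protect.example.internal"):
        print(f'{hit["ip"]} {hit["method"]} {hit["path"]} {hit["status"]} <- {hit["foreign_origins"]}')
```

A single flagged request is not proof of exploitation; correlate the flagged client IP and time with configuration changes or authentication events before escalating.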