UniFi Network Controller Improper Certificate Validation Leading to Credential Theft via MITM
Summary
UniFi Network Controller before version 5.10.22 and 5.11.x before 5.11.18 contains an improper certificate verification vulnerability that allows adjacent network attackers to conduct man-in-the-middle attacks by presenting a false SSL certificate during SMTP connections. Attackers can intercept SMTP traffic and obtain credentials by exploiting the insecure SSL host verification mechanism in the SMTP certificate validation process.
What this means
In plain English
UniFi Network Controller before version 5.10.22 and 5.11.x before 5.11.18 contains an improper certificate verification vulnerability that allows adjacent network attackers to conduct man-in-the-middle attacks by presenting a false SSL certificate during SMTP connections. Attackers can intercept SMTP traffic and obtain credentials by exploiting the insecure SSL host verification mechanism in the SMTP certificate validation process.
Vulnerable items
- UniFi Network Controller — UniFi Network Controller is a Ubiquiti management component used to administer connected systems or services.
Recommended action
Primary action: update to a vendor-listed fixed release: 5.6.42, 5.10.22, 5.11.18.
Rewritten locally from the scraped official advisory data above; no generative API is used. The vendor advisory is authoritative.
- UniFi Network Controller before 5.6.42
- UniFi Network Controller 5.6.43 before 5.10.22
- UniFi Network Controller 5.11 before 5.11.18
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
- 5.6.42
- 5.10.22
- 5.11.18
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
Mitigation
Upgrade to a fixed release: 5.6.42, 5.10.22, 5.11.18. That is the remediation for this advisory.
The vendor advisory may list additional interim mitigations or workarounds not captured here — review it before change work.
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.