Description

UniFi Network Controller before version 5.10.22 and 5.11.x before 5.11.18 contains an improper certificate verification vulnerability that allows adjacent network attackers to conduct man-in-the-middle attacks by presenting a false SSL certificate during SMTP connections. Attackers can intercept SMTP traffic and obtain credentials by exploiting the insecure SSL host verification mechanism in the SMTP certificate validation process.

PUBLISHED Reserved 2026-03-26 | Published 2026-03-27 | Updated 2026-05-25 | Assigner VulnCheck




HIGH: 7.7 (CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)

HIGH: 7.5 (CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

Problem types

CWE-295 Improper Certificate Validation

Product status

Default status: unaffected

Any version before 5.6.42: affected

5.6.43 (semver) before 5.10.22: affected

5.11 (custom) before 5.11.18: affected

References

community.ui.com/...003/982bbaa8-2a07-4f81-a5f6-0bb84753f391 vendor-advisory

www.vulncheck.com/...on-leading-to-credential-theft-via-mitm third-party-advisory

cve.org (CVE-2019-25652)

nvd.nist.gov (CVE-2019-25652)