CVE-2014-2225: 
Ubiquiti UniFi vulnerability analysis and mitigation

CVE-2014-2225 is a Cross-site Request Forgery (CSRF) vulnerability affecting multiple Ubiquiti Networks products including UniFi Controller v2.4.6, mFi Controller v2.0.15, and AirVision Controller v2.1.3. The vulnerability was discovered and reported in February 2014 by security researcher Seth Art (Sethsec Blog, Full Disclosure).

The vulnerability allows an unauthenticated attacker to send malicious hyperlinks to authenticated administrators. When clicked, these links can force administrators to perform unauthorized actions without their knowledge. The most severe impact allows attackers to create additional administrator accounts. The vulnerability exists due to the absence of non-predictable nonces in various API endpoints, including /api/add/admin, /api/set/setting/guest_access, and multiple other administrative functions (Sethsec Blog).

An attacker can exploit this vulnerability to perform administrative actions on behalf of authenticated users, including creating new administrator accounts, configuring system settings, and modifying server configurations. Once a new admin account is created, the attacker can gain full administrative access to the affected systems if they have network access to the controller (Sethsec Blog).

Users should upgrade to the following patched versions: UniFi Controller v3.2.1 or greater, mFi Controller v2.0.24 or greater, and UniFi Video v3.0.1 or greater (formerly AirVision). Note that AirVision Controller was renamed to UniFi Video in the fixed version (Full Disclosure).