Ubiquiti · Unifi Controller · CVE-2014-2225
**Name of the Vulnerable Software and Affected Versions**
UniFi Controller versions prior to 3.2.1
**Description**
The issue is a set of cross-site request forgery (CSRF) weaknesses: a remote attacker can hijack the authentication of a logged-in administrator for various requests, including creating a new admin user, changing guest settings, blocking or unblocking users, and modifying syslog settings. Specifically, the affected API endpoints are "api/add/admin" for creating a new admin user, "api/add/wlanconf" for unspecified impact, "api/set/setting/guest_access" for changing the guest password, authentication method, or restricted subnets, "api/cmd/stamgr" for blocking, unblocking, or reconnecting users by MAC address, "api/set/setting/rsyslogd" for changing the syslog server or port, "api/set/setting/smtp" for unspecified impact, "api/cmd/cfgmgr" for changing syslog server, port, or authentication settings, and "api/set/setting/identity" for changing the UniFi Controller name.
**Recommendations**
For versions prior to 3.2.1, update to version 3.2.1 or later to resolve the issue. As a temporary workaround until the update can be applied, restrict access to the affected API endpoints (for example, at a reverse proxy in front of the controller) and avoid using them for sensitive operations.
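The following is an added example, not Ubiquiti's code: a request gate, as a reverse proxy or controller-side middleware could apply it, that covers the endpoints listed above with the two standard CSRF defences (same-origin check on Origin/Referer, plus a per-session anti-CSRF token that a forged cross-site request cannot supply). The request shape, the `X-Csrf-Token` header name and the host names are assumptions for the example.

```python
from urllib.parse import urlparse

# The endpoints the advisory lists as reachable by forged cross-site requests.
AFFECTED_ENDPOINTS = {
    "api/add/admin", "api/add/wlanconf", "api/set/setting/guest_access",
    "api/cmd/stamgr", "api/set/setting/rsyslogd", "api/set/setting/smtp",
    "api/cmd/cfgmgr", "api/set/setting/identity",
}


def is_affected(path: str) -> bool:
    """True when the request path is one of the CVE-2014-2225 endpoints."""
    return path.strip("/") in AFFECTED_ENDPOINTS


def check_request(method, path, headers, session_token, controller_host):
    """Return (allowed, reason) for one request.

    Unaffected endpoints pass through untouched. For affected endpoints the
    request must be a POST (assumed to be the only legitimate method), its
    Origin or Referer must name the controller itself, and it must carry the
    session's anti-CSRF token in a custom header. A browser will not attach
    that header to a cross-site form post, and the Origin check rejects a
    cross-site XHR, so a forged request fails on at least one rule.
    """
    if not is_affected(path):
        return True, "not an affected endpoint"
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if method.upper() != "POST":
        return False, "affected endpoint accepts POST only"
    origin = h.get("origin") or h.get("referer")
    if origin is None:
        # Strict mode: no origin information at all is treated as cross-site.
        return False, "missing Origin/Referer"
    if urlparse(origin).hostname != controller_host:
        return False, "cross-site origin %s" % origin
    if h.get("x-csrf-token") != session_token:
        return False, "anti-CSRF token missing or wrong"
    return True, "same-origin request with valid token"
```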