Security Advisory: UniFi Vulnerability


Security Advisory: UniFi Access Points and Switches Vulnerability (CVE-2023-38034)

A newly disclosed vulnerability, tracked as CVE-2023-38034, affects the DHCP client function of UniFi Access Points and Switches. This advisory outlines what the flaw is, what it means for affected devices, and the steps needed to remediate it.


Insight into CVE-2023-38034

The DHCP client function in UniFi Access Points and Switches contains a command injection vulnerability, identified as CVE-2023-38034. Because the flaw sits in the code that processes the DHCP responses the device receives, it can be triggered by an attacker positioned on the network where the device obtains its address (for example, by operating a rogue DHCP server there). A successful injection lets the attacker run arbitrary commands on the device itself, giving Remote Code Execution (RCE) on the access point or switch.


Affected Products

This vulnerability affects the following UniFi devices:

  • UniFi Access Points running version 6.5.53 and earlier
  • UniFi Switches running version 6.5.32 and earlier, excluding the USW Flex Mini model

Operators of these devices should identify every unit running an affected firmware version and apply the updates listed below.


Potential Threats

Successful exploitation of CVE-2023-38034 gives an attacker arbitrary code execution on the access point or switch. Because these devices forward the network's traffic, a compromised unit can be used to intercept or redirect that traffic, to reach other systems on the network, and to keep a foothold that survives the cleanup of individual endpoints.

The resulting risks therefore range from exposure of confidential data in transit to wider compromise of the network the device serves.


Counteracting the Vulnerability

Fixed firmware is available. Update affected devices as follows:

  • UniFi Access Points: update to version 6.5.62 or later.
  • UniFi Switches: update to version 6.5.59 or later.


Apply these updates promptly: until a device runs a fixed version it remains exploitable by anyone who can reach it on its local network segment. After updating, confirm the firmware version actually running on each device rather than relying on a scheduled-upgrade status alone.
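As an added example (not part of Flotek's or Ubiquiti's advisory), the following Python script applies the version thresholds above to a device inventory so that the affected list and the fix versions can be checked mechanically rather than by eye. The inventory rows, the model names, and the way the USW Flex Mini is recognised (by normalising the model string) are constructed assumptions for illustration; the version comparison uses the advisory's three-component versions and reports any release between the last affected and the first fixed version as "unknown", because the advisory does not speak to those builds.

```python
"""Triage UniFi firmware versions against the CVE-2023-38034 advisory thresholds.

Added example: the thresholds come from the advisory text; the inventory rows,
model names and the model-normalisation rule are constructed assumptions.
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# (last affected version, first fixed version) per device class, per the advisory.
THRESHOLDS: Dict[str, Tuple[Version, Version]] = {
    "ap": ((6, 5, 53), (6, 5, 62)),      # UniFi Access Points
    "switch": ((6, 5, 32), (6, 5, 59)),  # UniFi Switches
}

# The advisory excludes the USW Flex Mini from the switch scope. Assumption: we
# recognise it by normalising the model string (case, spaces, hyphens, underscores).
EXCLUDED_SWITCH_MODELS = {"uswflexmini"}


def normalise_model(model: str) -> str:
    """Lower-case a model name and drop separators so 'USW Flex Mini' == 'USW-Flex-Mini'."""
    return re.sub(r"[\s\-_]", "", model).lower()


def parse_version(text: str) -> Version:
    """Parse a dotted firmware version such as '6.5.53' or '6.5.53.13928'.

    An optional leading 'v' is accepted. Anything else raises, so a blank or
    malformed version is surfaced rather than silently treated as patched.
    """
    match = re.fullmatch(r"v?(\d+(?:\.\d+)*)", text.strip())
    if not match:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def triage(device_class: str, model: str, version: str) -> str:
    """Classify one device as vulnerable, patched, out-of-scope or unknown.

    Only the first three version components are compared, because the advisory
    states its thresholds at that granularity; a trailing build number is ignored.
    Releases between the last affected and the first fixed version are reported
    as 'unknown' because the advisory does not cover them.
    """
    if device_class not in THRESHOLDS:
        raise ValueError(f"device class must be one of {sorted(THRESHOLDS)}, got {device_class!r}")
    if device_class == "switch" and normalise_model(model) in EXCLUDED_SWITCH_MODELS:
        return "out-of-scope"
    last_affected, first_fixed = THRESHOLDS[device_class]
    current = parse_version(version)[:3]
    if current >= first_fixed:
        return "patched"
    if current <= last_affected:
        return "vulnerable"
    return "unknown"


def triage_inventory(rows: List[Tuple[str, str, str, str]]) -> Dict[str, List[str]]:
    """Group device names by triage status. Rows are (name, device_class, model, version)."""
    result: Dict[str, List[str]] = {"vulnerable": [], "patched": [], "out-of-scope": [], "unknown": []}
    for name, device_class, model, version in rows:
        result[triage(device_class, model, version)].append(name)
    return result


# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = [
    ("ap-lobby",     "ap",     "U6-Lite",        "6.5.53.13928"),
    ("ap-office-1",  "ap",     "U6-Pro",         "6.5.62"),
    ("ap-office-2",  "ap",     "U6-Lite",        "6.5.55"),
    ("sw-core",      "switch", "USW-Pro-24-PoE", "v6.5.32"),
    ("sw-desk-flex", "switch", "USW Flex Mini",  "6.5.32"),
    ("sw-edge",      "switch", "USW-Lite-8-PoE", "6.5.59"),
]

if __name__ == "__main__":
    for status, names in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{status:>12}: {', '.join(names) or '-'}")
```

Run on its own, the script prints the grouped sample inventory; in practice the rows would be fed from wherever the device inventory is kept. The deliberate "unknown" bucket is the caveat worth keeping: a device on a build the advisory does not mention should be verified against the manufacturer's release notes, not assumed safe.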


For further manufacturer advisory information please visit:

Flotek Response for customers

All managed support customers with Flotek Group cloud-controlled access points are in the process of being patched outside of working hours; we will contact all customers to confirm when this work has been completed.

If your access points are not cloud-controlled by Flotek, please get in touch with your account manager to discuss your options separately.
