Cybersecurity researchers from the firm Armis discovered a set of 11 vulnerabilities, collectively named Cloud-Brk, within Ubiquiti’s cloud management platform. These flaws exposed the company’s networking and Internet of Things (IoT) devices to a silent, unauthenticated remote takeover by attackers.
The attack chain demonstrated by the researchers allowed for a complete bypass of firewall protections, enabling an intruder to gain root-level access to vulnerable devices such as network switches and access points. The method did not require the attacker to be present on the local network to carry out the compromise.
The Cloud-Brk Attack Method
The core of the Cloud-Brk exploit involved chaining two vulnerabilities together, one of which was a zero-day flaw. The attack exploited weaknesses in the process Ubiquiti devices use to discover and connect to the UniFi cloud management platform. Researchers found they could impersonate either a device to the cloud or the cloud to a device.
A key flaw was identified as an “improper validation of client” on the STUN server used by the system for device discovery. By exploiting this and a subsequent path traversal bug, an attacker could push malicious firmware to a target device. This provided a direct path to gaining control and moving laterally across a corporate network, bypassing existing network segmentation.
Discovery and Remediation
The Armis research team identified the vulnerabilities and presented their detailed findings at the Black Hat USA security conference. Following responsible disclosure practices, Armis reported the security issues to Ubiquiti prior to the public announcement.
In response to the disclosure, Ubiquiti developed and released patches to remediate the Cloud-Brk vulnerabilities. The patches address the security gaps in the cloud management platform, securing the affected access points and other network devices against the demonstrated attack vectors.