
Flaw Possibly Affecting 500,000 Ubiquiti Devices Exploited in the Wild

Nearly half a million Ubiquiti devices may be affected by a vulnerability that has already been exploited in the wild, security experts warned last week.


Jim Troutman, consultant and director of the Northern New England Neutral Internet Exchange (NNENIX), revealed last week on Twitter that hackers had been remotely targeting Ubiquiti networking devices exposed via a discovery service accessible on UDP port 10001.

Troutman said attackers had been launching denial-of-service (DoS) attacks that caused a device’s management features to become unavailable. He also warned that it’s possible to exploit the flaw for weak distributed DoS (DDoS) attacks.

The issue has been discussed on Ubiquiti forums since at least last summer, and Rapid7 has seen traffic destined for port 10001 for more than a year. Ubiquiti, however, appears to have acknowledged the weakness and alerted users only after Troutman’s warning on Twitter.

The vendor says it is working on a firmware update that should address the problem. In the meantime, it has advised users to block UDP port 10001 at the network perimeter as a temporary workaround.

Interestingly, the company told customers that the flaw cannot be exploited to “create a DDoS attack.” It also told users that the vulnerability does not allow an attacker to gain control of devices.

However, Troutman, who says Ubiquiti’s suggested workaround could disrupt some services, claims to have seen DDoS amplification attacks, albeit with a fairly small amplification factor (“56 bytes in, 206 bytes out”, roughly 3.7x). He is also not convinced that the flaw cannot be used to remotely compromise devices.


Rapid7 researchers have also monitored these attacks and warned that the problematic service could have other management capabilities either “baked in or nearby.” As for the possibility of DDoS attacks, Rapid7’s Jon Hart noted in a blog post that UDP amplification vulnerabilities can typically allow attacks with an amplification rate that reaches up to 30-35X.
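The two abuse patterns described above, a flood that knocks out a device’s management features and reflection that bounces replies at a spoofed victim, look different in flow telemetry. The following is an added example (not code from the article, Troutman or Rapid7) that runs over constructed flow records: it sums, per external peer, the bytes sent to and returned from UDP/10001 on an assumed internal range (198.51.100.0/24), computes the amplification factor, and labels each peer. The record format, the address ranges and the 3-packet threshold are assumptions.

```python
"""Spot abuse of the Ubiquiti discovery service (UDP/10001) in flow records.

Added example, not from the article or from Rapid7. Works on constructed
records in a whitespace format (timestamp, src, sport, dst, dport, proto,
packets, bytes); adapt parse_flow() to your collector's export.
"""
from collections import defaultdict
from typing import Dict, Iterable, NamedTuple

UBNT_DISCOVERY_PORT = 10001
INTERNAL_PREFIX = "198.51.100."   # assumed address range of the exposed devices
REPORTED_AMP = 206 / 56           # Troutman: "56 bytes in, 206 bytes out"
TYPICAL_UDP_AMP = 30.0            # low end of the 30-35x figure Rapid7 cited


class Flow(NamedTuple):
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    packets: int
    octets: int


# Constructed sample flows. 203.0.113.5 is a (spoofed) reflection victim: every
# 56-byte probe draws a 206-byte reply from a different device. 203.0.113.77 is
# hammering one device's discovery port far faster than it answers (the DoS
# Troutman described). 192.0.2.9 sends a single probe, as an Internet scanner would.
SAMPLE_FLOWS = """\
2019-02-01T10:00:01Z 203.0.113.5 40000 198.51.100.10 10001 UDP 1 56
2019-02-01T10:00:01Z 198.51.100.10 10001 203.0.113.5 40000 UDP 1 206
2019-02-01T10:00:02Z 203.0.113.5 40000 198.51.100.11 10001 UDP 1 56
2019-02-01T10:00:02Z 198.51.100.11 10001 203.0.113.5 40000 UDP 1 206
2019-02-01T10:00:03Z 203.0.113.5 40000 198.51.100.12 10001 UDP 1 56
2019-02-01T10:00:03Z 198.51.100.12 10001 203.0.113.5 40000 UDP 1 206
2019-02-01T10:00:05Z 203.0.113.77 44444 198.51.100.20 10001 UDP 500 28000
2019-02-01T10:00:05Z 198.51.100.20 10001 203.0.113.77 44444 UDP 10 2060
2019-02-01T10:00:09Z 192.0.2.9 61000 198.51.100.30 10001 UDP 1 56
2019-02-01T10:00:09Z 198.51.100.30 10001 192.0.2.9 61000 UDP 1 206
"""


def parse_flow(line: str) -> Flow:
    ts, src, sport, dst, dport, proto, packets, octets = line.split()
    return Flow(ts, src, int(sport), dst, int(dport), proto, int(packets), int(octets))


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


def discovery_stats(flows: Iterable[Flow]) -> Dict[str, Dict[str, int]]:
    """Per external peer: probes sent to, and replies received from, UDP/10001."""
    stats: Dict[str, Dict[str, int]] = defaultdict(
        lambda: {"in_pkts": 0, "in_bytes": 0, "out_pkts": 0, "out_bytes": 0})
    for f in flows:
        if f.proto != "UDP":
            continue
        if f.dport == UBNT_DISCOVERY_PORT and is_internal(f.dst) and not is_internal(f.src):
            s = stats[f.src]
            s["in_pkts"] += f.packets
            s["in_bytes"] += f.octets
        elif f.sport == UBNT_DISCOVERY_PORT and is_internal(f.src) and not is_internal(f.dst):
            s = stats[f.dst]
            s["out_pkts"] += f.packets
            s["out_bytes"] += f.octets
    return stats


def amplification_factor(s: Dict[str, int]) -> float:
    """Bytes our devices sent to the peer per byte the peer sent us."""
    return s["out_bytes"] / s["in_bytes"] if s["in_bytes"] else 0.0


def classify(stats: Dict[str, Dict[str, int]], min_pkts: int = 3) -> Dict[str, str]:
    """Label peers that exchanged at least min_pkts probes with a discovery port."""
    findings: Dict[str, str] = {}
    for peer, s in stats.items():
        if s["in_pkts"] < min_pkts:
            continue  # a one-off probe is a scanner, not an attack
        amp = amplification_factor(s)
        if amp > 1.0:
            # The peer receives more than it sends: most likely a spoofed source,
            # i.e. the victim of traffic reflected off our devices.
            findings[peer] = f"reflection victim, {amp:.2f}x amplification"
        else:
            findings[peer] = (f"flood toward discovery service, "
                              f"{s['in_pkts']} probes, {s['out_pkts']} replies")
    return findings


def analyse(text: str = SAMPLE_FLOWS) -> Dict[str, str]:
    return classify(discovery_stats(parse_flow(l) for l in text.splitlines() if l.strip()))


if __name__ == "__main__":
    for peer, verdict in analyse().items():
        print(f"{peer:15} {verdict}")
    print(f"reported factor {REPORTED_AMP:.2f}x vs typical UDP amplifier {TYPICAL_UDP_AMP:.0f}x")
```

The factor is computed per peer rather than per device because, in a reflection attack, the same spoofed victim address shows up at many of your devices at once; a single device’s counters would look unremarkable. The single-probe scanner is deliberately dropped so that Sonar-style research scans do not page anyone.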

An Internet scan conducted using Rapid7’s Sonar project revealed roughly 490,000 unique devices accessible on UDP port 10001. More than half are located in Brazil, but significant numbers have also been identified in the United States, Spain and other countries.

Figure: location of exposed Ubiquiti devices (Rapid7 Sonar scan)

A majority of the exposed Ubiquiti devices are NanoStation (172,000), AirGrid (131,000), LiteBeam (43,000), PowerBeam (40,000), and NanoBeam (21,000) products.

The names of some 17,000 of these devices contain the string “HACKED-ROUTER-HELP-SOS”, suggesting they have already been hacked via other vulnerabilities. This is not surprising, as Rapid7 says most of the discovered devices run outdated firmware.
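Device names, models and firmware versions such as those counted above are exactly what the discovery service hands out to anyone who asks. The following is an added example (not code from the article, Rapid7 or Ubiquiti) that sends the 4-byte v1 discovery probe and decodes the reply. The wire format it assumes (version byte, command byte, big-endian body length, then type/length/value records with the type numbers below) follows public protocol dissectors and is not described on this page; the sample reply is constructed, and the firmware string in it is made up.

```python
"""Probe and parse the Ubiquiti v1 discovery service on UDP/10001.

Added example; not code from the article, Rapid7 or Ubiquiti. The TLV layout
and type numbers are assumed from public dissectors. SAMPLE_RESPONSE is constructed.
"""
import socket
import struct
from typing import Any, Dict, List, Tuple

UBNT_DISCOVERY_PORT = 10001
DISCOVERY_PROBE = b"\x01\x00\x00\x00"   # version 1, command 0, empty body

# TLV types (assumption, from public dissectors)
TLV_HWADDR = 0x01      # 6-byte MAC
TLV_IPINFO = 0x02      # 6-byte MAC + 4-byte IPv4, may repeat per interface
TLV_FWVERSION = 0x03   # firmware version string
TLV_UPTIME = 0x0A      # uint32 seconds
TLV_HOSTNAME = 0x0B
TLV_PLATFORM = 0x0C    # product name, e.g. the NanoStation/AirGrid models counted above
TEXT_TLVS = {TLV_FWVERSION: "firmware", TLV_HOSTNAME: "hostname", TLV_PLATFORM: "platform"}

COMPROMISE_MARKER = "HACKED-ROUTER-HELP-SOS"


def build_response(fields: List[Tuple[int, bytes]]) -> bytes:
    """Encode a v1 discovery reply; used here only to construct test data."""
    body = b"".join(struct.pack("!BH", t, len(v)) + v for t, v in fields)
    return struct.pack("!BBH", 0x01, 0x00, len(body)) + body


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_response(pkt: bytes) -> Dict[str, Any]:
    """Decode a discovery reply into a dict; raises ValueError on malformed input."""
    if len(pkt) < 4:
        raise ValueError("short header")
    version, _cmd, length = struct.unpack("!BBH", pkt[:4])
    if version != 1:
        raise ValueError(f"unsupported version {version}")
    body = pkt[4:4 + length]
    if len(body) != length:
        raise ValueError("body truncated")
    info: Dict[str, Any] = {"ipinfo": [], "unknown": {}}
    off = 0
    while off + 3 <= len(body):
        t, tlv_len = struct.unpack("!BH", body[off:off + 3])
        off += 3
        value = body[off:off + tlv_len]
        if len(value) != tlv_len:
            raise ValueError(f"TLV 0x{t:02x} truncated")
        off += tlv_len
        if t == TLV_HWADDR and tlv_len == 6:
            info["hwaddr"] = _mac(value)
        elif t == TLV_IPINFO and tlv_len == 10:
            info["ipinfo"].append((_mac(value[:6]), ".".join(str(b) for b in value[6:])))
        elif t == TLV_UPTIME and tlv_len == 4:
            info["uptime_s"] = struct.unpack("!I", value)[0]
        elif t in TEXT_TLVS:
            info[TEXT_TLVS[t]] = value.decode("utf-8", errors="replace")
        else:
            info["unknown"][t] = value.hex()  # keep raw; unknown records are worth a look
    if off != len(body):
        raise ValueError("trailing bytes after last TLV")
    return info


def looks_compromised(info: Dict[str, Any]) -> bool:
    return COMPROMISE_MARKER in info.get("hostname", "")


def payload_amplification(response: bytes) -> float:
    """Reply bytes per probe byte at the UDP payload level. The article's 56/206
    figures presumably count on-the-wire bytes, headers included, so they differ."""
    return len(response) / len(DISCOVERY_PROBE)


def probe(host: str, timeout: float = 2.0) -> Dict[str, Any]:
    """Send one discovery probe to a host you are authorised to test."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(DISCOVERY_PROBE, (host, UBNT_DISCOVERY_PORT))
        data, _ = s.recvfrom(2048)
    return parse_response(data)


# Constructed reply from a device carrying the marker Rapid7 saw in hostnames.
SAMPLE_RESPONSE = build_response([
    (TLV_HWADDR, bytes.fromhex("001122334455")),
    (TLV_IPINFO, bytes.fromhex("001122334455") + bytes([192, 0, 2, 10])),
    (TLV_FWVERSION, b"XW.v5.6.9"),          # made-up version string
    (TLV_UPTIME, struct.pack("!I", 86400)),
    (TLV_HOSTNAME, COMPROMISE_MARKER.encode()),
    (TLV_PLATFORM, b"NanoStation M5"),
    (0x7F, b"\x01\x02"),                    # unknown type, kept raw
])

if __name__ == "__main__":
    details = parse_response(SAMPLE_RESPONSE)
    print(details)
    print("compromise marker:", looks_compromised(details))
    print(f"payload amplification: {payload_amplification(SAMPLE_RESPONSE):.1f}x")
```

`probe()` is the only part that touches the network; run it against a device you own to confirm that the perimeter block on UDP port 10001 actually stops the reply from outside. The parser refuses truncated bodies and TLVs rather than guessing, and keeps records it does not recognise so that any additional capabilities “baked in or nearby” show up rather than being silently discarded.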

Related: Worm Infects Many Ubiquiti Devices via Old Vulnerability

Related: Critical Flaw Exposes Many Ubiquiti Devices to Attacks

Related: Flaw Allows Hackers to Find Ubiquiti Devices Exposed to Web

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
