News & Events

Security Alert: Ubiquiti Networks airMAX malware in the wild.

Over the weekend a security issue emerged with Ubiquiti Networks airMAX radios running unpatched firmware from last year that is vulnerable to an HTTP/HTTPS authentication bypass. This has turned nasty for some networks, as several malware variants have emerged that specifically target these unpatched radios when they are too easily reachable from the internet.

Details are available in the UBNT community thread here: http://community.ubnt.com/t5/airMAX-General-Discussion/Virus-attack-URGENT-UBNT/td-p/1562940

With specific troubleshooting steps in the post here: http://community.ubnt.com/t5/airMAX-General-Discussion/Virus-attack-URGENT-UBNT/m-p/1563869#M55108

Devices that are directly reachable from the internet (for example via port forwards), or that are not placed within a private management network, are vulnerable.

If you have a device running a firmware revision lower than the versions listed below, upgrade it to the latest stable firmware as soon as possible:

  • airMAX M

    • 5.5.11 XM/TI
    • 5.5.10u2 XM
    • 5.6.2+ XM/XW/TI

  • airMAX AC

    • 7.1.3+

  • ToughSwitch

    • 1.3.2

  • airGateway

    • 1.1.5+

  • airFiber

    • 2.2.1+ AF24/AF24HD
    • 3.0.2.1+ AF5x
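To check a fleet against the list above, the following added example (not Ubiquiti's code or a tool from the linked threads) encodes the minimum fixed versions per platform and flags devices that still need an upgrade. It assumes that "+" entries are open-ended (that version or anything newer is fixed) and that entries without "+" only cover their own major.minor branch, so 5.5.11 says nothing about 5.6.0; the "u2" suffix is treated as an update release that sorts after the plain version.

```python
import re

# Minimum fixed firmware per platform, transcribed from the advisory's list.
# True marks a "+" entry (open-ended); False marks a branch-bound entry
# (assumption: it covers only its own major.minor branch).
FIXED = {
    "XM": [("5.5.11", False), ("5.5.10u2", False), ("5.6.2", True)],
    "TI": [("5.5.11", False), ("5.6.2", True)],
    "XW": [("5.6.2", True)],
    "AC": [("7.1.3", True)],
    "ToughSwitch": [("1.3.2", False)],
    "airGateway": [("1.1.5", True)],
    "AF24": [("2.2.1", True)], "AF24HD": [("2.2.1", True)],
    "AF5x": [("3.0.2.1", True)],
}

_VER = re.compile(r"^(\d+(?:\.\d+)*)(?:u(\d+))?$")

def parse_version(text):
    """'5.5.10u2' -> ((5, 5, 10), 2); the 'u' suffix is an update release."""
    m = _VER.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    nums = tuple(int(n) for n in m.group(1).split("."))
    return nums, int(m.group(2) or 0)

def _at_least(have, want):
    """True if have >= want; shorter numeric tuples are zero-padded."""
    width = max(len(have[0]), len(want[0]))
    def pad(v):
        return (v[0] + (0,) * (width - len(v[0])), v[1])
    return pad(have) >= pad(want)

def is_fixed(platform, version):
    """Return True if a device of this platform runs fixed firmware."""
    have = parse_version(version)
    for fixed, open_ended in FIXED[platform]:
        want = parse_version(fixed)
        same_branch = have[0][:2] == want[0][:2]
        if _at_least(have, want) and (open_ended or same_branch):
            return True
    return False

def audit(inventory):
    """inventory: list of (hostname, platform, version) -> hosts to upgrade."""
    return [host for host, plat, ver in inventory if not is_fixed(plat, ver)]

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = [("ap-01", "XM", "5.5.10"), ("ap-02", "XM", "5.5.10u2"),
          ("ap-03", "XW", "5.6.1"), ("bh-01", "AF5x", "3.0.2"),
          ("sw-01", "ToughSwitch", "1.3.2"), ("ac-01", "AC", "7.2.0")]
```

Running `audit(SAMPLE)` reports ap-01, ap-03 and bh-01 as still needing an upgrade.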

If you have been affected by the malware referenced in the linked posts, Ubiquiti has released a removal tool.

More generally, network security principles should be applied to any device you install for your customers:

  • Always change default passwords: there are many databases online that let malicious actors look up the default passwords for just about all vendor equipment, from photocopiers to APs to NVRs.
  • Place sensitive devices in a private management VLAN or subnet and restrict access with a firewall to a few select admin-only IP addresses, rather than allowing them to be reached from every location on your network.
  • If you require remote access to a customer site, a VPN connection to a firewall is more secure than port forward rules: the attack surface is then a single firewall device rather than the many forwarded devices (with all the combinations of firmware and bugs that entails).