We have recently released new versions of UAP, UAP-AC, USW, USG firmware and UniFi Network Controller that fix vulnerabilities found in 4.0.5, 3.8.16, 4.4.33, 5.10.11 and prior, as described below:
The encryption protocol between the devices and the controller was using AES-CBC, which is insecure, and with enough of these packets a decryption key could be found that allowed a malicious actor to gain control over devices on the network.
These vulnerabilities were fixed in UniFi Controller v5.10.12 using firmware version 4.0.6 for UAP/USW and 4.4.34 for USG. They are also fixed in UniFi Controller 5.6.42 with firmware 3.8.17 for EOL UAP-AC models.
The firmware changes mentioned above switch the encryption protocol for communication between Ubiquiti devices and the UniFi Network Controller from AES-CBC to the more secure AES-GCM.
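The practical difference between the two modes, as an added illustration (not Ubiquiti's code and not the UniFi protocol): a receiver using plain AES-CBC has nothing to verify and decrypts a modified message without complaint, while AES-GCM's authentication tag makes the same modification fail. Key, IV, nonce and message are constructed values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
)

// Constructed, fixed test vectors: a real deployment derives the key per
// device and must never reuse a GCM nonce under the same key.
var key = bytes.Repeat([]byte{0x42}, 16)
var iv = bytes.Repeat([]byte{0x01}, aes.BlockSize) // CBC IV
var nonce = bytes.Repeat([]byte{0x02}, 12)         // GCM nonce

// newBlock cannot fail for the fixed 16-byte key above.
func newBlock() cipher.Block { b, _ := aes.NewCipher(key); return b }

// cbc encrypts (enc=true) or decrypts with AES-CBC (block-aligned input, no
// padding). No error path: plain CBC gives the receiver nothing to verify.
func cbc(in []byte, enc bool) []byte {
	mode := cipher.NewCBCDecrypter(newBlock(), iv)
	if enc {
		mode = cipher.NewCBCEncrypter(newBlock(), iv)
	}
	out := make([]byte, len(in))
	mode.CryptBlocks(out, in) // panics if len(in) is not a multiple of 16
	return out
}

// gcm encrypts or decrypts with AES-GCM. Seal appends a 16-byte tag; Open checks
// it first and returns an error, releasing no plaintext, on any modification.
func gcm(in []byte, enc bool) ([]byte, error) {
	g, _ := cipher.NewGCM(newBlock()) // fixed key and 12-byte nonce: cannot fail
	if enc {
		return g.Seal(nil, nonce, in, nil), nil
	}
	return g.Open(nil, nonce, in, nil)
}

// TamperCheck encrypts msg both ways, flips the first ciphertext byte and returns
// the plaintext CBC silently accepted plus the error GCM raised (nil = accepted).
func TamperCheck(msg []byte) (cbcPlain []byte, gcmErr error) {
	c := cbc(msg, true)
	c[0] ^= 0x01
	cbcPlain = cbc(c, false)
	g, _ := gcm(msg, true)
	g[0] ^= 0x01
	_, gcmErr = gcm(g, false)
	return cbcPlain, gcmErr
}
```

The CBC receiver gets back a garbled message with no indication anything happened; only the GCM receiver refuses it, which is the property the firmware update adds.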
UniFi Network Controller prior to 5.10.12 (excluding 5.6.42)
UniFi UAP FW prior to 4.0.6
UniFi UAP-AC, UAP-AC v2, and UAP-AC Outdoor FW prior to 3.8.17
UniFi USW FW prior to 4.0.6
UniFi USG FW prior to 4.4.34
Update the UniFi Controller to at least v5.6.42 or v5.10.12+ and update all devices to the versions listed above.