Tom here from Lawrence Systems. On October 23rd of 2023, Ubiquiti released a security bulletin for all Dream Machine models to update to the latest UniFi Network version, 7.5.187 or later, depending on when you're watching this video. This is the patch for CVE-2023-41721, which has a score of 10, which means extremely vulnerable. But before you go into a panic, stop watching this video and make sure you're up to date. Then go ahead and unpause this video and keep watching, because I want to talk about what is affected, which is going to be the Dream Machine line; what's not affected, interestingly, which is the Cloud Keys and self-hosted models; and how this bug was found, because I think this is an interesting topic and it kind of shows that Ubiquiti has been quite on top of security. So let's get into it.

You'll find links to the pages I referenced down below, but I want to start with the security advisory bulletin. We're going to scroll down here. Affected products is just the UniFi Dream Machine line, not the self-hosted and not the Cloud Key. This is interesting, because I would have assumed whatever mechanism allowed for this flaw to be exploited was also in both of these platforms, and we don't have the details yet, which I'll get to later, of exactly how to exploit this. We do know it is trivial to exploit, because it is a base severity score of 10.0, critical.

Now there's some discussion here, and I think this is the one I want to highlight, which is: does it affect you externally, as in, can external threat actors exploit this? And the answer is no, unless you've changed your WAN to open up to adoption. So it requires some ports being open on your WAN to allow the adoption of devices. So if you haven't done this, this is not an external threat; it would have to be an internal threat against your LAN side, which may or may not be a problem for you, and if you patch, it's not a problem anymore.
Now the good news is this wasn't exploited in the wild, and that's because it was found on HackerOne. Now, for those of you not familiar with HackerOne, it is a bug bounty program. Companies apply to HackerOne as opposed to having security researchers contact them directly, because that can get a little bit challenging at times to validate all the reports. HackerOne is an intermediary who will validate this, work with the security researchers and work with the companies to come to an understanding, and make sure that the report is actually valid and it is reproducible. So it's not just a bug that happens sometimes; it's something that really is a serious vulnerability. And when you get a CVSS score of 10, that means it is quite the vulnerability and quite trivial to exploit, and then Ubiquiti will pay this out.

Now that puts us in the embargo phase, where a patch has been released and real threat actors might be looking at the patch to try to reverse engineer what changes were made to the system, but the security researcher who found the bug is under an embargo to hold that knowledge of how this gets exploited until some time of disclosure that's agreed upon. This allows the security researcher to give out their data, do a talk, put a blog post together about how they found this flaw, but also gives companies like Ubiquiti enough time to get enough patches out there that by the time the knowledge gets dropped, we are actually all patched up. Well, hopefully; that's the theory. I know not everybody patches right away, but you really should. And if you're doing a good job of security, like people who watch my channel, I'm sure you're already patched on this.

Nonetheless, love hearing from you. Leave your thoughts and comments down below. Like and subscribe to see some more content. And did you even know before this video that Ubiquiti was involved in HackerOne? I think it's really great that they've been participating in this. It shows a commitment they have to security.
For all the flaws I do complain about with Ubiquiti's security, it's not been one of them in a long time. I even was really patting them on the back, back in the days of Log4j. But hey, love hearing from you. Leave your thoughts and comments down below, and thanks.