High Severity Vulnerability Patched in Download Manager Plugin

On July 8, 2022 the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability we discovered in “Download Manager,” a WordPress plugin that is installed on over 100,000 sites. This flaw makes it possible for an authenticated attacker to delete arbitrary files hosted on the server, provided they have access to create downloads. If an attacker deletes the wp-config.php file they can gain administrative privileges, including the ability to execute code, by re-running the WordPress install process.

Wordfence Premium, Wordfence Care, and Wordfence Response received a firewall rule on July 8, 2022 to provide protection against any attackers that try to exploit this vulnerability. Wordfence Free users will receive this same protection 30 days later on August 7, 2022.

We attempted to reach out to the developer on July 8, 2022, the same day we discovered the vulnerability. We never received a response so we sent the full details to the WordPress.org plugins team on July 26, 2022. The plugin was fully patched the next day on July 27, 2022.

We strongly recommend ensuring that your site has been updated to the latest patched version of “Download Manager”, which is version 3.2.53 at the time of this publication.

Description: Authenticated (Contributor+) Arbitrary File Deletion
Affected Plugin: Download Manager
Plugin Slug: download-manager
Plugin Developer: W3 Eden, Inc.
Affected Versions: <= 3.2.50
CVE ID: CVE-2022-2431
CVSS Score: 8.8 (High)
Researcher/s: Chloe Chamberland
Fully Patched Version: 3.2.51

Download Manager is a popular WordPress plugin designed to allow site content creators to share downloadable files that are stored as posts. These downloads can be displayed on the front-end of the WordPress site for users to download. Unfortunately, vulnerable versions of the plugin do not validate the file path that is stored with a “download” post, and that same unvalidated path is later passed to unlink() when the post is deleted. This makes it possible for attackers to delete arbitrary files on the server.

More specifically, vulnerable versions of the plugin register the deleteFiles() function that is called via the before_delete_post hook. This hook is triggered right before a post has been deleted and its intended functionality in this case is to delete any files that may have been uploaded and associated with a “download” post.

At first glance this looks like a relatively safe functionality assuming the originally supplied file path is validated. Unfortunately, however, that is not the case as the path to the file saved with the “download” post is not validated to ensure it was a safe file type or in a location associated with a “download” post. This means that a path to an arbitrary file with any extension can be supplied via the file[files][] parameter when saving a post and that would be the file associated with the “download” post. On many configurations an attacker could supply a path such as /var/www/html/wp-config.php that would associate the site’s WordPress configuration file with the download post.

    add_action('before_delete_post', array($this, 'deleteFiles'), 10, 2);

    function deleteFiles($post_id, $post) {
        // Paths stored with the "download" post are used as-is: nothing checks
        // that they point inside the upload directory or at an allowed file type.
        $files = WPDM()->package->getFiles($post_id, false);
        foreach ($files as $file) {
            $file = WPDM()->fileSystem->locateFile($file);
            @unlink($file);
        }
    }

When the user goes to permanently delete the “download” post the deleteFiles() function will be triggered by the before_delete_post hook and the supplied file will be deleted, if it exists.

This can be used by attackers to delete critical files hosted on the server. The wp-config.php file in particular is a popular target for attackers as deletion of this file would disconnect the existing database from the compromised site and allow the attacker to re-complete the initial installation process and connect their own database to the site. Once a database is connected, they would have access to the server and could upload arbitrary files to further infect the system.
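A hardened version of that deletion loop, written here as an added example and not taken from the plugin or from the vendor's patch (the page does not show how version 3.2.51 fixed the issue): the stored path is resolved with realpath() so that “..” segments and symlinks are collapsed, it must land inside the download upload root, and it must carry an allowed extension before unlink() is ever called. The function name wpdm_safe_unlink, the upload root, the extension allowlist and the throwaway file tree are all constructed for this demonstration; the code runs on stock PHP 7.4+ with no WordPress present.

```php
<?php
declare(strict_types=1);

/**
 * Delete a file that was stored with a "download" post, but only if it is a
 * regular file inside $baseDir (the download upload root) with an allowed
 * extension. Symlinks and ".." segments are resolved before the check, so a
 * stored path can never reach wp-config.php or any other file outside the root.
 * Returns true only if the file was actually deleted.
 */
function wpdm_safe_unlink(string $storedPath, string $baseDir, array $allowedExt): bool
{
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        return false;                       // no upload root: refuse everything
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;

    // Relative paths are anchored to the upload root. Absolute paths such as
    // /var/www/html/wp-config.php are kept as-is and fail the containment check.
    $candidate = preg_match('#^(/|[A-Za-z]:[\\\\/])#', $storedPath)
        ? $storedPath
        : $base . $storedPath;

    $real = realpath($candidate);
    if ($real === false || !is_file($real)) {
        return false;                       // missing, or not a regular file
    }
    if (strncmp($real, $base, strlen($base)) !== 0) {
        return false;                       // resolved outside the upload root
    }
    $ext = strtolower(pathinfo($real, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        return false;                       // .php and friends are never assets
    }
    return unlink($real);
}

// Constructed demonstration tree standing in for wp-content (not real site data).
$root    = sys_get_temp_dir() . '/wpdm-demo-' . bin2hex(random_bytes(4));
$uploads = $root . '/uploads/download-manager-files';
mkdir($uploads, 0700, true);
file_put_contents($root . '/wp-config.php', "<?php // stand-in for the real config\n");
file_put_contents($uploads . '/report.pdf', 'pdf bytes');
symlink($root . '/wp-config.php', $uploads . '/innocent.pdf');

$allowed = ['pdf', 'zip', 'png', 'jpg'];
$cases = [
    'report.pdf'             => true,   // legitimate asset: deleted
    $root . '/wp-config.php' => false,  // the advisory's attack path
    '../../wp-config.php'    => false,  // traversal from inside the upload root
    'innocent.pdf'           => false,  // allowed extension, but a symlink out of the root
];
$ok = true;
foreach ($cases as $path => $expected) {
    $deleted = wpdm_safe_unlink($path, $uploads, $allowed);
    $ok = $ok && ($deleted === $expected);
    printf("%-45s deleted=%-5s expected=%s\n",
        $path, var_export($deleted, true), var_export($expected, true));
}
$ok = $ok && file_exists($root . '/wp-config.php');   // config survived every attempt
echo $ok ? "all cases behaved as expected\n" : "MISMATCH\n";

// Clean up the throwaway tree.
@unlink($uploads . '/innocent.pdf');
@unlink($root . '/wp-config.php');
rmdir($uploads);
rmdir($root . '/uploads');
rmdir($root);
```

Two caveats worth keeping in mind when applying this pattern in a real plugin: the containment check is a string-prefix comparison on the resolved path, so the base directory must end with a separator (otherwise /uploads/dm would also accept /uploads/dm-evil/x), and there is still a window between realpath() and unlink() in which a symlink could be swapped, so the upload root itself should not be writable by the users who can create downloads.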

Demonstrating site reset upon download post deletion.

This vulnerability requires contributor-level access and above to exploit, so it serves as an important reminder to make sure you don’t provide contributor-level and above access to untrusted users. It’s also important to validate that all users have strong passwords to ensure your site won’t subsequently be compromised as a result of a vulnerability like this due to an unauthorized actor gaining access via a weak or compromised password.


  • July 8, 2022 – Discovery of the Arbitrary File Deletion Vulnerability in the “Download Manager” plugin. A firewall rule is released to Wordfence Premium, Wordfence Care, and Wordfence Response users. We attempt to initiate contact with the developer.
  • July 26, 2022 – After no response from the developer, we send the full disclosure details to the WordPress plugins team. They acknowledge the report and make contact with the developer.
  • July 27, 2022 – A fully patched version of the plugin is released as version 3.2.51.
  • August 7, 2022 – Wordfence free users receive the firewall rule.


In today’s post, we detailed a flaw in the “Download Manager” plugin that makes it possible for authenticated attackers to delete arbitrary files hosted on an affected server, which could lead to remote code execution and ultimately complete site compromise. This flaw has been fully patched in version 3.2.51.

We recommend that WordPress site owners immediately verify that their site has been updated to the latest patched version available, which is version 3.2.53 at the time of this publication.

Wordfence Premium, Wordfence Care, and Wordfence Response received a firewall rule on July 8, 2022 to provide protection against any attackers trying to exploit this vulnerability. Wordfence Free users will receive this same protection 30 days later on August 7, 2022.

If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both these products include hands-on support in case you need further assistance.


5 Key Things We Learned from CISOs of Smaller Enterprises Survey

New survey reveals lack of staff, skills, and resources driving smaller teams to outsource security.

As business begins its return to normalcy (however “normal” may look), CISOs at small and medium-size enterprises (500 – 10,000 employees) were asked to share their cybersecurity challenges and priorities, and their responses were compared with those of a similar survey from 2021.

Here are the 5 key things we learned from 200 responses:

— Remote Work Has Accelerated the Use of EDR Technologies

In 2021, 52% of CISOs surveyed were relying on endpoint detection and response (EDR) tools. This year that number has leapt to 85%. In contrast, last year 45% were using network detection and response (NDR) tools, while this year just 6% employ NDR. Compared to 2021, double the number of CISOs and their organizations are seeing the value of extended detection and response (XDR) tools, which combine EDR with integrated network signals. This is likely due to the increase in remote work, which is more difficult to secure than when employees work within the company’s network environment.

— 90% of CISOs Use an MDR Solution

There is a massive skills gap in the cybersecurity industry, and CISOs are under increasing pressure to recruit internally. Especially in small security teams where additional headcount is not the answer, CISOs are turning to outsourced services to fill the void. In 2021, 47% of CISOs surveyed relied on a Managed Security Services Provider (MSSP), while 53% were using a managed detection and response (MDR) service. This year, just 21% are using an MSSP, and 90% are using MDR.

— Overlapping Threat Protection Tools are the #1 Pain Point for Small Teams

The majority (87%) of companies with small security teams struggle to manage and operate their threat protection products. Among these companies, 44% struggle with overlapping capabilities, while 42% struggle to visualize the full picture of an attack when it occurs. These challenges are intrinsically connected, as teams find it difficult to get a single, comprehensive view with multiple tools.

— Small Security Teams Are Ignoring More Alerts

Small security teams are giving less attention to their security alerts. Last year 14% of CISOs said they look only at critical alerts, while this year that number jumped to 21%. In addition, organizations are increasingly letting automation take the wheel. Last year, 16% said they ignore automatically remediated alerts, and this year that’s true for 34% of small security teams.

— 96% of CISOs Are Planning to Consolidate Security Platforms

Almost all CISOs surveyed have consolidation of security tools on their to-do lists, compared to 61% in 2021. Not only does consolidation reduce the number of alerts – making it easier to prioritize and view all threats – respondents believe it will stop them from missing threats (57%), reduce the need for specific expertise (56%), and make it easier to correlate findings and visualize the risk landscape (46%). XDR technologies have emerged as the preferred method of consolidation, with 63% of CISOs calling it their top choice.

Download 2022 CISO Survey of Small Cyber Security Teams to see all the results.


Spectre and Meltdown Attacks Against OpenSSL

The OpenSSL Technical Committee (OTC) was recently made aware of several potential attacks against the OpenSSL libraries which might permit information leakage via the Spectre attack [1]. Although there are currently no known exploits for the Spectre attacks identified, it is plausible that some of them might be exploitable.

Local side channel attacks, such as these, are outside the scope of our security policy, however the project generally does introduce mitigations when they are discovered. In this case, the OTC has decided that these attacks will not be mitigated by changes to the OpenSSL code base. The full reasoning behind this is given below.

The Spectre attack vector, while applicable everywhere, is most important for code running in enclaves because it bypasses the protections offered. Example enclaves include, but are not limited to:

The reasoning behind the OTC’s decision to not introduce mitigations for these attacks is multifold:

  • Such issues do not fall under the scope of our defined security policy. Even though we often apply mitigations for such issues we do not mandate that they are addressed.
  • Maintaining code with mitigations in place would be significantly more difficult. Most potentially vulnerable code is extremely non-obvious, even to experienced security programmers. It would thus be quite easy to introduce new attack vectors or fix existing ones unknowingly. The mitigations themselves obscure the code which increases the maintenance burden.
  • Automated verification and testing of the attacks is necessary but not sufficient. We do not have automated detection for this family of vulnerabilities and if we did, it is likely that variations would escape detection. This does not mean we won’t add automated checking for issues like this at some stage.
  • These problems are fundamentally a bug in the hardware. The software running on the hardware cannot be expected to mitigate all such attacks. Some of the in-CPU caches are completely opaque to software and cannot be easily flushed, making software mitigation quixotic. However, the OTC recognises that fixing hardware is difficult and in some cases impossible.
  • Some kernels and compilers can provide partial mitigation. Specifically, several common compilers have introduced code generation options addressing some of these classes of vulnerability:
    • GCC has the -mindirect-branch, -mfunction-return and -mindirect-branch-register options
    • LLVM has the -mretpoline option
    • MSVC has the /Qspectre option

  1. Nicholas Mosier, Hanna Lachnitt, Hamed Nemati, and Caroline Trippel, “Axiomatic Hardware-Software Contracts for Security,” in Proceedings of the 49th ACM/IEEE International Symposium on Computer Architecture (ISCA), 2022.

Posted by OpenSSL Technical Committee May 13th, 2022 12:00 am


Securing Port 443: The Gateway To A New Universe

At Wordfence our business is to secure over 4 million WordPress websites and keep them secure. My background is in network operations, and then I transitioned into software development because my ops role was at a scale where I found myself writing a lot of code. This led me to founding startups, and ultimately into starting the cybersecurity business that is Wordfence. But I’ve maintained that ops perspective, and when I think about securing a network, I tend to think of ports.

You can find a rather exhaustive list of TCP and UDP ports on Wikipedia, but for the sake of this discussion let’s focus on a few of the most popular ports:

  • 20 and 21 – FTP
  • 22 – SSH
  • 23 – (Just kidding. You better not be running Telnet)
  • 25 – Email via SMTP
  • 53 – DNS
  • 80 – Unencrypted Web
  • 110 – POP3 (for older email clients)
  • 443 – Web encrypted via TLS
  • 445 – Active Directory or SMB sharing
  • 993 – IMAP (for email clients)
  • 3306 – MySQL
  • 6379 – Redis
  • 11211 – Memcached

If you run your eye down this list, you’ll notice something interesting. The options available to you for services to run on most of these ports are quite limited. Some of them are specific to a single application, like Redis. Others, like SMTP, provide a limited number of applications, either proprietary or open-source. In both cases, you can change the configuration of the application, but it’s rare to write a custom application on one of those ports. Except port 443.

In the case of port 443 and port 80, you have a limited range of web servers listening on those ports, but users are writing a huge range of bespoke applications on port 443, and have a massive selection of applications that they can host on that port. Everything from WordPress to Drupal to Joomla, and more. There are huge lists of Content Management Systems.

Not only do you have a wide range of off-the-shelf web applications that you can run on port 443 or (if you’re silly) port 80, but you also have a range of languages they might be coded in, or in which you can code your own web application. Keep in mind that the web server, in this case, is much like an SSH or IMAP server in that it is listening on the port and handling connections, but the difference is that it is handing off execution to these languages, their various development frameworks, and ultimately the application that a developer has written to handle the incoming request.

With SSH, SMTP, FTP, IMAP, MySQL, Redis and most other services, the process listening on the port is the process that handles the request. With web ports, the process listening on the port delegates the incoming connection to another application, usually written in another language, running at the application layer, that is part of the extremely large and diverse ecosystem of web applications.

This concept in itself – that the applications listening on the web ports are extremely diverse and either home-made or selected from a large and diverse ecosystem – presents unique security challenges. In the case of, say, Redis, you might worry about running a secure version of Redis and making sure it is not misconfigured. In the case of a web server, you may have 50 application instances written in two languages from five different vendors all on the same port, which all need to be correctly configured, have their patch levels maintained, and be written using secure coding practices.

As if that doesn’t make the web ports challenging enough, they are also, for the most part, public. Putting aside internal websites for the moment, perhaps the majority of websites derive their value from making services available to users on the Internet by being public-facing. If you consider the list of ports I have above, or in the Wikipedia article I linked to, many of those ports are only open on internal networks or have access to them controlled if they are external. Web ports for public websites, by their very nature, must be publicly accessible for them to be useful. There are certain public services like SMTP or DNS, but as I mentioned above, the server that is listening on the port is the server handling the request in these cases.

A further challenge when securing websites is that often the monetary and data assets available to an attacker when compromising a website are greater than the assets they may gain compromising a corporate network. You see this with high volume e-commerce websites where a small business is processing a large number of web-based e-commerce transactions below $100. If the attacker compromises their corporate network via leaked AWS credentials, they may gain access to the company bank account and company intellectual property, encrypt the company’s data using ransomware, or perhaps even obtain customer PII. But by compromising the e-commerce website, they can gain access to credit card numbers in-flight, which are far more tradeable, and where the sum of available credit among all cards is greater than all the assets of the small business, including the amount of ransom that business might be able to pay.

Let’s not discount breaches like the 2017 Equifax breach that compromised 163 million American, British and Canadian citizen’s records. That was extremely valuable to the attackers. But targets like this are rare, and the Web presents a target-rich environment. Which is the third point I’d like to make in this post. While an organization may run a handful of services on other ports, many companies – with hosting providers in particular – run a large number of web applications. And an individual or company is far more likely to have a service running on a web port than any other port. Many of us have websites, but how many of us run our own DNS, SMTP, Redis, or another service listening on a port other than 80 or 443? Most of us who run websites also run MySQL on port 3306, but that port should not be publicly accessible if configured correctly.

That port 443 security is different has become clear to us at Wordfence over the years as we have tracked and cataloged a huge number of malware variants, web vulnerabilities, and a wide range of tactics, techniques, and procedures (TTP) that attackers targeting web applications use. Most of these have no relationship with the web server listening on port 443, and nearly all of them have a close relationship with the web application that the web server hands off control to once communication is established.

My hope with this post has been to catalyze a different way of thinking about port 443 and that other insecure port (80) we all hopefully don’t use. Port 443 is not just another service. It is, in fact, the gateway to a whole new universe of programming languages, dev frameworks, and web applications.

In the majority of cases, the gateway to that new universe is publicly accessible.

Once an attacker passes through that gateway, a useful way to think about the web applications hosted on the server is that each application is its own service that needs to have its patch level maintained, needs to be configured correctly, and should be removed if it is not in use to reduce the available attack surface.

If you are a web developer you may already think this way, and if anything, you may be guilty of neglecting services on ports other than port 80 or 443. If you are an operations engineer, or an analyst working in a SOC protecting an enterprise network, you may be guilty of thinking about port 443 as just another port you need to secure.

Think of port 443 as a gateway to a new universe that has no access control, with HTTPS providing easy standardized access, and with a wide range of diverse services running on the other side, that provide an attacker with a target and asset-rich environment.

Footnote: We will be exhibiting at Black Hat in Las Vegas this year at booth 2514 between the main entrance and Innovation City. Our entire team of over 30 people will be there. We’ll have awesome swag, as always. Come and say hi! Our team will also be attending DEF CON immediately after Black Hat.

Written by Mark Maunder – Founder and CEO of Wordfence. 


UI Expands Lab With Anechoic Chambers to Deliver Products Faster

Ubiquiti’s Salt Lake City-based engineering team has expanded its regulatory compliance and engineering development laboratory to include state-of-the-art anechoic chambers: the 10/5/3 m Multi-Axis Anechoic Chamber & the 3 m Anechoic Dome-Roofed Chamber.

This laboratory expansion gives us capabilities to speed up product development cycles, ensuring product quality and improving our time to market in a growing number of countries.

10/5/3 m Multi-Axis Anechoic Chamber

Chamber 1: Frankonia SAC-10 Plus Triton chamber with three measurement axes

The Frankonia SAC-10 Plus Triton chamber (19.21 m x 12.08 m x 8.18 m) is the top-of-the-line model from the manufacturer. It’s the only one of its kind in the world outside the manufacturer’s lab.

The specialized “Triton” form factor allows us to have three different emission and immunity test setups in place at once:

  • Test Axis 1: Low-frequency emissions compliant with ANSI C.63.4 + CISPR 16-1-4 (NSA)
  • Test Axis 2: High-frequency and RF emissions compliant with ANSI C.63.10 + CISPR 16-1-4 (SVSWR)
  • Test Axis 3: Radiated RF Immunity compliant with IEC/EN61000-4-3 (FU)

With this setup, our engineers can perform the required electromagnetic interference (EMI) and electromagnetic susceptibility (EMS) procedures with reduced setup changes, saving hours of time with each iterative test. Keeping the same setup in place reduces the time needed to complete the tests and makes them reproducible.

The Device Under Test (DUT) is placed on a non-reflective (styrofoam) table on top of a rotating turntable. Extensive test automation actuates the test equipment, antennas, and turntable while performing the required tests at all angles.

Anechoic chambers offer excellent isolation against interference from the surrounding environment. Carefully designed and positioned absorbers significantly reduce radio frequency (RF) reflections. The SAC-10 Plus Triton chamber provides a 9 kHz to 40 GHz measurement frequency range. The metal exterior shielding provides over 100 dB of attenuation from the outside world.

How much is 100 dB attenuation in practice? Consider a case with a tower-top macro LTE base station that has high-gain antennas at a distance of 5 m from the chamber. To get service inside the chamber, the phone needs at least -100 dBm signal level. With a typical equipment setup, the signal level remains below -100 dBm inside the chamber and there is no LTE service.

3 m Dome-Roofed Anechoic Chamber

Chamber 2: Frankonia SAC-3 Plus 3 m chamber with AmpliFi on the rotating measurement table

The other newly constructed chamber, the Frankonia SAC-3 Plus L (9.23 m x 6.53 m x 6.00 m), is a versatile, fully compliant Electromagnetic Compatibility (EMC) testing room. We use this chamber for emissions and immunity testing in parallel with the larger SAC-10 chamber.

The dome-shaped roof design combined with RF absorbers minimizes reflections and offers excellent measurement performance. The SAC-3 chamber provides over 110 dB isolation from the outside world. Similar to the larger chamber room, the fully automated test routines control the turntable and antenna height, as well as run the test equipment.

Anechoic — No Reflections

Electromagnetic waves are absorbed by the pyramid-shaped structures

Anechoic chambers provide significantly reduced reflections and external interference levels, making measurements repeatable and accurate.

Electromagnetic waves propagate, reflect, and refract differently depending on the frequency and surrounding structures. The following techniques are important for RF and anechoic chamber designs.

Design techniques for RF and anechoic chambers

While our chambers provide a drastic reduction in RF reflections, they are not intended to be completely anechoic by design (i.e. semi-anechoic).

Performing measurements in an anechoic chamber has certain unique consequences. Multiple-input, multiple-output (MIMO) technology used in Wi-Fi relies on multiple spatial signal paths created by reflections. Performance measurements, for example throughput, therefore require adding metallic RF-reflecting materials inside the chamber. Even in a perfect interference-free environment, in the absence of reflections and multipath propagation, Wi-Fi throughputs are low.

Control Room Hosts Test Equipment

Control room with test equipment

When a chamber’s door is closed, engineers work in the shielded control room with test equipment next to the chamber and oversee test progress. This eliminates any potential source of emissions from interfering with testing. Cameras inside the chamber help ensure the test setup remains intact with automated DUT position and antenna adjustments.

Accredited Accuracy, Shorter Time to Market

Governments heavily regulate RF, EMC, and safety testing. The Federal Communications Commission (FCC), Innovation, Science and Economic Development Canada (ISED), and the European Union directives behind the CE Mark regulate RF devices and their potential interference with licensed operations in the US, Canada, and the European Union respectively.

Since all regions and countries have their own regulations, the resulting testing effort for each new product is significant. The Salt Lake City lab’s new accreditation by the National Voluntary Laboratory Accreditation Program (NVLAP) of the National Institute of Standards and Technology (NIST) means our engineers can perform a broad range of performance and regulatory compliance tests in-house and quickly, expediting a product’s time-to-market.

These are the most common test requirements:

  • RF parameters
    • RF performance, limits, and requirements for transmitters
  • Radiated and conducted emissions
    • Limits on unintentional emissions across various frequency bands and test modes
  • Radiated and conducted immunity
    • Test for product susceptibility to external radio energy, ensuring product reliability
  • Static discharge, surge, and fast transient immunity
    • Ensures that various magnitudes and types of voltage and current spikes can be withstood by the product without degradation of performance or abnormal behavior
  • Product safety
    • Tests to ensure international safety standards are met or exceeded to reduce the hazard to humans and the environment


This World Password Day consider ditching passwords altogether

Did you know that May 5, 2022, is World Password Day? [1] Created by cybersecurity professionals in 2013 and designated as the first Thursday every May, World Password Day is meant to foster good password habits that help keep our online lives secure. It might seem strange to have a day set aside to honor something almost no one wants to deal with—like having a holiday for filing your income taxes (actually, that might be a good idea). But in today’s world of online work, school, shopping, healthcare, and almost everything else, keeping our accounts secure is more important than ever. Passwords are not only hard to remember and keep track of, but they’re also one of the most common entry points for attackers. In fact, there are 921 password attacks every second, nearly doubling in frequency over the past 12 months. [2]

But what if you didn’t have to deal with passwords at all? Last fall, we announced that anyone can completely remove the password from their Microsoft account. If you’re like me and happy to ditch passwords completely, read on to learn how Microsoft is making it possible to start enjoying a passwordless life today. Still, we know not everyone is ready to say goodbye to passwords, and it’s not possible for all your online accounts. We’ll also go over some easy ways to improve your password hygiene, as well as share some exciting news from our collaboration with the FIDO Alliance about a new way to sign in without a password.  

Free yourself with passwordless sign-in

Yes, you can now enjoy secure access to your Microsoft account without a password. By using the Microsoft Authenticator app, Windows Hello, a security key, or a verification code sent to your phone or email, you can go passwordless with any of your Microsoft apps and services. Just follow these five steps:

  1. Download and install Microsoft Authenticator (linked to your personal Microsoft account).
  2. Sign in to your Microsoft account.
  3. Choose Security. Under Advanced security options, you’ll see Passwordless account in the section titled Additional security.
  4. Select Turn on.
  5. Approve the notification from Authenticator.
User interface of Microsoft Authenticator app providing instructions on how to turn on passwordless account option.
Notification from Microsoft Authenticator app confirming user's password has been removed.

Once you approve the notification, you’ll no longer need a password to access your Microsoft accounts. If you decide you prefer using a password, you can always go back and turn off the passwordless feature. Here at Microsoft, nearly 100 percent of our employees use passwordless options to log into their corporate accounts.

Strengthen security with multifactor authentication

One simple step we can all take to protect our accounts today is adding multifactor authentication, which blocks 99.9 percent of account compromise attacks. The Microsoft Authenticator app is free and provides multiple options for authentication, including time-based one-time passcodes (TOTP), push notifications, and passwordless sign-in—all of which work for any site that supports multifactor authentication. Authenticator is available for Android and iOS and gives you the option to turn two-step verification on or off. For your Microsoft Account, multifactor authentication is usually only needed the first time you sign in or after changing your password. Once your device is recognized, you’ll just need your primary sign-in.

Microsoft Authenticator screen showing different accounts, including: Microsoft, Contoso Corporation, and Facebook.

Make sure your password isn’t the weak link

Rather than keeping attackers out, weak passwords often provide a way in. Using and reusing simple passwords across different accounts might make our online life easier, but it also leaves the door open. Attackers regularly scour social media accounts looking for birthdates, vacation spots, pet names and other personal information they know people use to create easy-to-remember passwords. A recent study found that 68 percent of people use the same password for different accounts. [3] Reuse compounds the damage: once a password and email combination has been compromised, it’s often sold on the dark web for use in additional attacks against every other account that shares it. As my friend Bret Arsenault, our Chief Information Security Officer (CISO) here at Microsoft, likes to say, “Hackers don’t break in, they log in.”

Some basics to remember—make sure your password is:

  • At least 12 characters long.
  • A combination of uppercase and lowercase letters, numbers, and symbols.
  • Not a word that can be found in a dictionary, or the name of a person, product, or organization.
  • Completely different from your previous passwords.
  • Changed immediately if you suspect it may have been compromised.

Tip: Consider using a password manager. Microsoft Edge and Microsoft Authenticator can create (and remember) strong passwords using Password Generator, and then automatically fill them in when accessing your accounts. Also, keep these other tips in mind:

  • Only share personal information in real-time—in person or by phone. (Be careful on social media.)
  • Be skeptical of messages with links, especially those asking for personal information.
  • Be on guard against messages with attached files, even from people or organizations you trust.
  • Enable the lock feature on all your mobile devices (fingerprint, PIN, or facial recognition).
  • Ensure all the apps on your device are legitimate (only from your device’s official app store).
  • Keep your browser updated, browse in incognito mode, and enable Pop-Up Blocker.
  • Use Windows 11 and turn on Tamper Protection to protect your security settings.

Tip: When answering security questions, provide an unrelated answer. For example, Q: “Where were you born?” A: “Green.” This helps throw off attackers who might use information skimmed from your social media accounts to hack your passwords. (Just be sure the unrelated answers are something you’ll remember.)

Passwordless authentication is becoming commonplace

As part of a historic collaboration, the FIDO Alliance, Microsoft, Apple, and Google have announced plans to expand support for a common passwordless sign-in standard. Commonly referred to as passkeys, these multi-device FIDO credentials offer users a platform-native way to safely and quickly sign in to any of their devices without a password. Virtually unable to be phished and available across all your devices, a passkey lets you sign in simply by authenticating with your face, fingerprint, or device PIN.

In addition to a consistent user experience and enhanced security, these new credentials offer two other compelling benefits:

  1. Users can automatically access their passkeys on many of their devices without having to re-enroll for each account. Simply authenticate with your platform on your new device and your passkeys will be there ready to use—protecting you against device loss and simplifying device upgrade scenarios.
  2. With passkeys on your mobile device, you’re able to sign in to an app or service on nearly any device, regardless of the platform or browser the device is running. For example, users can sign in on a Google Chrome browser that’s running on Microsoft Windows, using a passkey on an Apple device.

These new capabilities are expected to become available across Microsoft, Apple, and Google platforms starting in the next year. This type of Web Authentication (WebAuthn) credential represents a new era of authentication, and we’re thrilled to join the FIDO Alliance and others in the industry in supporting a common standard for a safe, consistent authentication experience. Learn more about this open-standards collaboration and exciting passwordless capabilities coming for Microsoft Azure Active Directory in a blog post from Alex Simons, Vice President, Identity Program Management.

Helping you stay secure year-round

Read more about Microsoft’s journey to provide passwordless authentication in a blog post by Joy Chik, Corporate Vice President of Identity. You can also read the complete guide to setting up your passwordless account with Microsoft, including FAQs and download links. And be sure to visit Security Insider for interviews with cybersecurity thought leaders, news on the latest cyberthreats, and lots more.

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.


Discover Your Perfect Console with the New UniFi OS Resource Calculator

Your UniFi deployment is only as good as the planning behind it. There are two important questions to consider as you build your dream system and determine how to optimize its performance. The first is whether or not your equipment can be seamlessly integrated into your space. 

We have you covered there with our Design Center, the interactive visualization tool that allows you to map out a custom network uniquely suited for your location. Check out our brief video overview to learn more.

The UniFi product suite is vast, cohesive, and designed to be highly scalable so you can build and support networks of any size. That means you have myriad options when it comes to choosing your ideal devices, applications, and functionality, so we strongly recommend taking your time during the planning process. Once you’ve finalized your deployment, then comes the all-important follow-up question:

Do I have what I need to run all of this?

With that in mind, we’re very excited to introduce the UniFi OS Console Resource Calculator: a brand-new modal that not only provides console-specific processing and memory caps with a single click, but gives dynamic approximations of how well each console can support various deployment types.

Granularity is the name of the game with our new calculator. Our top priority is ensuring that every user can fully capture each component of their system so they know exactly what console is right for them. After selecting a console and the applications it will run, you have a wealth of customization options to help you specify how many devices you’re connecting, how they will function, and whether or not they will have advanced configurations.

As you make your adjustments, you’ll see how each console’s CPU and memory are impacted, helping you determine whether you’ve chosen the right model or you require one with higher specs. Take a look at the calculator in action in our April edition of Ubiquiti Insider:


Simplifying IT isn’t just about making networking technology more accessible and intuitive; it’s about giving users a deeper understanding of how their system works and what’s needed to support it. We’re very proud of this new innovation because it’s directly tied to our greatest pursuit: delivering the best system performance and user experience possible.

We really can’t wait for you to try the resource calculator, so take it for a spin here and let us know what you think on the Ubiquiti Community forum. Also, be sure to check back soon for more news on the ever-expanding world of UniFi!


UniFi – USW: Which SFP Modules Can be Used

The Ubiquiti UFiber modules are officially supported and compatible with all EdgeSwitch, EdgeRouter, UniFi Switch, UniFi Dream Machine Pro and UniFi Security Gateway models that have SFP or SFP+ ports. Multi-mode and single-mode SFP and SFP+ models are available, including single-mode BiDi models.

SKU (Model) | 1G (SFP) | 10G (SFP+) | 25G

  • UDC-1 (1m), UDC-2 (2m), UDC-3 (3m)*
  • UC-DAC-SFP+ (0.5m)*
  • UC-DAC-SFP28 (0.5m)**

* Ports can be set manually to 1000mbps for compatibility between SFP+ and SFP ports.
** SFP28 to SFP28 (max data rate 25Gbps)

The list below includes third-party SFP/SFP+ transceivers that have been tested by community members. Please note that these should work, but we cannot assure that they will. Some modules have multiple hardware revisions, and while one revision may work (e.g. 1.0), it’s possible that a newer revision (e.g. 1.1, 1.2, etc.) of the same module may not.

We do, however, offer direct support for our own modules.

  • Addon 1000BASE-LX SFP MMF
  • Addon 1000BASE-SX SFP MMF
  • Brocade  10G-SFPP-TWX-0101
  • Cisco GLC-LH-SM 30-1299-01 SFP
  • Cisco GLC-SX-MM
  • Cisco GLC-SX-MM 1000BASE-SX SFP
  • Cisco SFP-H10GB-CU1M
  • Dell FTLF1318P3BTL
  • Dell FTLF8519P2BNL
  • Dell FTLX1371D3BCL
  • Dell FTLX8571D3BCL
  • FCI 10110818-2030LF
  • Finisar FTLF8524P2BNL
  • HP J4858C
  • MaxxWave MX-SX-MM-US 10G + 1.25G
  • MGB-SX 1000Base-SX
  • Mikrotik S-3553LC0D
  • Mikrotik S+31DLC10D
  • Mikrotik S+85DLC03D
  • Solid-Optics ‘SFP-GE-L-SO’ 1000Mbps
  • SourceLight SLS-1285-S5-D


  • FiberStore SFP1G-LX-31 1310nm (Single-mode SFPs): with the 8-Port switch set the Negotiation to 1G fixed. On the 24-port autonegotiation works fine.
  • Finisar FTLX1471D3BCV (dual rate – single-mode)
  • HP J4859B – (Finisar FTRJ1319P1BTL-PT Rev A)
  • HP J4859C – (Intel TXN221200000005) – no OTDR output (show fiber-ports optical-transceiver all)


  • Cisco MGBSX1 Gigabit SX Mini-GBIC SFP Transceiver
  • Fiberstore SFP-1G85-5M (multi-mode)
  • Finisar FTLF8524P3BNL (multi-mode)
  • HP J4858A (3rd party) – (FINISAR FTRJ-8519-7D) – no OTDR output


  • Cisco GLC-T – (CISCO-FINISAR FCMJ-8521-3-CSC Rev 4)
  • Delta LCP-1250RJ3SR – (DELTA LCP-1250RJ3SR Rev 0000) 
  • Fiberstore SFP-GB-GE-T Module
  • Mikrotik S-RJ01 (not compatible)


  • Finisar FTLX1471D3BCV (dual rate – single-mode)


  • Cisco SFP-10G-SR
  • Fiberstore SFP-10G85-3M (multi-mode)
  • Finisar FTLX8571D3BCL (multi-mode)


  • Addon SFP-10G-PDAC1M-AO
  • Juniper ex-sfp-10ge-dac-1m – (Amphenol 584990001 Rev A)
    • This is a 10g DAC that appears to link up at 1g when both ends are plugged into the two SFP slots of the ES-24-250W
    • I haven’t tested sending traffic over this cable, as I only have one ES-24-250W, and Juniper equipment wants to link up at 10g when using this DAC
  • MikroTik S+DA0001
  • Molex 74742-0001
  • Fibrestore 10G DAC cables

The following SFP/SFP+ transceivers have been tested by community members, but may not work reliably. They are not recommended for use with UniFi switches.

  • TP-LINK TL-SM311LS ** may not work on newer firmware, may also depend on module version
  • TP-LINK TL-SM311LM ** may not work on newer firmware, may also depend on module version


UniFi – Supported PoE Output and Input Modes


This article provides tables with information on the supported Power over Ethernet (PoE) output and input modes for Ubiquiti UniFi Switches, Access Points, Cloud Keys and Cameras.

NOTES & REQUIREMENTS:

  • See each device’s Datasheet, available in their store product page or in the Downloads section, for more information on the supported PoE modes.
  • See our PoE Adapters page for more information on Ubiquiti PoE adapters/injectors that can be used to power on devices.
  • There is more information on PoE in the Power Over Ethernet (PoE) article.

Table of Contents

  1. Introduction
  2. UniFi Switches – Supported PoE Output Modes
  3. UniFi Access Points – Supported PoE Input Modes
  4. UniFi Cloud Key – Supported PoE Input Modes
  5. UniFi Cameras – Supported PoE Input Modes
  6. UniFi Switches – Supported PoE Input Modes
  7. Related Articles


One of the challenges with large PoE deployments is figuring out how to provide power to your UniFi Access Points. When you have many access points it becomes less viable to power devices using AC PoE injectors. With non-PoE capable switches, you can add a Midspan device which acts as a collection of individual PoE injectors by receiving Ethernet from the switch with only data being transmitted and adding power out over Ethernet through the connection. Such a piece of equipment takes up additional space on your rack, while also costing you a lot of money.

To help with such deployments, UniFi Switches come in several models with 8, 16, 24 or 48 ports. These switches are endspan devices: they act as the switch and provide PoE to devices at the same time. UniFi switches give you greater functionality when used with the different UniFi Access Point (UAP), UniFi Dream Machine (UDM), and UniFi Security Gateway (USG) models, and cost well under the price of a midspan device alone.

UniFi Switches – Supported PoE Output Modes

Ubiquiti devices use Active PoE output. This means that the voltage the Powered Device (PD) needs is negotiated. There are three output modes:

  • PoE: Uses IEEE 802.3af standard to deliver up to 15.4W.
  • PoE+: Uses IEEE 802.3at standard to deliver up to 30W.
  • PoE++: Uses IEEE 802.3bt standard to deliver up to 60W.

Different switches provide different output methods, so it’s important to learn which power methods the UniFi switches support and compare them with the power method needed by the UniFi devices you want to power, e.g. UniFi access points, cameras or Cloud Keys.

It’s important to note that each switch has a maximum power consumption which should be considered when powering multiple UniFi devices via PoE. For example, a US-16-150W has a 150W maximum power consumption, even though it has 16 ports. The UAP-HD has a maximum power consumption of 17W. Therefore, if you were to power 16 UAP-HD on a US-16-150W, there is a possibility that the wattage could exceed what the switch is capable of supplying in certain conditions. Find each device’s power consumption in their Datasheets, found in the Downloads page, within each product’s Documentation section.
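The budget check described above, carried through in code as an added example (this is not Ubiquiti's own tooling). The 802.3af/at/bt per-port ceilings and the 150 W and 17 W figures are the article's; modelling every US-16-150W port as an 802.3at output and the UAP-HD as requiring 802.3at are assumptions made here.

```python
from dataclasses import dataclass

# Per-port ceilings by IEEE standard, as stated in the article.
PORT_MAX_W = {"PoE": 15.4, "PoE+": 30.0, "PoE++": 60.0}
MODE_RANK = {"PoE": 0, "PoE+": 1, "PoE++": 2}   # higher modes can serve lower-mode PDs


@dataclass
class Switch:
    model: str
    budget_w: float      # total PoE power the switch can supply across all ports
    port_modes: dict     # port number -> highest output mode available on that port


@dataclass
class PoweredDevice:
    model: str
    max_draw_w: float    # worst-case draw from the datasheet
    required_mode: str   # minimum input mode the device accepts


def plan_ports(switch, devices):
    """Assign each device to a port that meets its mode, then check the budget.

    Returns (assignments, total_w, problems); an empty `problems` list means
    the deployment fits even when every device draws its maximum.
    """
    free_ports = sorted(switch.port_modes)
    assignments, problems, total_w = {}, [], 0.0
    for n, pd in enumerate(devices, start=1):
        # first free port whose output mode is at least what the device needs
        port = next((p for p in free_ports
                     if MODE_RANK[switch.port_modes[p]] >= MODE_RANK[pd.required_mode]),
                    None)
        if port is None:
            problems.append(f"{pd.model} #{n}: no free port supports {pd.required_mode}")
            continue
        per_port_limit = PORT_MAX_W[switch.port_modes[port]]
        if pd.max_draw_w > per_port_limit:
            problems.append(f"{pd.model} #{n}: draws {pd.max_draw_w} W, port {port} "
                            f"delivers at most {per_port_limit} W")
        free_ports.remove(port)
        assignments[port] = pd.model
        total_w += pd.max_draw_w
    if total_w > switch.budget_w:
        problems.append(f"{switch.model}: worst-case draw {total_w:.1f} W exceeds "
                        f"the {switch.budget_w:.0f} W budget")
    return assignments, total_w, problems


def us16_150w_with_uap_hd(count):
    """The article's example: `count` UAP-HD units (17 W each) on a US-16-150W.

    Assumption: all 16 ports are modelled as PoE+ (802.3at) outputs.
    """
    switch = Switch("US-16-150W", 150.0, {p: "PoE+" for p in range(1, 17)})
    devices = [PoweredDevice("UAP-HD", 17.0, "PoE+") for _ in range(count)]
    return plan_ports(switch, devices)


if __name__ == "__main__":
    for count in (8, 16):
        _, total, problems = us16_150w_with_uap_hd(count)
        print(f"{count} x UAP-HD: {total:.0f} W ->", problems or "fits")
```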

  • USW-Pro-48-PoE: (Ports 41-48)
  • USW-48-PoE: (Ports 1-32) (Ports 1-32)
  • USW-Pro-24-PoE: (Ports 17-24)
  • USW-24-PoE: (Ports 1-16) (Ports 1-16)
  • USW-16-PoE: (Ports 1-8) (Ports 1-8)
  • USW-Lite-16-PoE: (Ports 1-8) (Ports 1-8)
  • USW-Lite-8-PoE: (Ports 1-4) –
  • USW-Industrial: (Ports 1-8) (Ports 1-8) (Ports 1-8)
  • US-8: (Port 8) – –
  • US-8-60W: (Ports 4-8) – –
  • US-8-150W: –
  • USW-Flex: – –

UniFi Access Points – Supported PoE Input Modes

  • UAP-AC-LR**: (Mode A) – –
  • UAP-AC-LITE***: (Mode A) – –
  • UAP-AC-M: (Mode A) – –
  • UAP-nanoHD: – –
  • UAP-XG: – –

NOTES:
* The IW models only support PoE Pass-Through when powered by 802.3at.
** UAP-AC-LRs with a date code prior to 1634 or board revision before 17 only support 24V passive PoE.
*** UAP-AC-LITEs with a date code prior to 1634 or board revision before 33 only support 24V passive PoE.


Legacy Devices – Power Methods

  • UAP: – – –
  • UAP-LR: – – –
  • UAP-AC: – –
  • UAP-AC-Outdoor: – –
  • UAP-Outdoor: – – –
  • UAP-Outdoor5: – – –
  • UAP-IW**: –

NOTE: * The UAP-IW only supports PoE Pass-Through when powered by 802.3at.

UniFi Cloud Key – Supported PoE Input Modes

  • UC‑CK: – –
  • UCK-G2: – –

UniFi Cameras – Supported PoE Input Modes

  • UVC-G3: – –
  • UVC-G3-AF: – –

NOTE: * Supported when using the included 802.3af Instant PoE Adapter. See the QSG for more information. 

UniFi Switches – Supported PoE Input Modes

  • US-8: –
  • USW-Flex-Mini: –


UniFi – UAP Antenna Radiation Patterns

Use this article to compare the different antenna radiation patterns of our UniFi Access Points. For an explanation on how to read antenna radiation patterns see UniFi – Introduction to Antenna Radiation Patterns.

About Radiation Patterns

Radiation patterns can be used to better understand how each Ubiquiti UniFi access point model broadcasts wireless signal. These patterns are what antenna engineers call reciprocal—in that the transmit-power (the capability of the AP to ‘speak’) will be highest at the peaks, and so will the receive-sensitivity (the capability of the AP to ‘hear’).

Please note that these radiation patterns are gathered in a fully anechoic environment. Their shape, peak gain/directivity and efficiency will change in installed environments. Every deployment will behave differently due to interference, materials, geometries of structures, and how these materials behave at 2.4GHz and 5GHz.

With that in mind, use these radiation plots as a general guide to where most of the energy (and receive sensitivity) of the UniFi APs is directed, but keep in mind that the only way to know for certain whether a coverage design succeeds is to measure it. Measure signal strength and coverage before (with mock positioning), during (as you install), and after, to confirm that you have the coverage you want and don’t have the coverage you don’t want (for example self-interference: APs hearing each other, or stations of other APs on the same channel).

Radiation Plot Format

Radius represents ‘elevation’, with 0° representing antenna gain straight under the AP, and 90° representing antenna gain at horizon. The degrees on the circumference represent ‘Azimuth’. That is to say, left/right/front/back of the AP, when mounted overhead.

Comparison Table

Use this table to compare the radiation patterns of each UAP. The first column shows where the colored dots found in each radiation plot are placed on the actual devices. Note that the colored dots in the plots might be on the outer perimeter or closer to the center.

Note: Varying scales are represented in the graphs below. Consider each graph individually and take note of scale when comparing products.

Comparison table (plot images; columns: Directional color dots on device, 5GHz Low Frequency, 5GHz Mid Frequency, 5GHz High Frequency, 2.4GHz Frequency). Models shown: U6-Lite, UDM, UWB-XG (High Gain plots only; the UWB-XG models do not operate on the 2.4GHz band), UAP-FlexHD, UAP-IW-HD, UAP-XG, UAP-AC-M.

Model Summary Plots

This section includes a graphic summary for each UniFi Access Point shown in the table above, portraying radiation plots for Azimuth, Elevation 0°, Elevation 90° and Mapped 3D.

U6 Lite

U6 Pro

U6 Mesh

High Gain

Low Gain

Note: The antennas for the UAP-AC-M were angled at 45° to generate the plots as shown in the images above.

UAP-AC-M-PRO

Antenna Files (.ant)

Please note the data in the .ant files below was extracted from full model simulations. Clicking on the links in the following table will prompt the immediate download of the .ant file.

UniFi Access Point Model | Downloadable Antenna Files (.ant)
UAP-AC-IW-Pro | UAP-AC-IW-Pro.zip
