For the past 48 hours or so, I’ve been getting alerts on my Unifi Gateway controller about a blocked threat coming from my Roon Nucleus and going to the Unifi Gateway. I know these can be false positives, so I wanted to see if anyone else is seeing something similar or knows anything about it.
IPS Alert 1: Attempted Administrator Privilege Gain. Signature ET WEB_SPECIFIC_APPS D-Link SSDP ST Header Command Injection Attempt (CVE-2025-10629). From: 192.168.0.72:51105, to: 192.168.1.1:1900, protocol: UDP
Roon Nucleus Info:
OS: Version 2.1 (build 271) production
Server Software: Version 2.54 (build 1554) production
Roon Labs Software: Version 1.0 (build 18) production.
I’m seeing the exact same log messages on my UniFi Gateway. The gateway is blocking the traffic automatically, but it’s still concerning to see…
It only happens when the Roon Server is running, and I’ve done a clean rebuild of the OS and re-install of the latest Roon Server build, but I’m still seeing these messages in the firewall.
Interestingly, the traffic from Roon is only targeting 2 specific devices on my network, both of which are network gateway devices: one a Philips Hue Bridge, and the other a GIRA KNX/IP bridge.
OS - Ubuntu 24.04.3 LTS
Server Software: Version 2.54 (build 1554) production
I’m trying not to read too much into this, but the fact that this appears to be an identified vulnerability in D-Link routers and my Roon Nucleus is attempting to exploit it, is a bit concerning.
I run 3 different Roon servers (2 on Ubuntu Server 24.04.3 LTS, 1 on macOS) in 3 separate locations with UniFi routers (1 UDM Pro, 2 UCG Ultra). Just checked logs, no alerts.
Steve, are you seeing attempts to connect to specific devices on your network, or are the connection attempts more random?
On my network the connection attempts are only to 2 specific devices, both of which are types of network gateway device (IP<->Hue & IP<->KNX), which makes me wonder if these devices are responding to Simple Service Discovery Protocol Service requests?
Perhaps related to Roon Server doing periodic device discovery on the network?
It would be good to have an answer from Roon as to why this is happening - is it a valid problem, or a false positive in the firewall rule?
The fact that you still see this after reinstalling the Roon Server is probably a strong hint at a false positive, but confirmation from Roon Labs would be preferable.
As such, the thread would ideally be moved to Support, I guess, as support staff doesn’t monitor the Roon Software Discussion variety of the forum.
I could do that but I’ll ask the moderators for advice by flagging my post here after saving it.
Agreed, let’s see what @support have to say next week.
Thank you.
I don’t know if they are running the same version as Nucleus. They are up to the latest early access from Roon, though. I don’t have the CyberSecure paid subscription.
I am seeing the same alerts on my UniFi gateway coming from my Roon Nucleus One, targeting my ISP gateway. This behavior is relatively new, about a week or so. I think someone should look into it, because it looks a lot like an exploit.
Could it be a false alarm caused by an innocent change to the Nucleus? Intrusion detection has false positives and false negatives.
Another thing to keep in mind is that the Nucleus has its own custom Linux distro, whose behavior may have changed in ways that those of us running Roon on standard Linux distros might not see.
Anyway, whether innocent or malicious, the change deserves a look from the Roon folks.
Hello, I have no idea what a Roon Nucleus is. I am getting the same alert on my UniFi Gateway from one of my machines. This is the only place on the internet where I am seeing this discussion, so I created an account just to reply to this thread. At first this was happening from one machine, a Windows laptop. I wiped it and it went away. Then the alert started appearing from a Windows desktop machine. I have no idea what it is. This is a new CVE and there is very little on what it is doing or where it came from. Same thing, an alert from a machine to my router. For me it happens every hour or so. It started happening in the last week. I think it is unconnected to having a Roon Nucleus. I do not see any other discussion happening anywhere, such as the UniFi forums either.
I’m having the same issue. I have the Roon server 2.54 (build 1554) in a Debian 12 VM, and every 11 minutes it’s tripping my UniFi saying “Network intrusion detected”. It alternates the target as either my Philips Hue or my Synology NAS (which is not the NAS I use for my Roon media). This started September 19 at 1055 UTC.
Curiously, it was also firing from a Windows 11 PC which had the desktop client open, as well. But systemically, it would only happen every 11 minutes, regardless of which computer was originating it. Those attempts stopped when I closed the desktop client, but I still have RAATServer open.
Sample log. It doesn’t seem to repeat a pattern, just pulling a couple of lines.
I have a Synology NAS server. I have never used a Roon server. To add to this: neither of the two machines that threw this alert have interacted with the Synology server directly. They do not have direct access and do not have any management software for the server on them. The traffic going to the router does so over UDP on port 1900. Pretty much identical to the OP.
I am going to see if I can catch the traffic and trace it using an interactive firewall.
However, it’s interesting that you see this without having a Roon server, because that’s a further hint that it’s a) not really related to Roon servers and b) smells like a false positive.
It appears to be a recently identified trace and it could be benign. The fact that UniFi started reporting it a week ago may be because that’s when it was flagged as a security concern, and not a Nucleus software change.
Aside from being concerning, it’s also annoying. I now have over 4,000 threat alerts over the past few days. It’s relentless and I get an alert on my phone every time.
A network trace with packet inspection using something like Wireshark could be helpful. Alas, that’s beyond my abilities.
This is almost certainly a false positive from your UniFi gateway’s Intrusion Prevention System (IPS).
Roon is behaving perfectly normally. It uses the standard SSDP protocol (on UDP port 1900) to discover audio devices on your network.
The threat signature that’s being triggered, ET WEB_SPECIFIC_APPS D-Link... (CVE-2025-10629), is designed to catch an attack on old, unrelated D-Link routers. Your Roon’s legitimate discovery packet just happens to look similar enough to this attack pattern to accidentally set off the alarm.
The Solution:
The best way to fix this is to create a threat management “allow list” rule in your UniFi Controller to specifically permit this traffic.
Source: 192.168.yy.xx (your Roon Core)
Destination: 192.168.yy.1 (your UniFi Gateway)
Protocol/Port: UDP/1900
This will stop the alerts without compromising your network’s security. In short, your Roon Core is safe and is not attacking your gateway.
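The triage below is an added example, not code from Roon Labs, Ubiquiti or any poster in this thread: it parses SSDP M-SEARCH datagrams of the kind a discovery client sends to UDP/1900 and checks whether the ST header is a well-formed UPnP search target (the shape an IPS rule keyed on that header has to distinguish from legitimate discovery). The datagrams are constructed; the exact ST value Roon sends is an assumption.

```python
"""Triage SSDP M-SEARCH datagrams by the shape of their ST header.

Constructed samples only; no capture from a Roon host or UniFi gateway.
"""
import re

# Search-target forms allowed by the UPnP Device Architecture spec.
ST_PATTERNS = [
    re.compile(r"^ssdp:all$"),
    re.compile(r"^upnp:rootdevice$"),
    re.compile(r"^uuid:[A-Za-z0-9-]+$"),
    re.compile(r"^urn:[A-Za-z0-9.-]+:(device|service):[A-Za-z0-9._-]+:\d+$"),
]


def parse_ssdp(datagram: bytes) -> dict:
    """Split an SSDP request into its start line and lower-cased header dict."""
    lines = datagram.decode("ascii", errors="replace").split("\r\n")
    headers = {}
    for line in lines[1:]:
        if not line:          # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"start_line": lines[0], "headers": headers}


def classify_st(datagram: bytes) -> str:
    """Return 'legit-discovery', 'suspicious-st' or 'not-msearch'."""
    msg = parse_ssdp(datagram)
    if not msg["start_line"].startswith("M-SEARCH "):
        return "not-msearch"
    st = msg["headers"].get("st", "")
    if any(p.match(st) for p in ST_PATTERNS):
        return "legit-discovery"
    return "suspicious-st"   # ST outside the UPnP grammar: worth a pcap look


# Constructed samples (assumed Roon-like discovery; not real captures).
ROON_LIKE = (b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
             b"MAN: \"ssdp:discover\"\r\nMX: 3\r\n"
             b"ST: urn:schemas-upnp-org:device:MediaRenderer:1\r\n\r\n")
ODD_ST = (b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
          b"MAN: \"ssdp:discover\"\r\nMX: 3\r\nST: ssdp:all; extra\r\n\r\n")
```

Feeding the payloads of the flagged UDP/1900 packets from a Wireshark export through classify_st shows whether the IPS fired on an ordinary search target, which is what a false positive looks like.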