Security News Jun 12, 2026 by vuln.today Threat Intelligence

Critical Privilege Escalation in Ubiquiti UniFi OS - CVE-2026-47369

Related CVEs

Other CVEs in Same Group

CVE-2026-47370 CRITICAL 9.9

Authenticated command injection in Ubiquiti UniFi OS allows low-privileged network-adjacent attackers to execute arbitrary OS commands on UniFi gateways, controllers, NVRs, and NAS devices, with a CVSS 9.9 score reflecting scope change and full CIA impact. The vulnerability affects a broad device family including the UDM, UDM Pro/SE/Max/Beast, UDR, UDW, UCG, UNVR, and UNAS lines, per Ubiquiti Security Advisory Bulletin 065. No public exploit was identified at the time of analysis, and the issue is not currently listed in CISA KEV.

CVE-2026-47368 HIGH 8.6

Information disclosure in Ubiquiti UniFi OS devices allows unauthenticated network-adjacent attackers to read sensitive data via a path traversal flaw (CWE-22). The high CVSS 8.6 score reflects a scope change with high confidentiality impact, indicating that disclosed data can affect resources beyond the vulnerable component itself. No public exploit was identified at the time of analysis, and the issue is not listed in CISA KEV.

CVE-2026-48610 HIGH 8.1

Improper access control in Ubiquiti UniFi OS allows network-adjacent attackers to make unauthorized configuration changes to UniFi Dream Machine, Cloud Gateway, and Express gateway devices under certain network configurations. The flaw, scored CVSS 8.1 with full CIA impact, requires no authentication (PR:N) but has high attack complexity (AC:H); no public exploit was identified at the time of analysis. It was disclosed via HackerOne and addressed in Ubiquiti Security Advisory Bulletin 065.
