Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
9DescriptionCVE.org
A series of Improper Input Validation vulnerabilities could allow a Command Injection by a malicious actor with access to the UniFi Play network.
Affected Products: UniFi Play PowerAmp (Version 1.0.35 and earlier) UniFi Play Audio Port (Version 1.0.24 and earlier)
Mitigation: Update UniFi Play PowerAmp to Version 1.0.38 or later Update UniFi Play Audio Port to Version 1.1.9 or later
AnalysisAI
Critical command injection in Ubiquiti UniFi Play PowerAmp and Audio Port allows remote unauthenticated attackers to execute arbitrary commands with network access to the device management interface. Affects PowerAmp versions ≤1.0.35 and Audio Port versions ≤1.0.24. CVSS 9.8 critical severity reflects network-accessible attack with no authentication barriers. EPSS score of 0.08% (24th percentile) suggests low immediate exploitation probability despite critical scoring. Vendor-released patches av
Technical ContextAI
The vulnerability stems from improper input validation (CWE-20) in UniFi Play network audio devices, specifically the PowerAmp and Audio Port products manufactured by Ubiquiti. These are networked audio management devices designed for commercial audio distribution systems. The input validation failures allow attackers to inject operating system commands through network-accessible interfaces. Command injection vulnerabilities typically arise when user-supplied data is passed to system shells without proper sanitization, allowing metacharacters (like semicolons, pipes, or backticks) to break out of intended command contexts and execute arbitrary code. The affected CPE identifiers (cpe:2.3:a:ubiquiti_inc:unifi_play_poweramp and cpe:2.3:a:ubiquiti_inc:unifi_play_audio_port) indicate these are application-level vulnerabilities in Ubiquiti's firmware. The CVSS vector AV:N indicates these devices expose vulnerable interfaces over the network, likely through web management consoles or API endpoints common in IoT audio equipment.
RemediationAI
Organizations should immediately upgrade affected devices to patched firmware versions. Vendor-released patch: upgrade UniFi Play PowerAmp to version 1.0.38 or later, and upgrade UniFi Play Audio Port to version 1.1.9 or later. Firmware updates should be obtained from Ubiquiti's official community portal at https://community.ui.com/releases/Security-Advisory-Bulletin-063/e468dd4b-5090-4ef8-89d8-939903c08e83. As interim risk mitigation if immediate patching is not feasible, restrict network access to UniFi Play device management interfaces using firewall rules or VLANs, ensuring only trusted administrative networks can reach these devices. Disable remote management features if not operationally required. Implement network monitoring to detect unusual command execution or outbound connections from these devices. Given the PR:N attack vector, no authentication-based controls will prevent exploitation, making patching the only complete remediation.
Unauthenticated command injection in Ubiquiti UniFi OS devices allows remote attackers with network access to execute ar
Path traversal in Ubiquiti UniFi OS devices allows network-adjacent attackers to read sensitive files from the underlyin
Unauthorized system modification on Ubiquiti UniFi OS devices allows network-adjacent attackers to alter device configur
Buffer overflow in the ubnt-streamer RTSP service on the Ubiquiti UBNT AirCam with airVision firmware before 1.1.6 allow
A critical path traversal vulnerability exists in the UniFi Network Application that allows unauthenticated remote attac
A vulnerability has been found in Ubiquiti EdgeRouter X 2.0.9-hotfix.6 and classified as critical. Rated critical severi
Ubiquiti Networks UniFi Dream Machine Pro v7.2.95 allows attackers to bypass domain restrictions via crafted packets. Ra
Ubiquiti Networks UniFi 5.2.7 does not restrict access to the database, which allows remote attackers to modify the data
A vulnerability, found in EdgeRouters Version 2.0.9-hotfix.5 and earlier and UniFi Security Gateways (USG) Version 4.4.5
A weakness has been identified in Ubiquiti EdgeRouter X up to 2.0.9-hotfix.6. Rated high severity (CVSS 7.3), this vulne
A security flaw has been discovered in Ubiquiti EdgeRouter X up to 2.0.9-hotfix.6. Rated high severity (CVSS 7.3), this
A flaw has been found in Ubiquiti EdgeRouter X up to 2.0.9-hotfix.6. Rated high severity (CVSS 7.3), this vulnerability
Same weakness CWE-20 – Improper Input Validation
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22092
GHSA-6rpc-86fm-9prv