Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Primary rating from Vendor (hackerone) · only source for this CVE.
CVSS VectorVendor: hackerone
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
A malicious actor with access to the network could exploit an Improper Access Control vulnerability found in UniFi OS devices to make unauthorized changes to the system.
Articles & Coverage 1
AnalysisAI
Unauthorized system modification on Ubiquiti UniFi OS devices allows network-adjacent attackers to alter device configuration without authentication, affecting a broad range of UniFi gateways, dream machines, NVRs, NAS units, and cloud keys. The maximum CVSS 10.0 score reflects network-reachable, unauthenticated exploitation with scope change and full confidentiality, integrity, and availability impact; no public exploit identified at time of analysis, but the authentication bypass nature elevates urgency for any UniFi management plane exposed beyond trusted segments.
Technical ContextAI
UniFi OS is Ubiquiti's unified operating system that runs on the UDM (Dream Machine) line, UDR routers, UCG cloud gateways, UCK/UCKP cloud keys, UNVR network video recorders, UNAS storage appliances, and the EFG/UDW edge platforms. The flaw is classified as CWE-284 (Improper Access Control), meaning authorization checks for privileged system-modifying operations are missing or bypassable. The CVSS scope change (S:C) signals that exploitation crosses a trust boundary - the affected component can influence resources beyond its own security authority, which on a converged network appliance like UniFi OS typically means routing, firewall, VPN, or camera/storage subsystems controlled by the same management plane.
RemediationAI
Patch available per vendor advisory - consult Ubiquiti Security Advisory Bulletin 064 at https://community.ui.com/releases/Security-Advisory-Bulletin-064-064/84811c09-4cf4-42ab-bd61-cc994445963b for the exact fixed UniFi OS firmware version for each device model, as the input does not enumerate fix versions. Until firmware can be applied, restrict the UniFi OS management interface (typically TCP 443 and 8443) to a dedicated management VLAN or VPN, and ensure WAN-side management is disabled - note that disabling remote access will break Ubiquiti's UI.com cloud SSO workflow for off-network admins. As a compensating control, place the controller behind a firewall rule that allows only known admin IPs to reach the web UI; this does not prevent lateral movement from a compromised internal host but eliminates external exposure.
More in Unifi Os Server
View allUnauthenticated command injection in Ubiquiti UniFi OS devices allows remote attackers with network access to execute ar
Path traversal in Ubiquiti UniFi OS devices allows network-adjacent attackers to read sensitive files from the underlyin
Authenticated command injection in Ubiquiti UniFi OS allows low-privileged network-adjacent attackers to execute arbitra
Privilege escalation in Ubiquiti UniFi OS allows a low-privileged attacker with network access to elevate privileges on
Command injection in Ubiquiti UniFi OS devices allows a high-privileged attacker on the network to execute arbitrary ope
Command injection in Ubiquiti UniFi OS (all builds before 5.1.19) lets a low-privileged user on the same network run arb
Privilege escalation in Ubiquiti UniFi OS allows a low-privileged, network-adjacent user to chain a series of authentica
Privilege escalation via Server-Side Request Forgery affects Ubiquiti UniFi OS devices and the UniFi OS Server across th
Authentication bypass in Ubiquiti UniFi OS devices allows a network-adjacent attacker to abuse a path traversal flaw (CW
Information disclosure in Ubiquiti UniFi OS devices allows unauthenticated network-adjacent attackers to read sensitive
Path traversal in Ubiquiti UniFi OS devices allows authenticated low-privileged network attackers to read arbitrary file
Cross-site session abuse in Ubiquiti UniFi OS lets a remote attacker who lures an authenticated operator to a malicious
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31383
GHSA-p8c5-xwrc-584f