Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Primary rating from Vendor (hackerone) · only source for this CVE.
CVSS VectorVendor: hackerone
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
A malicious actor with access to the network could exploit a Path Traversal vulnerability found in UniFi OS devices to access files on the underlying system that could be manipulated to access an underlying account.
AnalysisAI
Path traversal in Ubiquiti UniFi OS devices allows network-adjacent attackers to read sensitive files from the underlying system, which can then be leveraged to take over an underlying account. The flaw carries a maximum CVSS 10.0 score reflecting unauthenticated network exploitation with scope change and full confidentiality, integrity, and availability impact across a broad fleet of UniFi gateways, cameras, NVRs, and NAS appliances. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Technical ContextAI
The vulnerability is a CWE-22 Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) issue in UniFi OS, the Linux-based operating system that runs on Ubiquiti's UniFi gateways and appliances. Path traversal occurs when user-supplied input is concatenated into filesystem paths without canonicalization, allowing sequences such as '../' to escape the intended directory and reach arbitrary files outside the web/application root. Affected platforms identified by CPE include the UniFi OS Server and Dream Machine line (UDM, UDM Pro, UDM SE, UDM Pro Max, UDM Beast), Express/Fiber Gateway (EFG), UDW, UDR/UDR7, and per the advisory tags also Express 7, UNVR family, Envr/Envr Core, UNAS family, Cloud Key (UCKP, UCK, UCK Enterprise) and Cloud Gateway (UCG Ultra/Max/Fiber/Industrial) devices, all running the UniFi OS stack.
RemediationAI
Patch available per vendor advisory - apply the firmware updates listed in Ubiquiti Security Advisory Bulletin 064 (https://community.ui.com/releases/Security-Advisory-Bulletin-064-064/84811c09-4cf4-42ab-bd61-cc994445963b) for each affected UniFi OS device class as soon as the vendor-supplied build is available for your hardware; exact patched version numbers are not provided in the input data and should be read directly from the advisory. As a compensating control until devices are updated, restrict reachability of the UniFi OS management interface to a dedicated management VLAN or trusted jump host and ensure remote/WAN access (including any port-forwards or UI Remote-style exposure) is disabled, since the description explicitly requires network access to the device; firewalling the management ports has the side effect of breaking remote administration and any integrations that rely on direct API access, so plan for an out-of-band management path. Auditing UniFi OS local accounts and rotating credentials after patching is prudent because the advisory states the file-read primitive can be escalated to take over an underlying account.
More in Unifi Os Server
View allUnauthenticated command injection in Ubiquiti UniFi OS devices allows remote attackers with network access to execute ar
Unauthorized system modification on Ubiquiti UniFi OS devices allows network-adjacent attackers to alter device configur
Authenticated command injection in Ubiquiti UniFi OS allows low-privileged network-adjacent attackers to execute arbitra
Privilege escalation in Ubiquiti UniFi OS allows a low-privileged attacker with network access to elevate privileges on
Command injection in Ubiquiti UniFi OS devices allows a high-privileged attacker on the network to execute arbitrary ope
Command injection in Ubiquiti UniFi OS (all builds before 5.1.19) lets a low-privileged user on the same network run arb
Privilege escalation in Ubiquiti UniFi OS allows a low-privileged, network-adjacent user to chain a series of authentica
Privilege escalation via Server-Side Request Forgery affects Ubiquiti UniFi OS devices and the UniFi OS Server across th
Authentication bypass in Ubiquiti UniFi OS devices allows a network-adjacent attacker to abuse a path traversal flaw (CW
Information disclosure in Ubiquiti UniFi OS devices allows unauthenticated network-adjacent attackers to read sensitive
Path traversal in Ubiquiti UniFi OS devices allows authenticated low-privileged network attackers to read arbitrary file
Cross-site session abuse in Ubiquiti UniFi OS lets a remote attacker who lures an authenticated operator to a malicious
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31384
GHSA-95fp-244g-g3vr