Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Primary rating from Vendor (hackerone) · only source for this CVE.
CVSS VectorVendor: hackerone
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
A malicious actor with access to the network could exploit an Improper Input Validation vulnerability found in UniFi OS devices to execute a Command Injection.
AnalysisAI
Unauthenticated command injection in Ubiquiti UniFi OS devices allows remote attackers with network access to execute arbitrary operating system commands by sending crafted input that bypasses validation. The flaw carries a maximum CVSS 10.0 score with scope change (S:C) impacting confidentiality, integrity, and availability, and affects a broad fleet of UniFi gateways, NVRs, NAS units, and Cloud Keys. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Technical ContextAI
UniFi OS is the integrated operating environment Ubiquiti ships on its Dream Machine (UDM/UDM-Pro/UDM-SE/UDM-Pro-Max/UDM-Beast), Express, Cloud Gateway (UCG Ultra/Max/Fiber/Industrial), Cloud Key (UCK/UCKP/UCK Enterprise), Network Video Recorder (UNVR family, ENVR) and UNAS storage platforms, providing the web UI, controller services, and system APIs that front-end network and camera management. The root cause is CWE-20 Improper Input Validation: a parameter consumed by a backend handler is passed into a shell or command-executing routine without sufficient sanitization, allowing attacker-controlled metacharacters to be interpreted as command syntax. CVSS scope change (S:C) indicates that successful exploitation breaks out of the vulnerable component's security authority - typical for shell injection on an embedded appliance where the web service can reach the underlying root-capable OS.
RemediationAI
Patch available per vendor advisory - apply the UniFi OS firmware updates listed in Ubiquiti Security Advisory Bulletin 064 (https://community.ui.com/releases/Security-Advisory-Bulletin-064-064/84811c09-4cf4-42ab-bd61-cc994445963b) for each affected device family as soon as possible; exact patched version numbers are not present in the supplied input data and should be read directly from the bulletin. Until firmware is applied, restrict reachability of the UniFi OS management interface (HTTPS web UI and any related API ports) to a dedicated management VLAN or jump host, and remove any port-forwarding or WAN exposure of the UniFi OS administration endpoint; this removes the network attack surface but breaks remote admin workflows that rely on direct device access (remote management via Ubiquiti's UI cloud proxy is unaffected). As an additional control, disable or block any unused services on the appliance and monitor authentication and command-execution logs for unexpected shell activity. Do not rely on credentials as a mitigation since the CVSS vector indicates PR:N (unauthenticated).
More in Unifi Os Server
View allPath traversal in Ubiquiti UniFi OS devices allows network-adjacent attackers to read sensitive files from the underlyin
Unauthorized system modification on Ubiquiti UniFi OS devices allows network-adjacent attackers to alter device configur
Authenticated command injection in Ubiquiti UniFi OS allows low-privileged network-adjacent attackers to execute arbitra
Privilege escalation in Ubiquiti UniFi OS allows a low-privileged attacker with network access to elevate privileges on
Command injection in Ubiquiti UniFi OS devices allows a high-privileged attacker on the network to execute arbitrary ope
Command injection in Ubiquiti UniFi OS (all builds before 5.1.19) lets a low-privileged user on the same network run arb
Privilege escalation in Ubiquiti UniFi OS allows a low-privileged, network-adjacent user to chain a series of authentica
Privilege escalation via Server-Side Request Forgery affects Ubiquiti UniFi OS devices and the UniFi OS Server across th
Authentication bypass in Ubiquiti UniFi OS devices allows a network-adjacent attacker to abuse a path traversal flaw (CW
Information disclosure in Ubiquiti UniFi OS devices allows unauthenticated network-adjacent attackers to read sensitive
Path traversal in Ubiquiti UniFi OS devices allows authenticated low-privileged network attackers to read arbitrary file
Cross-site session abuse in Ubiquiti UniFi OS lets a remote attacker who lures an authenticated operator to a malicious
Same weakness CWE-20 – Improper Input Validation
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31382
GHSA-fvgm-jgwh-qwx7