Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Management plane is network-reachable (AV:N), exploitation is reliable once authenticated (AC:L), a low-privileged UniFi account is required (PR:L), no user interaction, and command execution on UniFi OS pivots to subordinate services (S:C) with full CIA impact.
Primary rating from Vendor (hackerone).
CVSS Vector (Vendor: hackerone)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
Description (CVE.org)
A malicious actor with access to the network and low privileges could exploit an Improper Input Validation vulnerability found in certain devices running UniFi OS to execute a Command Injection within such UniFi OS devices or instances.
Analysis (AI)
Authenticated command injection in Ubiquiti UniFi OS allows low-privileged network-adjacent attackers to execute arbitrary OS commands on UniFi gateways, controllers, NVRs, and NAS devices, with a CVSS 9.9 score reflecting scope change and full CIA impact. The vulnerability affects a broad device family including UDM, UDM Pro/SE/Max/Beast, UDR, UDW, UCG, UNVR, and UNAS lines per Ubiquiti Security Advisory Bulletin 065. …
Vulnerability Assessment (AI)
| Exploitation | Attacker must have network reachability to the UniFi OS management plane (UI/API on the affected console, server, NVR, NAS, Cloud Key, or Cloud Gateway) and must hold valid low-privileged credentials on that UniFi instance (PR:L); exploitation is not possible fully unauthenticated from the internet against a default-locked-down deployment. … |
| Risk Assessment | Signals are largely aligned toward high priority: CVSS 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) indicates a network-reachable, low-complexity attack requiring only low privileges and no user interaction, with scope change and total impact on the device. … |
| Exploit Scenario | An attacker who has obtained or been granted a low-privileged UniFi operator account (for example a site viewer, guest WiFi manager, or contractor login) reaches the UniFi OS management interface on the LAN, VPN, or an exposed remote-access endpoint and submits a crafted parameter to an API or settings field that is passed unsanitized into a shell invocation. Shell metacharacters in the payload break out of the intended command, executing arbitrary code as the management service account on the UniFi OS device and, due to scope change, pivoting to control subordinate services such as routing, firewall rules, or NVR storage. |
| Remediation | Patch available per vendor advisory: update each affected UniFi OS console, server, NVR, NAS, and Cloud Gateway/Cloud Key device to the fixed UniFi OS firmware listed in Ubiquiti Security Advisory Bulletin 065 at https://community.ui.com/releases/Security-Advisory-Bulletin-065-065/aa46a22b-fc43-4eae-9382-6fc8feda967a; exact patched version numbers should be taken from that advisory. … |
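The pattern the exploit scenario describes (a request parameter interpolated into a shell command line) next to its hardened form, plus a small log-review helper for spotting such parameters, as an added Python example. This is illustrative code written for this page, not UniFi OS code: the `target` field, the `ping` wrapper and the `/api/tools/ping` path in the constructed log lines are assumptions chosen to make the pattern concrete, and nothing here runs the unsafe command.

```python
import re
import shlex
import subprocess
from typing import List, Tuple

# Positive allowlist for a hostname / IPv4-literal field (constructed for this
# example; a real product would use its own field-specific grammar).
HOST_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)

# Characters a POSIX shell interprets; their presence in a parameter that should
# be a plain hostname is a strong review signal.
SHELL_META = ";|&$`<>(){}\n\\'\"*?[]~!#"

# Constructed request log lines (hypothetical endpoint and user names).
SAMPLE_LOG = [
    "2026-01-01T10:00:01Z api POST /api/tools/ping user=viewer1 target=192.0.2.10",
    "2026-01-01T10:00:07Z api POST /api/tools/ping user=viewer1 target=192.0.2.10;id",
    "2026-01-01T10:00:09Z api POST /api/tools/ping user=viewer1 target=$(id)",
]


def build_command_unsafe(target: str) -> str:
    """The anti-pattern: user input interpolated into a string that would be
    handed to a shell (subprocess with shell=True, os.system, popen).
    Returned as a string only; this example never executes it."""
    return f"ping -c 1 {target}"


def shell_would_split(command: str) -> int:
    """How many separate commands a POSIX shell would see in the string.
    Anything above 1 means the parameter escaped its intended argument slot."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    return 1 + sum(1 for tok in lexer if tok in (";", "|", "||", "&&", "&"))


def validate_host(target: str) -> bool:
    """Accept only syntactically valid hostnames / IPv4 literals (allowlist,
    not a denylist of bad characters)."""
    return bool(HOST_RE.match(target))


def build_command_safe(target: str) -> List[str]:
    """Hardened form: validate first, then build an argv list. With a list and
    shell=False there is no shell to interpret metacharacters, so the value can
    only ever be one literal argument."""
    if not validate_host(target):
        raise ValueError(f"rejected target: {target!r}")
    return ["ping", "-c", "1", target]


def run_safe(target: str) -> int:
    """Execute the validated argv without a shell and return the exit code."""
    argv = build_command_safe(target)
    return subprocess.run(argv, shell=False, check=False, capture_output=True).returncode


def flag_suspicious_params(log_lines: List[str]) -> List[Tuple[int, str]]:
    """Detection aid: (line number, value) for every target= parameter that
    carries shell metacharacters. Log layout follows SAMPLE_LOG above."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = re.search(r"target=(\S+)", line)
        if m and any(c in SHELL_META for c in m.group(1)):
            hits.append((n, m.group(1)))
    return hits


if __name__ == "__main__":
    bad = "192.0.2.10;id"
    print("unsafe string:", build_command_unsafe(bad),
          "-> shell commands:", shell_would_split(build_command_unsafe(bad)))
    print("validated:", validate_host(bad), "| argv:", build_command_safe("192.0.2.10"))
    print("flagged log lines:", flag_suspicious_params(SAMPLE_LOG))
```

The fix is the combination, not either half alone: the allowlist rejects values that are not hostnames at all, and the argv list removes the shell so that a validator bug cannot turn into command execution. The log helper is only a triage aid for reviewing management-plane request logs on a device that has not yet received the advisory's fixed firmware.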
Recommended Action (AI)
Within 24 hours: Inventory all affected devices per Ubiquiti Security Advisory 065 (UDM, UDM Pro/SE/Max/Beast, UDR, UDW, UCG, UNVR, UNAS), disable remote administrative access from untrusted network segments, implement network segmentation isolating devices to a dedicated admin VLAN. …
External POC / Exploit Code
EUVD-2026-36384
GHSA-m7hq-4j28-748g