Skip to main content

UniFi OS CVE-2026-48610

| EUVD-2026-36378 HIGH
Improper Access Control (CWE-284)
2026-06-12 hackerone GHSA-x48g-g9fg-6pfc
Authentication Bypass Ubiquiti Udm Udm Pro Udm Se Udm Pro Max Udm Beast Efg Udw Udr Udr7 Udr 5G Express 7 Ucg Ultra Ucg Max Ucg Fiber Ucg Industrial
8.1
CVSS 3.1 · Vendor: hackerone
Share

Severity by source

Vendor (hackerone) PRIMARY
8.1 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.7 HIGH

Network-reachable and unauthenticated (AV:N/PR:N) but only exploitable under specific non-default network configurations (AC:H); unauthorized config changes yield high integrity/availability but limited direct data disclosure (C:L).

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (hackerone).

CVSS VectorVendor: hackerone

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Patch available
Jun 12, 2026 - 05:01 EUVD
Analysis Generated
Jun 12, 2026 - 03:45 vuln.today

DescriptionCVE.org

Under certain network configurations, a malicious actor with access to network could exploit an Improper Access Control vulnerability found in certain devices running UniFi OS to make unauthorized changes to such UniFi OS devices.

Articles & Coverage 1

News 4 New Ubiquiti Vulnerabilities - 2 Critical, 2 High Severity Jun 13, 2026

AnalysisAI

Improper access control in Ubiquiti UniFi OS allows network-adjacent attackers to make unauthorized configuration changes to UniFi Dream Machine, Cloud Gateway, and Express gateway devices under certain network configurations. The flaw, scored CVSS 8.1 with full CIA impact, requires no authentication (PR:N) but has high attack complexity (AC:H), and no public exploit identified at time of analysis. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Gain foothold on reachable network segment
Delivery
Discover UniFi gateway and fingerprint configuration
Exploit
Send crafted request to access-control-flawed interface
Execution
Bypass authorization check
Persist
Push unauthorized configuration change
Impact
Pivot or persist via altered firewall/routing rules
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Requires the attacker to have network reachability to a vulnerable UniFi OS gateway (UDM/UDR/UDW/EFG/UCG/Express family) AND for that gateway to be running 'certain network configurations' as stated by Ubiquiti - the specific triggering configuration is not disclosed in the advisory text supplied, which is itself a limiting factor and a data gap. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H yields 8.1 (High) - full impact with no authentication required, but AC:H signals that successful exploitation depends on a non-default condition (the description's 'under certain network configurations'). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained a foothold on a network segment that can reach a vulnerable UniFi gateway - for example, via a compromised guest-VLAN device, a rogue IoT endpoint, or a malicious insider on the LAN - sends crafted traffic to the device's management or control-plane service and, because access control is improperly enforced, applies unauthorized configuration changes (e.g., disabling firewall rules, adding port forwards, or pushing rogue settings) without ever authenticating. No public exploit is identified at time of analysis, and the AC:H rating implies the attacker must first identify or induce the specific vulnerable network configuration before the request succeeds.
Remediation Patch available per vendor advisory - apply the UniFi OS firmware update referenced in Ubiquiti Security Advisory Bulletin 065 (https://community.ui.com/releases/Security-Advisory-Bulletin-065-065/aa46a22b-fc43-4eae-9382-6fc8feda967a) to every affected UDM, UDR, UDW, EFG, Express, and UCG model in the fleet; exact fix version per device family is not reproduced in the supplied data and should be taken from the bulletin. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Inventory all UniFi OS devices in production and segment management interfaces to trusted networks only using VLANs and access control lists. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-47370 CRITICAL
9.9 Jun 12

Authenticated command injection in Ubiquiti UniFi OS allows low-privileged network-adjacent attackers to execute arbitra
CVE-2026-47369 CRITICAL
9.9 Jun 12

Privilege escalation in Ubiquiti UniFi OS allows a low-privileged attacker with network access to elevate privileges on

CVE-2026-47368 HIGH
8.6 Jun 12

Information disclosure in Ubiquiti UniFi OS devices allows unauthenticated network-adjacent attackers to read sensitive

Share

CVE-2026-48610 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy