Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Network-reachable unauthenticated access-control bypass (AV:N/PR:N/UI:N) feeding OS command injection that escapes the app to the host gives S:C and full C/I/A impact.
Primary rating from Vendor (hackerone).
CVSS VectorVendor: hackerone
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
A malicious actor with access to the network could exploit an Improper Access Control vulnerability found in UniFi Connect Application to execute a Command Injection on the host device.
Articles & Coverage 1
AnalysisAI
Improper access control in Ubiquiti's UniFi Connect Application allows a network-adjacent attacker to bypass authentication and inject arbitrary operating-system commands on the underlying host, yielding full compromise (CVSS 10.0). The flaw chains an access-control weakness (CWE-284) with command injection, so an unauthenticated attacker reachable on the network can execute code with the application's privileges and pivot beyond the app boundary (scope change). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker must have network access to the UniFi Connect Application service (AV:N, network-reachable), but requires no valid credentials and no user interaction (PR:N/UI:N) because the flaw is an access-control bypass - the vulnerable function is reachable without authorization. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | This is a genuine top-priority issue, not an inflated high-CVSS score. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with access to the same network segment as the UniFi Connect Application sends a crafted request to an improperly protected endpoint, bypassing authentication and embedding shell metacharacters in a parameter that the app passes to a host command. The command executes with the service's privileges, giving the attacker a foothold to run arbitrary code, exfiltrate data, and pivot to other systems. … |
| Remediation | Upgrade UniFi Connect Application to the fixed release identified in Ubiquiti Security Advisory Bulletin 066 (https://community.ui.com/releases/Security-Advisory-Bulletin-066-066/984eceb3-49c8-4227-942d-671c289b3afc); the advisory confirms a patch is available, though an exact fixed version number is not included in the provided data, so confirm the specific build from the bulletin. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Isolate UniFi Connect Application instances from untrusted networks; review and preserve access logs for forensic analysis. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41389
GHSA-8q6j-36ff-q77x