Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Network-reachable authenticated low-priv user (PR:L) triggers low-complexity command injection escaping the app to the host (S:C), yielding full C/I/A host compromise.
Primary rating from Vendor (hackerone).
CVSS VectorVendor: hackerone
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
A malicious actor with access to the network and low privileges could exploit an Improper Input Validation vulnerability found in UniFi Access Application to execute a Command Injection on the host device.
Articles & Coverage 1
AnalysisAI
Command injection in Ubiquiti's UniFi Access Application lets a low-privileged attacker with network reach run arbitrary OS commands on the underlying host device, escaping the application into the operating system (CVSS 9.9, scope-changed). Improper input validation (CWE-20) means attacker-supplied data reaches a shell context; there is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires network access to the UniFi Access Application and a valid low-privilege account (CVSS PR:L) - this is authenticated exploitation, not unauthenticated. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The signals point to a genuine high priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who holds a low-privileged account on the UniFi Access Application and can reach it over the network submits crafted input to a field that is improperly validated, embedding shell metacharacters that the application passes to the host command interpreter. The injected commands execute on the underlying UniFi host device, giving the attacker code execution outside the application boundary. … |
| Remediation | Patch available per vendor advisory - upgrade the UniFi Access Application to the fixed release described in Ubiquiti Security Advisory Bulletin 066 (https://community.ui.com/releases/Security-Advisory-Bulletin-066-066/984eceb3-49c8-4227-942d-671c289b3afc); the exact fixed version is not stated in the available data, so confirm the target build in that bulletin before scheduling the upgrade. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Isolate UniFi Access systems from production networks or restrict access to secure management networks only; review access logs for suspicious activity. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Unifi Access Application
View allPrivilege escalation in Ubiquiti's UniFi Access Application allows an attacker who already holds high privileges and net
Arbitrary file disclosure in Ubiquiti's UniFi Access Application allows a network-adjacent, unauthenticated attacker to
Same weakness CWE-20 – Improper Input Validation
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41384
GHSA-fp2c-q39c-97j4