Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Network-reachable management interface (AV:N) with low complexity and no user interaction, but requires a low-privilege authenticated account (PR:L); command execution on the host yields total C/I/A impact.
Primary rating from Vendor (hackerone).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
7DescriptionNVD
A malicious actor with access to the network and low privileges could exploit an Improper Input Validation vulnerability found in UniFi OS to execute a Command Injection on the host device.
Articles & Coverage 1
AnalysisAI
Command injection in Ubiquiti UniFi OS (all builds before 5.1.19) lets a low-privileged user on the same network run arbitrary operating-system commands on the underlying host device, giving full control of gateways, recorders, and Cloud Keys. The flaw stems from improper input validation (CWE-20) and carries high confidentiality, integrity, and availability impact (CVSS 8.8). …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires (1) network reachability to the affected UniFi OS device's management surface and (2) a valid low-privilege authenticated account on that device - the CVSS vector's PR:L confirms authentication is needed, and the description explicitly states 'low privileges.' No user interaction and no special non-default feature toggle is documented as required (UI:N), so any UniFi OS build before 5.1.19 with a reachable management interface is exploitable by an authenticated low-privilege actor. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The signals are moderately consistent but not alarming. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has obtained a low-privileged UniFi account - for example a limited operator login or reused/leaked credentials - and can reach the device's management interface over the network submits a crafted value into a vulnerable input field that is passed to a host command. The injected shell payload executes on the UniFi OS host, giving the attacker command execution as the appliance's service context and a path to full device takeover. … |
| Remediation | Vendor-released patch: UniFi OS 5.1.19. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all UniFi deployments and confirm current OS versions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Unifi Os Server
View allUnauthenticated command injection in Ubiquiti UniFi OS devices allows remote attackers with network access to execute ar
Path traversal in Ubiquiti UniFi OS devices allows network-adjacent attackers to read sensitive files from the underlyin
Unauthorized system modification on Ubiquiti UniFi OS devices allows network-adjacent attackers to alter device configur
Authenticated command injection in Ubiquiti UniFi OS allows low-privileged network-adjacent attackers to execute arbitra
Privilege escalation in Ubiquiti UniFi OS allows a low-privileged attacker with network access to elevate privileges on
Command injection in Ubiquiti UniFi OS devices allows a high-privileged attacker on the network to execute arbitrary ope
Privilege escalation in Ubiquiti UniFi OS allows a low-privileged, network-adjacent user to chain a series of authentica
Privilege escalation via Server-Side Request Forgery affects Ubiquiti UniFi OS devices and the UniFi OS Server across th
Authentication bypass in Ubiquiti UniFi OS devices allows a network-adjacent attacker to abuse a path traversal flaw (CW
Information disclosure in Ubiquiti UniFi OS devices allows unauthenticated network-adjacent attackers to read sensitive
Path traversal in Ubiquiti UniFi OS devices allows authenticated low-privileged network attackers to read arbitrary file
Cross-site session abuse in Ubiquiti UniFi OS lets a remote attacker who lures an authenticated operator to a malicious
Same weakness CWE-20 – Improper Input Validation
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41391
GHSA-ghgx-h467-6r25