Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Unauthenticated network path traversal (PR:N/AC:L) bypassing auth on the OS to expose managed-device resources justifies S:C and C:H, with no stated integrity or availability impact.
Primary rating from Vendor (hackerone).
CVSS VectorVendor: hackerone
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
A malicious actor with access to the network could exploit a Path Traversal vulnerability found in certain devices running UniFi OS to bypass authentication of such UniFi OS devices or instances.
AnalysisAI
Authentication bypass in Ubiquiti UniFi OS devices allows a network-adjacent attacker to abuse a path traversal flaw (CWE-22) to reach protected functionality without valid credentials, affecting a broad hardware line including Dream Machines/Routers/Wall, Cloud Gateways/Keys, Express 7, Enterprise Fortress Gateway, and the UniFi OS Server software. The CVSS 8.6 rating is driven by an unauthenticated, low-complexity network vector combined with a scope change (S:C), meaning the compromised authentication boundary exposes managed device data. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires network reachability to the UniFi OS device's management/web interface and a device running a vulnerable UniFi OS build; per the vendor, the actor needs 'access to the network' the device is on, so the practical prerequisite is a routable path to the management plane (LAN, adjacent VLAN, VPN, or internet exposure). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N) describes a genuinely low-barrier attack: remote, no authentication, no user interaction, low complexity, with a scope change and high confidentiality impact - the classic profile of a serious auth-bypass. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with reachability to a UniFi OS device's management interface - for example on the same LAN, a guest/IoT segment that can route to it, or an internet-exposed console - sends a crafted request containing traversal sequences to a path-handling endpoint. The malformed path resolves to a protected resource, letting the attacker bypass authentication and access controller data or functionality without any credentials or user interaction. … |
| Remediation | Patch available per vendor advisory: update every affected UniFi OS console and the UniFi OS Server to the fixed firmware/software build listed in Ubiquiti Security Advisory Bulletin 066 (https://community.ui.com/releases/Security-Advisory-Bulletin-066-066/984eceb3-49c8-4227-942d-671c289b3afc); exact fixed version numbers are not included in the provided data and should be taken from that advisory. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all affected Ubiquiti UniFi OS devices and implement firewall rules to restrict access to management interfaces; enable network access logging. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Unifi Os Server
View allUnauthenticated command injection in Ubiquiti UniFi OS devices allows remote attackers with network access to execute ar
Path traversal in Ubiquiti UniFi OS devices allows network-adjacent attackers to read sensitive files from the underlyin
Unauthorized system modification on Ubiquiti UniFi OS devices allows network-adjacent attackers to alter device configur
Authenticated command injection in Ubiquiti UniFi OS allows low-privileged network-adjacent attackers to execute arbitra
Privilege escalation in Ubiquiti UniFi OS allows a low-privileged attacker with network access to elevate privileges on
Command injection in Ubiquiti UniFi OS devices allows a high-privileged attacker on the network to execute arbitrary ope
Command injection in Ubiquiti UniFi OS (all builds before 5.1.19) lets a low-privileged user on the same network run arb
Privilege escalation in Ubiquiti UniFi OS allows a low-privileged, network-adjacent user to chain a series of authentica
Privilege escalation via Server-Side Request Forgery affects Ubiquiti UniFi OS devices and the UniFi OS Server across th
Information disclosure in Ubiquiti UniFi OS devices allows unauthenticated network-adjacent attackers to read sensitive
Path traversal in Ubiquiti UniFi OS devices allows authenticated low-privileged network attackers to read arbitrary file
Cross-site session abuse in Ubiquiti UniFi OS lets a remote attacker who lures an authenticated operator to a malicious
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41381
GHSA-x73q-38h3-xg4c