Severity by source

Primary rating from Vendor (hackerone): CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Network-reachable SSRF exploitable by a low-privilege account (PR:L) with no user interaction (UI:N), escalating across a scope boundary (S:C) to full host compromise, giving C:H/I:H/A:H.
Description (CVE.org)
A malicious actor with access to the network and low privileges could exploit a Server-Side Request Forgery (SSRF) in UniFi Protect Application to escalate privileges on the host device.
Analysis (AI)
Privilege escalation via Server-Side Request Forgery in Ubiquiti's UniFi Protect Application allows a low-privileged, network-adjacent attacker to coerce the application into making attacker-controlled requests and escalate to control of the host device. The CVSS 9.9 rating is driven by a scope change (S:C) plus full confidentiality, integrity, and availability impact, meaning the SSRF crosses a security boundary from the application into the underlying host. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
|---|---|
| Exploitation | Exploitation requires network access to the UniFi Protect Application's management interface and an authenticated low-privilege account (CVSS PR:L), so this is not an unauthenticated remote flaw: the attacker must first hold or obtain a limited Protect user login. … |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H = 9.9) presents a high-priority profile: network-reachable, low attack complexity, only low privileges required, no user interaction, and a scope change yielding full host compromise. … |
| Exploit Scenario | An attacker who has obtained a low-privileged UniFi Protect account (for example a limited operator login) sends a crafted request that causes the Protect application to issue a server-side request to an internal or local privileged endpoint on the host. By steering that request, the attacker abuses the scope change to reach services running with higher privilege and escalates to control of the underlying device. … |
| Remediation | Apply the update referenced in Ubiquiti Security Advisory Bulletin 066 (https://community.ui.com/releases/Security-Advisory-Bulletin-066-066/984eceb3-49c8-4227-942d-671c289b3afc). The vendor advisory indicates a patch is available, but the exact fixed version is not stated in the available data, so verify and install the version named in that bulletin. … |
Recommended Action (AI)
Within 24 hours: Isolate UniFi Protect systems to a restricted network segment with firewall rules limiting access; enforce multi-factor authentication and least-privilege access controls; enable comprehensive audit logging of all user activity and configuration changes. …
Weakness: CWE-918 – Server-Side Request Forgery (SSRF)
Related identifiers: EUVD-2026-41398, GHSA-9prq-fx52-ppcv