Severity by source
CVSS vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H
Network-reachable but requires a low-privilege account (PR:L), and the description's "certain conditions" warrants AC:H; the impact is escalation with high integrity/availability but only low confidentiality.
Primary rating from vendor (HackerOne).
CVSS vector (vendor: HackerOne): CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H
Description (CVE.org)
A malicious actor with access to the network, low privileges, and under certain conditions could exploit an Improper Access Control vulnerability found in UniFi Network Application to escalate privileges within the UniFi Network Application.
Analysis (AI)
Privilege escalation in Ubiquiti's UniFi Network Application allows a low-privileged, authenticated user on the network to elevate their permissions within the application by abusing an Improper Access Control weakness (CWE-284). The CVSS 3.1 score of 8.3 reflects that a network-reachable actor holding limited credentials can, under certain conditions, gain high integrity and availability impact over the controller. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
|---|---|
| Exploitation | The attacker must already possess a valid low-privilege authenticated account on the UniFi Network Application (CVSS PR:L) and network reachability to its management interface (AV:N); no user interaction is needed (UI:N). … |
| Risk Assessment | The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H, score 8.3 High) indicates network-reachable exploitation by an already-authenticated low-privilege user with no user interaction, yielding high integrity and availability impact but only low confidentiality impact, consistent with an authorization escalation rather than data exfiltration. … |
| Exploit Scenario | An attacker who has been granted (or has compromised) a limited, low-privilege UniFi Network Application account authenticates to the controller over the network and invokes functionality that should be gated to full administrators, escalating to elevated control of the managed network. Because no user interaction is required and attack complexity is rated low, the action can be performed directly through the management interface once the required conditions are met. … |
| Remediation | Upgrade the UniFi Network Application to the fixed release identified in Ubiquiti Security Advisory Bulletin 066 (https://community.ui.com/releases/Security-Advisory-Bulletin-066-066/984eceb3-49c8-4227-942d-671c289b3afc); the exact patched version number was not included in the provided data and should be confirmed directly from that advisory. … |
Recommended Action (AI)
24 hours: Restrict network access to UniFi controllers to authorized personnel only; implement network segmentation around management interfaces. …
Related identifiers: EUVD-2026-41397, GHSA-f3pc-vh4r-hxxh