Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Management interface is network-reachable (AV:N), exploitation is straightforward (AC:L), a low-privileged UniFi account is required (PR:L), and escalation to full device admin crosses a security boundary (S:C, C/I/A:H).
Primary rating from Vendor (hackerone).
CVSS Vector (Vendor: hackerone): CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Description (CVE.org)
A malicious actor with access to the network and low privileges could exploit an Improper Input Validation vulnerability found in certain devices running UniFi OS to escalate privileges within such UniFi OS devices or instances.
Analysis (AI)
Privilege escalation in Ubiquiti UniFi OS allows a low-privileged attacker with network access to elevate privileges on affected UniFi OS devices and instances due to improper input validation (CWE-20). The CVSS 9.9 score reflects a scope-changing impact spanning UniFi Dream Machine, UniFi Express, UDR, UCG, UNVR, UNAS, and other UniFi OS Server platforms. …
Vulnerability Assessment (AI)
| Area | Assessment |
|---|---|
| Exploitation | The attacker must have network reachability to the UniFi OS management interface (web UI or API) of an affected device (UDM family, UCG family, UDR, UNVR, UNAS, UCK, Express, EFG, UDW, or a UniFi OS Server instance) and must hold valid credentials for a low-privileged UniFi account (PR:L), such as a site operator, read-only admin, or limited tenant role. … |
| Risk Assessment | Signals are mixed but lean toward elevated risk. … |
| Exploit Scenario | A contractor or branch-office operator with a low-tier UniFi role (e.g., site viewer or limited admin) authenticates to the UniFi OS web/API interface and submits a crafted request to an endpoint that fails to validate input, causing the privileged backend service to perform an action under elevated authority and granting the attacker super-admin control over the gateway. From there the attacker pivots: rewriting firewall and VLAN rules, mirroring traffic, planting persistence on the gateway/NVR, and using the device as a launchpad into the internal network. … |
| Remediation | A patch is available per the vendor advisory: apply the firmware/UniFi OS updates listed in Ubiquiti Security Advisory Bulletin 065 (https://community.ui.com/releases/Security-Advisory-Bulletin-065-065/aa46a22b-fc43-4eae-9382-6fc8feda967a) to every affected gateway, NVR, NAS, Cloud Key, Express, and UniFi OS Server instance in the environment. The specific fixed version numbers are not listed here and should be taken directly from that bulletin. … |
Recommended Action (AI)
Within 24 hours: Audit your network to identify all UniFi OS instances (Dream Machine, Express, UDR, UCG, UNVR, UNAS) and document their current network exposure and administrative access controls. …
EUVD-2026-36383
GHSA-h6vq-x5fv-h7q3