Severity by source
Primary rating from vendor (hackerone).
CVSS vector (vendor: hackerone): CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H
Network-reachable and low-complexity, but requires high application privileges (PR:H); the path traversal escapes the application to write on the host (S:C), yielding I:H/A:H with no confidentiality impact (C:N).
Description (CVE.org)
A malicious actor with access to the network and high privileges could exploit a Path Traversal vulnerability found in self-hosted instances of UniFi Network Application to escalate write permission on the host device.
Analysis (AI)
Privilege escalation via path traversal in self-hosted UniFi Network Application (Ubiquiti's controller software) allows an authenticated, high-privileged attacker with network access to write files outside intended directories and escalate write permissions on the underlying host. The CVSS 3.1 base score is 8.7 with a scope change, reflecting that the flaw lets the application's write capability break out to affect the host system beyond the application's security boundary. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Exploitation requires a self-hosted instance of UniFi Network Application (Ubiquiti-managed/cloud instances are not in scope) and an attacker who already holds high privileges (PR:H) within the application plus network reachability to it (AV:N). … |
| Risk Assessment | The CVSS vector (AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H, score 8.7) indicates a network-reachable, low-complexity attack that nonetheless requires high privileges (PR:H), meaning the attacker must already hold an administrative/high-privilege foothold in the application. … |
| Exploit Scenario | An attacker who has obtained high-privilege (administrative) access to a self-hosted UniFi Network Application, for example via stolen operator credentials or a malicious insider, sends a crafted request whose file path contains directory-traversal sequences. Because the controller process can write to the host, the traversal directs a write operation to an arbitrary host location, letting the attacker modify or plant files and escalate control over the underlying host device. … |
| Remediation | Patch available per vendor advisory: upgrade the self-hosted UniFi Network Application to the fixed build identified in Ubiquiti Security Advisory Bulletin 066 (https://community.ui.com/releases/Security-Advisory-Bulletin-066-066/984eceb3-49c8-4227-942d-671c289b3afc); an exact patched version number is not included in the provided data and should be taken directly from that advisory. … |
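Added example (not code from the page, from Ubiquiti or from the advisory): the kind of containment check that stops a write like the one in the exploit scenario above, plus a log scan that flags requests carrying traversal sequences, including percent- and double-encoded ones. The base directory, endpoint name and log lines are constructed for illustration.

```python
import posixpath
from urllib.parse import unquote

# Constructed base directory; the controller's real data path is not on this page.
BASE_DIR = "/opt/unifi/data"

def decode_fully(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding so %252e%252e is caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def resolve_within_base(user_path, base=BASE_DIR):
    """Return the canonical target path if it stays under `base`, else None."""
    decoded = decode_fully(user_path)
    if "\x00" in decoded:  # a NUL byte can truncate the path in native APIs
        return None
    # Strip a leading slash so an absolute path cannot replace the base, then
    # collapse '.' and '..' lexically; on a live host also apply os.path.realpath
    # to the result so symlinks cannot redirect the write.
    candidate = posixpath.normpath(posixpath.join(base, decoded.lstrip("/")))
    base_norm = posixpath.normpath(base)
    if candidate == base_norm or candidate.startswith(base_norm + "/"):
        return candidate
    return None

def flag_traversal_requests(log_lines):
    """Return (line, decoded path) for requests whose target escapes BASE_DIR."""
    hits = []
    for line in log_lines:
        parts = line.split("file=", 1)  # constructed format: METHOD PATH STATUS
        if len(parts) != 2:
            continue
        value = parts[1].split()[0]
        if resolve_within_base(value) is None:
            hits.append((line, decode_fully(value)))
    return hits

# Constructed access-log lines; the endpoint name is invented, not UniFi's API.
SAMPLE_LOG = [
    "PUT /api/backup?file=backups/site.unf 200",
    "PUT /api/backup?file=..%2f..%2f..%2fetc%2fhosts 200",
    "PUT /api/backup?file=%252e%252e%252fconfig%252fsystem.properties 200",
    "GET /api/status 200",
]
```

Running `flag_traversal_requests(SAMPLE_LOG)` returns the two encoded traversal requests with their decoded paths; the legitimate backup write and the unrelated status request are not flagged.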
Recommended Action (AI)
Within 24 hours: Inventory all self-hosted UniFi Network Application deployments and audit high-privilege user accounts and access permissions. …
Weakness: CWE-22 – Path Traversal
EUVD-2026-41385
GHSA-h9fm-m325-j8cf