Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Network-reachable SQLi needs a low-privilege account (PR:L) and no user interaction (AC:L/UI:N); host privilege escalation yields high C/I/A on the same appliance (S:U).
Primary rating from Vendor (hackerone).
CVSS Vector (Vendor: hackerone)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Description (CVE.org)
A malicious actor with access to the network and low privileges could exploit an authenticated SQL Injection vulnerability found in UniFi Protect Application to escalate privileges on the host device.
Analysis (AI)
Privilege escalation in Ubiquiti's UniFi Protect Application is possible through an authenticated SQL injection (CWE-89) reachable by a low-privileged user with network access, letting that attacker escalate privileges on the underlying host device with full confidentiality, integrity, and availability impact. The flaw was reported through HackerOne and disclosed in Ubiquiti Security Advisory Bulletin 066; no public exploit had been identified at the time of analysis, and the issue is not listed in CISA KEV. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
|---|---|
| Exploitation | Exploitation requires an authenticated low-privileged account on the UniFi Protect Application (CVSS PR:L) with network reachability to the Protect interface (AV:N); no user interaction is required (UI:N) and attack complexity is low (AC:L). … |
| Risk Assessment | The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (8.8, High) indicates a network-reachable, low-complexity attack requiring only low privileges and no user interaction, with high impact across all three security properties - a strong signal for prioritization. … |
| Exploit Scenario | An attacker who has obtained a low-privileged UniFi Protect account (for example a viewer credential that was phished, reused, or shared) sends crafted input to a vulnerable Protect endpoint over the network, injecting SQL that manipulates the backend query. Because the database runs on the appliance with elevated context, the attacker leverages the injection to escalate to host-level privileges on the UniFi console/NVR. … |
| Remediation | Patch available per vendor advisory: upgrade the UniFi Protect Application to the fixed version documented in Ubiquiti Security Advisory Bulletin 066 (https://community.ui.com/releases/Security-Advisory-Bulletin-066-066/984eceb3-49c8-4227-942d-671c289b3afc); the exact fixed version is not stated here, so confirm the target build directly from that advisory before scheduling. … |
Recommended Action (AI)
Within 24 hours: Conduct asset discovery to identify all UniFi Protect instances and assess network exposure; implement network segmentation to restrict administrative access to trusted management networks. …
EUVD-2026-41399
GHSA-472v-99p9-6699