Dream Wall
Monthly
Unauthorized configuration changes on Ubiquiti UniFi OS gateway devices (Dream Machines, Dream Routers, Cloud Gateways, Enterprise Firewall Core, Enterprise Fortress Gateway, Dream Wall and Express 7) are possible through an improper access control flaw that, under certain network configurations, lets a network-adjacent attacker alter device settings without proper authorization. Ubiquiti has released version 5.1.19 to fix the issue via Security Advisory Bulletin 066. There is no public exploit identified at time of analysis, EPSS probability is low (0.22%), and CISA SSVC records exploitation status as none, but the total technical impact and 9.8 CVSS rating make this a high-priority patch for exposed gateways.
Privilege escalation in UniFi OS running the UniFi Protect Application (versions below 5.1.19) allows a network-adjacent, low-privileged attacker to gain control of the underlying host device via improper access control. Affected hardware spans Ubiquiti's Dream Machines, Dream Wall, Dream Routers, Cloud Keys, Cloud Gateways, and Network/Enterprise Video Recorders. No public exploit identified at time of analysis; EPSS is low (0.19%) and CISA SSVC records no known exploitation, but the total technical impact and 8.8 CVSS make it a meaningful patch priority.
Privilege escalation via Server-Side Request Forgery affects Ubiquiti UniFi OS devices and the UniFi OS Server across the Dream Machine, Dream Router, Cloud Gateway, Cloud Key, Enterprise Fortress/Firewall, and NVR/EVR product lines running versions below 5.1.19. A low-privileged user with network access can coerce the device into making attacker-controlled internal requests, leveraging the SSRF to reach privileged internal services and elevate to higher privileges within the appliance. No public exploit identified at time of analysis, EPSS risk is low (0.20%, 10th percentile), and the flaw is not listed in CISA KEV, but a vendor patch is available.
Command injection in Ubiquiti UniFi OS (all builds before 5.1.19) lets a low-privileged user on the same network run arbitrary operating-system commands on the underlying host device, giving full control of gateways, recorders, and Cloud Keys. The flaw stems from improper input validation (CWE-20) and carries high confidentiality, integrity, and availability impact (CVSS 8.8). There is no public exploit identified at time of analysis, and CISA's SSVC framework rates exploitation as none, but the technical impact is total and a vendor patch is already available.
Cross-site session abuse in Ubiquiti UniFi OS lets a remote attacker who lures an authenticated operator to a malicious web page ride that user's active session to perform privileged actions on the device, stemming from a permissive CORS policy that trusts untrusted origins. The flaw affects UniFi OS Server and the console firmware running on Dream Machines, Dream Routers, Dream Wall, Cloud Gateways, Cloud Keys, Enterprise Fortress Gateway, Express 7, and Network/Enterprise Video Recorders. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; success hinges on social-engineering an already-logged-in admin (CVSS 7.5, UI:R, AC:H).
Privilege escalation in Ubiquiti UniFi OS allows a low-privileged, network-adjacent user to chain a series of authenticated SQL injection flaws (CWE-89) to gain elevated privileges on affected UniFi OS instances and hardware. The issue affects UniFi OS Server and a broad range of Ubiquiti gateway, recorder, and Cloud Key appliances. There is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV, but the CVSS 8.8 rating and low attack complexity make it a meaningful escalation risk once an attacker has any authenticated foothold.
Authentication bypass in Ubiquiti UniFi OS devices allows a network-adjacent attacker to abuse a path traversal flaw (CWE-22) to reach protected functionality without valid credentials, affecting a broad hardware line including Dream Machines/Routers/Wall, Cloud Gateways/Keys, Express 7, Enterprise Fortress Gateway, and the UniFi OS Server software. The CVSS 8.6 rating is driven by an unauthenticated, low-complexity network vector combined with a scope change (S:C), meaning the compromised authentication boundary exposes managed device data. No public exploit identified at time of analysis and it is not listed in CISA KEV, but the ubiquity of affected consoles makes this a high-priority patch.
Unauthorized configuration changes on Ubiquiti UniFi OS gateway devices (Dream Machines, Dream Routers, Cloud Gateways, Enterprise Firewall Core, Enterprise Fortress Gateway, Dream Wall and Express 7) are possible through an improper access control flaw that, under certain network configurations, lets a network-adjacent attacker alter device settings without proper authorization. Ubiquiti has released version 5.1.19 to fix the issue via Security Advisory Bulletin 066. There is no public exploit identified at time of analysis, EPSS probability is low (0.22%), and CISA SSVC records exploitation status as none, but the total technical impact and 9.8 CVSS rating make this a high-priority patch for exposed gateways.
Privilege escalation in UniFi OS running the UniFi Protect Application (versions below 5.1.19) allows a network-adjacent, low-privileged attacker to gain control of the underlying host device via improper access control. Affected hardware spans Ubiquiti's Dream Machines, Dream Wall, Dream Routers, Cloud Keys, Cloud Gateways, and Network/Enterprise Video Recorders. No public exploit identified at time of analysis; EPSS is low (0.19%) and CISA SSVC records no known exploitation, but the total technical impact and 8.8 CVSS make it a meaningful patch priority.
Privilege escalation via Server-Side Request Forgery affects Ubiquiti UniFi OS devices and the UniFi OS Server across the Dream Machine, Dream Router, Cloud Gateway, Cloud Key, Enterprise Fortress/Firewall, and NVR/EVR product lines running versions below 5.1.19. A low-privileged user with network access can coerce the device into making attacker-controlled internal requests, leveraging the SSRF to reach privileged internal services and elevate to higher privileges within the appliance. No public exploit identified at time of analysis, EPSS risk is low (0.20%, 10th percentile), and the flaw is not listed in CISA KEV, but a vendor patch is available.
Command injection in Ubiquiti UniFi OS (all builds before 5.1.19) lets a low-privileged user on the same network run arbitrary operating-system commands on the underlying host device, giving full control of gateways, recorders, and Cloud Keys. The flaw stems from improper input validation (CWE-20) and carries high confidentiality, integrity, and availability impact (CVSS 8.8). There is no public exploit identified at time of analysis, and CISA's SSVC framework rates exploitation as none, but the technical impact is total and a vendor patch is already available.
Cross-site session abuse in Ubiquiti UniFi OS lets a remote attacker who lures an authenticated operator to a malicious web page ride that user's active session to perform privileged actions on the device, stemming from a permissive CORS policy that trusts untrusted origins. The flaw affects UniFi OS Server and the console firmware running on Dream Machines, Dream Routers, Dream Wall, Cloud Gateways, Cloud Keys, Enterprise Fortress Gateway, Express 7, and Network/Enterprise Video Recorders. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; success hinges on social-engineering an already-logged-in admin (CVSS 7.5, UI:R, AC:H).
Privilege escalation in Ubiquiti UniFi OS allows a low-privileged, network-adjacent user to chain a series of authenticated SQL injection flaws (CWE-89) to gain elevated privileges on affected UniFi OS instances and hardware. The issue affects UniFi OS Server and a broad range of Ubiquiti gateway, recorder, and Cloud Key appliances. There is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV, but the CVSS 8.8 rating and low attack complexity make it a meaningful escalation risk once an attacker has any authenticated foothold.
Authentication bypass in Ubiquiti UniFi OS devices allows a network-adjacent attacker to abuse a path traversal flaw (CWE-22) to reach protected functionality without valid credentials, affecting a broad hardware line including Dream Machines/Routers/Wall, Cloud Gateways/Keys, Express 7, Enterprise Fortress Gateway, and the UniFi OS Server software. The CVSS 8.6 rating is driven by an unauthenticated, low-complexity network vector combined with a scope change (S:C), meaning the compromised authentication boundary exposes managed device data. No public exploit identified at time of analysis and it is not listed in CISA KEV, but the ubiquity of affected consoles makes this a high-priority patch.