Skip to main content

Ubiquiti

125 CVEs vendor

Monthly

CVE-2026-55119 HIGH PATCH This Week

Privilege escalation in Ubiquiti's UniFi Talk Application allows a low-privileged, network-adjacent user to gain elevated privileges within the application through an improper access control (CWE-284) weakness, tracked as CVE-2026-55119 and rated CVSS 8.1. Ubiquiti tagged the issue as an Authentication Bypass, and a successful attack yields high confidentiality and integrity impact (C:H/I:H) over an existing authenticated session without any user interaction. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

Authentication Bypass Ubiquiti Unifi Talk Application
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-55114 HIGH PATCH This Week

Privilege escalation in Ubiquiti's UniFi Network Application allows a low-privileged, network-adjacent user to gain elevated privileges within the controller due to Improper Access Control (CWE-284). Tagged as an authentication/authorization bypass and reported via HackerOne, the flaw carries a CVSS 8.8 with full confidentiality, integrity, and availability impact once triggered. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV.

Authentication Bypass Ubiquiti Unifi Network Application
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-56842 HIGH PATCH This Week

Privilege persistence in Ubiquiti's UniFi Network Application allows a low-privileged network-adjacent actor to retain granted privileges within the controller even after those privileges are supposed to have been revoked, due to an Incorrect Authorization (CWE-863) flaw. The CVSS 3.1 base score is 7.5 (AV:N/AC:H/PR:L/UI:N) with high confidentiality, integrity, and availability impact, meaning an actor whose access was removed can continue to act with the old authorization. No public exploit identified at time of analysis, and it is not listed in CISA KEV; exploitation requires prior authenticated access plus specific unstated conditions (AC:H).

Authentication Bypass Ubiquiti Unifi Network Application
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-55116 CRITICAL PATCH Act Now

Unauthorized configuration changes on Ubiquiti UniFi OS gateway devices (Dream Machines, Dream Routers, Cloud Gateways, Enterprise Firewall Core, Enterprise Fortress Gateway, Dream Wall and Express 7) are possible through an improper access control flaw that, under certain network configurations, lets a network-adjacent attacker alter device settings without proper authorization. Ubiquiti has released version 5.1.19 to fix the issue via Security Advisory Bulletin 066. There is no public exploit identified at time of analysis, EPSS probability is low (0.22%), and CISA SSVC records exploitation status as none, but the total technical impact and 9.8 CVSS rating make this a high-priority patch for exposed gateways.

Authentication Bypass Ubiquiti Dream Machines Enterprise Fortress Gateway Dream Wall +4
NVD
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-56841 HIGH PATCH This Week

Privilege escalation in Ubiquiti's UniFi Protect Application is possible through an authenticated SQL injection (CWE-89) reachable by a low-privileged user with network access, letting that attacker escalate privileges on the underlying host device with full confidentiality, integrity, and availability impact. The flaw was reported through HackerOne and disclosed in Ubiquiti Security Advisory Bulletin 066; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. With CVSS 8.8 (AV:N/AC:L/PR:L) it is a high-priority patch for any exposed NVR/Protect deployment.

Ubiquiti SQLi Unifi Protect Application
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-55115 CRITICAL PATCH Act Now

Privilege escalation via Server-Side Request Forgery in Ubiquiti's UniFi Protect Application allows a low-privileged, network-adjacent attacker to coerce the application into making attacker-controlled requests and escalate to control of the host device. The CVSS 9.9 rating is driven by a scope change (S:C) plus full confidentiality, integrity, and availability impact, meaning the SSRF crosses a security boundary from the application into the underlying host. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV; EPSS data was not provided.

SSRF Ubiquiti Unifi Protect Application
NVD
CVSS 3.1
9.9
EPSS
0.2%
CVE-2026-55118 HIGH PATCH This Week

Privilege escalation in Ubiquiti's UniFi Network Application allows a low-privileged, authenticated user on the network to elevate their permissions within the application by abusing an Improper Access Control weakness (CWE-284). The CVSS 3.1 score of 8.3 reflects that a network-reachable actor holding limited credentials can, under certain conditions, gain high integrity and availability impact over the controller. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but Ubiquiti has published Security Advisory Bulletin 066 addressing it.

Authentication Bypass Ubiquiti Unifi Network Application
NVD
CVSS 3.1
8.3
EPSS
0.2%
CVE-2026-55112 HIGH PATCH This Week

Privilege escalation in UniFi OS running the UniFi Protect Application (versions below 5.1.19) allows a network-adjacent, low-privileged attacker to gain control of the underlying host device via improper access control. Affected hardware spans Ubiquiti's Dream Machines, Dream Wall, Dream Routers, Cloud Keys, Cloud Gateways, and Network/Enterprise Video Recorders. No public exploit identified at time of analysis; EPSS is low (0.19%) and CISA SSVC records no known exploitation, but the total technical impact and 8.8 CVSS make it a meaningful patch priority.

Authentication Bypass Ubiquiti Dream Machines Dream Wall Dream Routers +4
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-55117 HIGH PATCH This Week

Arbitrary file disclosure in Ubiquiti's UniFi Access Application allows a network-adjacent, unauthenticated attacker to read files on the underlying host via path traversal (CWE-22), carrying a CVSS 8.6 rating driven by a scope change and high confidentiality impact. The flaw was reported through HackerOne and addressed in Ubiquiti Security Advisory Bulletin 066. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Ubiquiti Path Traversal Unifi Access Application
NVD
CVSS 3.1
8.6
EPSS
0.3%
CVE-2026-55113 HIGH PATCH This Week

Server-Side Request Forgery in Ubiquiti's UniFi Talk Application allows a network-positioned attacker to coerce the application into making unintended internal requests, resulting in a Denial of Service and an authentication bypass against certain UniFi Talk API endpoints. The flaw carries CVSS 7.5 (scope-changed, high availability impact) and is reachable by remote attackers without authentication (PR:N), though a high attack complexity (AC:H) constrains reliable exploitation. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

SSRF Ubiquiti Denial Of Service Unifi Talk Application
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-55111 HIGH PATCH This Week

Arbitrary file disclosure in Ubiquiti UniFi Protect Floodlight devices lets a network-adjacent attacker read files on the device via path traversal, exposing potentially sensitive local data. The flaw (CWE-22) is remotely reachable without authentication per the CVSS vector (PR:N) and carries high confidentiality impact but no integrity or availability effect. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV; Ubiquiti has issued a fix via Security Advisory Bulletin 066.

Ubiquiti Path Traversal Unifi Protect Floodlight
NVD VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-54401 HIGH PATCH This Week

Privilege escalation via Server-Side Request Forgery affects Ubiquiti UniFi OS devices and the UniFi OS Server across the Dream Machine, Dream Router, Cloud Gateway, Cloud Key, Enterprise Fortress/Firewall, and NVR/EVR product lines running versions below 5.1.19. A low-privileged user with network access can coerce the device into making attacker-controlled internal requests, leveraging the SSRF to reach privileged internal services and elevate to higher privileges within the appliance. No public exploit identified at time of analysis, EPSS risk is low (0.20%, 10th percentile), and the flaw is not listed in CISA KEV, but a vendor patch is available.

SSRF Ubiquiti Unifi Os Server Dream Machines Enterprise Fortress Gateway +9
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-54402 HIGH PATCH This Week

Command injection in Ubiquiti UniFi OS (all builds before 5.1.19) lets a low-privileged user on the same network run arbitrary operating-system commands on the underlying host device, giving full control of gateways, recorders, and Cloud Keys. The flaw stems from improper input validation (CWE-20) and carries high confidentiality, integrity, and availability impact (CVSS 8.8). There is no public exploit identified at time of analysis, and CISA's SSVC framework rates exploitation as none, but the technical impact is total and a vendor patch is already available.

Command Injection Ubiquiti Unifi Os Server Dream Machines Enterprise Fortress Gateway +9
NVD VulDB
CVSS 3.1
8.8
EPSS
0.8%
CVE-2026-50747 CRITICAL PATCH Act Now

Privilege escalation in Ubiquiti's UniFi Talk Application allows an authenticated attacker holding a low-privileged account to chain multiple SQL injection flaws (CWE-89) and gain elevated control over the underlying host device. The issue carries a critical 9.9 CVSS score driven by network reachability, low attack complexity, and a scope change from the application into the host OS. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the low bar of only needing minimal authenticated access makes this a high-priority patch for exposed UniFi Talk deployments.

Ubiquiti SQLi Unifi Talk Application
NVD
CVSS 3.1
9.9
EPSS
0.2%
CVE-2026-50746 CRITICAL PATCH NEWS Act Now

Improper access control in Ubiquiti's UniFi Connect Application allows a network-adjacent attacker to bypass authentication and inject arbitrary operating-system commands on the underlying host, yielding full compromise (CVSS 10.0). The flaw chains an access-control weakness (CWE-284) with command injection, so an unauthenticated attacker reachable on the network can execute code with the application's privileges and pivot beyond the app boundary (scope change). No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV; EPSS data was not provided.

Authentication Bypass Ubiquiti Command Injection Unifi Connect Application
NVD
CVSS 3.1
10.0
EPSS
0.8%
CVE-2026-55110 MEDIUM PATCH This Month

Cross-site session abuse in Ubiquiti UniFi OS lets a remote attacker who lures an authenticated operator to a malicious web page ride that user's active session to perform privileged actions on the device, stemming from a permissive CORS policy that trusts untrusted origins. The flaw affects UniFi OS Server and the console firmware running on Dream Machines, Dream Routers, Dream Wall, Cloud Gateways, Cloud Keys, Enterprise Fortress Gateway, Express 7, and Network/Enterprise Video Recorders. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; success hinges on social-engineering an already-logged-in admin (CVSS 7.5, UI:R, AC:H).

Ubiquiti Cors Misconfiguration Information Disclosure Unifi Os Server Dream Machines +10
NVD
CVSS 3.1
6.1
EPSS
0.2%
CVE-2026-54404 HIGH PATCH This Week

Privilege escalation in Ubiquiti UniFi OS allows a low-privileged, network-adjacent user to chain a series of authenticated SQL injection flaws (CWE-89) to gain elevated privileges on affected UniFi OS instances and hardware. The issue affects UniFi OS Server and a broad range of Ubiquiti gateway, recorder, and Cloud Key appliances. There is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV, but the CVSS 8.8 rating and low attack complexity make it a meaningful escalation risk once an attacker has any authenticated foothold.

Ubiquiti SQLi Unifi Os Server Dream Machines Enterprise Fortress Gateway +9
NVD VulDB
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-54400 CRITICAL PATCH Act Now

Privilege escalation in Ubiquiti's UniFi Access Application allows an attacker who already holds high privileges and network reachability to break out and gain elevated control of the underlying host device. The flaw is an improper access control issue (CWE-284) tagged as an authentication bypass, carrying a CVSS 9.1 (Critical) rating driven largely by its scope-changing impact. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV.

Authentication Bypass Ubiquiti Unifi Access Application
NVD
CVSS 3.1
9.1
EPSS
0.3%
CVE-2026-54406 HIGH PATCH This Week

Privilege escalation via path traversal in self-hosted UniFi Network Application (Ubiquiti's controller software) allows an authenticated, high-privileged attacker with network access to write files outside intended directories and escalate write permissions on the underlying host. The CVSS 3.1 base score is 8.7 with a scope change, reflecting that the flaw lets the application's write capability break out to affect the host system beyond the application's security boundary. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; it was reported through HackerOne and addressed in Ubiquiti Security Advisory Bulletin 066.

Ubiquiti Path Traversal Unifi Network Application
NVD
CVSS 3.1
8.7
EPSS
0.3%
CVE-2026-50748 CRITICAL PATCH Act Now

Command injection in Ubiquiti's UniFi Access Application lets a low-privileged attacker with network reach run arbitrary OS commands on the underlying host device, escaping the application into the operating system (CVSS 9.9, scope-changed). Improper input validation (CWE-20) means attacker-supplied data reaches a shell context; there is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV. Reported through HackerOne and addressed in Ubiquiti Security Advisory Bulletin 066.

Command Injection Ubiquiti Unifi Access Application
NVD
CVSS 3.1
9.9
EPSS
0.8%
CVE-2026-54408 CRITICAL PATCH Act Now

Authentication bypass in Ubiquiti's UniFi Protect Application (versions before 7.1.83) allows a network-adjacent attacker to access data streaming without valid credentials due to improper access control. An unauthenticated attacker on a reachable network can view video/data streams that should be protected, with SSVC flagging the flaw as automatable. No public exploit has been identified at time of analysis, and the EPSS probability is low (0.27%), but the CVSS 9.8 rating and network exposure make it a meaningful patch priority.

Authentication Bypass Ubiquiti Unifi Protect Application
NVD
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-54409 HIGH PATCH This Week

Authentication bypass in Ubiquiti UniFi Protect Application (versions prior to 7.1.83) allows a network-adjacent attacker to circumvent authentication controls on UniFi Protect Cameras via an improper initialization flaw. The bypass yields total compromise of camera confidentiality, integrity, and availability, though exploitation depends on certain unspecified conditions and carries high attack complexity. No public exploit is identified at time of analysis, and EPSS probability is low (0.24%), consistent with the CISA SSVC assessment of no known exploitation.

Authentication Bypass Ubiquiti Unifi Protect Application
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-54403 HIGH PATCH This Week

Authentication bypass in Ubiquiti UniFi OS devices allows a network-adjacent attacker to abuse a path traversal flaw (CWE-22) to reach protected functionality without valid credentials, affecting a broad hardware line including Dream Machines/Routers/Wall, Cloud Gateways/Keys, Express 7, Enterprise Fortress Gateway, and the UniFi OS Server software. The CVSS 8.6 rating is driven by an unauthenticated, low-complexity network vector combined with a scope change (S:C), meaning the compromised authentication boundary exposes managed device data. No public exploit identified at time of analysis and it is not listed in CISA KEV, but the ubiquity of affected consoles makes this a high-priority patch.

Ubiquiti Path Traversal Unifi Os Server Dream Machines Enterprise Fortress Gateway +9
NVD
CVSS 3.1
8.6
EPSS
0.5%
CVE-2026-54405 HIGH PATCH This Week

Denial of service in Ubiquiti's UniFi Network Application allows a remote, unauthenticated attacker with network access to crash or render the application unavailable by sending malformed input that the application fails to properly validate (CWE-20). The flaw carries a CVSS 7.5 rating driven entirely by availability impact (C:N/I:N/A:H), with no confidentiality or integrity consequences. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Ubiquiti Denial Of Service Unifi Network Application
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-54407 HIGH PATCH This Week

Authentication bypass in Ubiquiti UniFi Protect Application lets a network-adjacent attacker reach certain API endpoints without valid credentials due to improper access control (CWE-284). Rated CVSS 8.6, the flaw combines low confidentiality and integrity impact with high availability impact, meaning an unauthenticated actor on the network could interact with protected surveillance-management functions. No public exploit identified at time of analysis, and it is not listed in CISA KEV, but the network vector with no privileges required (AV:N/PR:N) makes it a meaningful exposure for internet- or LAN-reachable deployments.

Authentication Bypass Ubiquiti Unifi Protect Application
NVD
CVSS 3.1
8.6
EPSS
0.3%
CVE-2026-47370 CRITICAL PATCH Act Now

Authenticated command injection in Ubiquiti UniFi OS allows low-privileged network-adjacent attackers to execute arbitrary OS commands on UniFi gateways, controllers, NVRs, and NAS devices, with a CVSS 9.9 score reflecting scope change and full CIA impact. The vulnerability affects a broad device family including UDM, UDM Pro/SE/Max/Beast, UDR, UDW, UCG, UNVR, and UNAS lines per Ubiquiti Security Advisory Bulletin 065. No public exploit identified at time of analysis and the issue is not currently listed in CISA KEV.

Command Injection Ubiquiti Unifi Os Server Express Udm +29
NVD VulDB
CVSS 3.1
9.9
EPSS
0.2%
CVE-2026-47369 CRITICAL PATCH Act Now

Privilege escalation in Ubiquiti UniFi OS allows a low-privileged attacker with network access to elevate privileges on affected UniFi OS devices and instances due to improper input validation (CWE-20). The CVSS 9.9 score reflects a scope-changing impact spanning UniFi Dream Machine, UniFi Express, UDR, UCG, UNVR, UNAS, and other UniFi OS Server platforms. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.

Privilege Escalation Ubiquiti Unifi Os Server Express Udm +29
NVD VulDB
CVSS 3.1
9.9
EPSS
0.1%
CVE-2026-47368 HIGH PATCH This Week

Information disclosure in Ubiquiti UniFi OS devices allows unauthenticated network-adjacent attackers to read sensitive data via a path traversal flaw (CWE-22). The high CVSS 8.6 score reflects a scope change with high confidentiality impact, indicating that disclosed data can affect resources beyond the vulnerable component itself. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Path Traversal Ubiquiti Unifi Os Server Express Udm +29
NVD VulDB
CVSS 3.1
8.6
EPSS
0.0%
CVE-2026-48610 HIGH PATCH This Week

Improper access control in Ubiquiti UniFi OS allows network-adjacent attackers to make unauthorized configuration changes to UniFi Dream Machine, Cloud Gateway, and Express gateway devices under certain network configurations. The flaw, scored CVSS 8.1 with full CIA impact, requires no authentication (PR:N) but has high attack complexity (AC:H), and no public exploit identified at time of analysis. Disclosed via HackerOne and addressed in Ubiquiti Security Advisory Bulletin 065.

Authentication Bypass Ubiquiti Udm Udm Pro Udm Se +12
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-34911 HIGH PATCH This Week

Path traversal in Ubiquiti UniFi OS devices allows authenticated low-privileged network attackers to read arbitrary files on the underlying device filesystem, enabling disclosure of sensitive information such as configuration data, credentials, or cryptographic material. The flaw (CVSS 7.7, scope-changed) affects a broad fleet of UniFi gateways, cloud keys, NVRs, and NAS appliances. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Ubiquiti Path Traversal Unifi Os Server Udm Udm Pro +28
NVD VulDB
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-33000 CRITICAL PATCH Act Now

Command injection in Ubiquiti UniFi OS devices allows a high-privileged attacker on the network to execute arbitrary operating system commands by abusing improperly validated input. The flaw carries a critical CVSS 9.1 score with scope change, indicating successful exploitation can break out of the originating security context, though no public exploit identified at time of analysis.

Ubiquiti Command Injection Unifi Os Server
NVD VulDB
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-34910 CRITICAL POC KEV PATCH THREAT NEWS Act Now

Unauthenticated command injection in Ubiquiti UniFi OS devices allows remote attackers with network access to execute arbitrary operating system commands by sending crafted input that bypasses validation. The flaw carries a maximum CVSS 10.0 score with scope change (S:C) impacting confidentiality, integrity, and availability, and affects a broad fleet of UniFi gateways, NVRs, NAS units, and Cloud Keys. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Ubiquiti Command Injection Unifi Os Server Udm Udm Pro +28
NVD VulDB
CVSS 3.1
10.0
EPSS
0.1%
Threat
5.0
CVE-2026-34908 CRITICAL POC KEV PATCH THREAT NEWS Act Now

Unauthorized system modification on Ubiquiti UniFi OS devices allows network-adjacent attackers to alter device configuration without authentication, affecting a broad range of UniFi gateways, dream machines, NVRs, NAS units, and cloud keys. The maximum CVSS 10.0 score reflects network-reachable, unauthenticated exploitation with scope change and full confidentiality, integrity, and availability impact; no public exploit identified at time of analysis, but the authentication bypass nature elevates urgency for any UniFi management plane exposed beyond trusted segments.

Ubiquiti Authentication Bypass Unifi Os Server Udm Udm Pro +28
NVD VulDB GitHub
CVSS 3.1
10.0
EPSS
0.0%
Threat
5.0
CVE-2026-34909 CRITICAL POC KEV PATCH THREAT NEWS Act Now

Path traversal in Ubiquiti UniFi OS devices allows network-adjacent attackers to read sensitive files from the underlying system, which can then be leveraged to take over an underlying account. The flaw carries a maximum CVSS 10.0 score reflecting unauthenticated network exploitation with scope change and full confidentiality, integrity, and availability impact across a broad fleet of UniFi gateways, cameras, NVRs, and NAS appliances. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Ubiquiti Path Traversal Unifi Os Server Udm Udm Pro +28
NVD VulDB
CVSS 3.1
10.0
EPSS
0.0%
Threat
5.0
CVE-2026-22563 CRITICAL PATCH Act Now

Critical command injection in Ubiquiti UniFi Play PowerAmp and Audio Port allows remote unauthenticated attackers to execute arbitrary commands with network access to the device management interface. Affects PowerAmp versions ≤1.0.35 and Audio Port versions ≤1.0.24. CVSS 9.8 critical severity reflects network-accessible attack with no authentication barriers. EPSS score of 0.08% (24th percentile) suggests low immediate exploitation probability despite critical scoring. Vendor-released patches av

Command Injection Ubiquiti
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-22562 CRITICAL PATCH Act Now

Path traversal in UniFi Play PowerAmp (≤1.0.35) and Audio Port (≤1.0.24) firmware allows unauthenticated remote attackers to write arbitrary files for remote code execution. CVSS 9.8 critical severity reflects network-accessible attack requiring no authentication or user interaction. EPSS score of 0.11% (30th percentile) suggests low immediate exploitation probability despite critical rating. No public exploit identified at time of analysis. Reported via HackerOne bug bounty, vendor patches avai

RCE Ubiquiti Path Traversal
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-22566 HIGH PATCH This Week

Improper access control in Ubiquiti UniFi Play PowerAmp (≤1.0.35) and Audio Port (≤1.0.24) exposes WiFi credentials to network-adjacent attackers without authentication. The CVSS:3.1 vector (AV:N/AC:L/PR:N/UI:N) indicates remote exploitation with no authentication required, though the vulnerability description specifies 'access to the UniFi Play network' as a prerequisite. Reported via HackerOne bug bounty. EPSS score of 0.01% (1st percentile) suggests minimal observed exploitation activity, and no public exploit code or CISA KEV listing identified at time of analysis.

Authentication Bypass Ubiquiti
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-22565 HIGH PATCH This Week

Denial of service in Ubiquiti UniFi Play PowerAmp (≤1.0.35) and Audio Port (≤1.0.24) allows unauthenticated remote attackers to crash devices via improper input validation. CVSS 7.5 (High) with network-based attack requiring no privileges or user interaction. EPSS score of 0.01% (1st percentile) indicates minimal real-world exploitation likelihood. No public exploit identified at time of analysis. Vendor-released patches available: PowerAmp 1.0.38+ and Audio Port 1.1.9+.

Information Disclosure Ubiquiti
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-22564 CRITICAL PATCH Act Now

Remote unauthenticated attackers can enable SSH and gain complete system control on Ubiquiti UniFi Play PowerAmp (≤1.0.35) and UniFi Play Audio Port (≤1.0.24) devices via improper access control. The vulnerability bypasses authentication mechanisms, allowing network-accessible adversaries to modify system configurations with critical impact across confidentiality, integrity, and availability (CVSS 9.8). No public exploit identified at time of analysis, with low EPSS probability (0.01%, 3rd percentile) suggesting limited observed exploitation attempts despite the critical severity rating.

Authentication Bypass Ubiquiti
NVD
CVSS 3.1
9.8
EPSS
0.0%
CVE-2019-25652 HIGH PATCH This Week

UniFi Network Controller before version 5.10.22 and 5.11.x before 5.11.18 contains an improper certificate verification vulnerability that allows adjacent network attackers to conduct man-in-the-middle attacks by presenting a false SSL certificate...

Information Disclosure Ubiquiti
NVD VulDB
CVSS 4.0
7.7
EPSS
0.0%
CVE-2019-25651 CRITICAL PATCH Act Now

Adjacent attackers can decrypt device-to-controller traffic in Ubiquiti UniFi Network deployments and gain unauthorized control of network infrastructure by exploiting cryptographic weaknesses in AES-CBC implementation. Affected products include UniFi Network Controller (pre-5.10.12), UAP access points (pre-4.0.6/3.8.17 depending on model), UniFi switches (pre-4.0.6), and UniFi gateways (pre-4.4.34). While EPSS risk is minimal at 0.01% and no active exploitation is confirmed (SSVC: exploitation=none), the vulnerability enables complete compromise of network device management once sufficient traffic is captured, warranting attention in environments where adjacent network access is plausible.

Authentication Bypass Ubiquiti
NVD VulDB
CVSS 4.0
9.0
EPSS
0.0%
CVE-2026-22559 HIGH PATCH This Week

Ubiquiti UniFi Network Server versions 10.1.85 and earlier are vulnerable to account takeover through improper input validation when users click malicious links in social engineering attacks. An attacker can gain unauthorized account access with high impact on confidentiality, integrity, and availability. Users should upgrade to version 10.1.89 or later to remediate this vulnerability.

Ubiquiti Authentication Bypass
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-22558 HIGH This Week

UniFi Network Application allows authenticated attackers to escalate privileges via NoSQL injection with high confidentiality impact. The vulnerability enables network-accessible attackers holding low-privilege credentials to exploit database queries and access sensitive information belonging to higher-privileged users or contexts. With an EPSS score of 0.03% (7th percentile) and no public exploit identified at time of analysis, real-world exploitation probability is currently assessed as low despite the 7.7 CVSS severity rating.

Ubiquiti Nosql Injection Privilege Escalation
NVD VulDB
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-22557 CRITICAL POC Act Now

A critical path traversal vulnerability exists in the UniFi Network Application that allows unauthenticated remote attackers to access arbitrary files on the underlying system and manipulate them to gain account access. This vulnerability affects Ubiquiti's UniFi Network Application with a maximum CVSS score of 10.0, indicating critical severity with network-based exploitation requiring no user interaction or privileges. The vulnerability was reported through HackerOne, suggesting responsible disclosure, though current exploitation status in the wild is not confirmed.

Path Traversal Ubiquiti
NVD VulDB
CVSS 3.1
10.0
EPSS
0.0%
CVE-2025-27215 HIGH This Month

An Improper Access Control could allow a malicious actor authenticated in the API of certain UniFi Connect Display Cast devices to make unsupported changes to the system. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Ubiquiti
NVD
CVSS 3.1
8.1
EPSS
0.0%
CVE-2025-27214 CRITICAL This Week

A Missing Authentication for Critical Function vulnerability in the UniFi Connect EV Station Pro may allow a malicious actor with physical or adjacent access to perform an unauthorized factory reset. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Ubiquiti
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-27213 MEDIUM Monitor

An Improper Access Control could allow a malicious actor authenticated in the API of certain UniFi Connect devices to enable Android Debug Bridge (ADB) and make unsupported changes to the system. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Ubiquiti Google Android
NVD
CVSS 3.1
4.9
EPSS
0.0%
CVE-2025-24285 CRITICAL This Week

Multiple Improper Input Validation vulnerabilities in UniFi Connect EV Station Lite may allow a Command Injection by a malicious actor with network access to the UniFi Connect EV Station Lite. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Ubiquiti Command Injection
NVD
CVSS 3.1
9.8
EPSS
0.3%
CVE-2025-27212 CRITICAL This Week

An Improper Input Validation in certain UniFi Access devices could allow a Command Injection by a malicious actor with access to UniFi Access management network. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Ubiquiti Command Injection
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2025-23164 MEDIUM Monitor

A misconfigured access token mechanism in the Unifi Protect Application (Version 5.3.41 and earlier) could permit the recipient of a "Share Livestream" link to maintain access to the corresponding. Rated medium severity (CVSS 4.4), this vulnerability is remotely exploitable. No vendor patch available.

Authentication Bypass Ubiquiti
NVD
CVSS 3.0
4.4
EPSS
0.2%
CVE-2025-23123 CRITICAL Act Now

A malicious actor with access to the management network could execute a remote code execution (RCE) by exploiting a heap buffer overflow vulnerability in the UniFi Protect Cameras (Version 4.75.43. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Heap Overflow RCE Ubiquiti
NVD
CVSS 3.0
10.0
EPSS
1.7%
CVE-2025-23119 HIGH This Week

An Improper Neutralization of Escape Sequences vulnerability could allow an Authentication Bypass with a Remote Code Execution (RCE) by a malicious actor with access to UniFi Protect Cameras adjacent. Rated high severity (CVSS 7.5), this vulnerability is no authentication required. No vendor patch available.

Authentication Bypass Command Injection RCE Ubiquiti
NVD
CVSS 3.0
7.5
EPSS
0.2%
CVE-2025-23118 MEDIUM This Month

An Improper Certificate Validation vulnerability could allow an authenticated malicious actor with access to UniFi Protect Cameras adjacent network to make unsupported changes to the camera system. Rated medium severity (CVSS 6.4). No vendor patch available.

Information Disclosure Ubiquiti
NVD
CVSS 3.0
6.4
EPSS
0.0%
CVE-2025-23117 MEDIUM This Month

An Insufficient Firmware Update Validation vulnerability could allow an authenticated malicious actor with access to UniFi Protect Cameras adjacent network to make unsupported changes to the camera. Rated medium severity (CVSS 6.8), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Ubiquiti
NVD
CVSS 3.1
6.8
EPSS
0.0%
CVE-2025-23116 CRITICAL Act Now

An Authentication Bypass vulnerability on UniFi Protect Application with Auto-Adopt Bridge Devices enabled could allow a malicious actor with access to UniFi Protect Cameras adjacent network to take. Rated critical severity (CVSS 9.6), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Ubiquiti
NVD
CVSS 3.0
9.6
EPSS
0.1%
CVE-2025-23115 CRITICAL Act Now

A Use After Free vulnerability on UniFi Protect Cameras could allow a Remote Code Execution (RCE) by a malicious actor with access to UniFi Protect Cameras management network. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Use After Free Memory Corruption Ubiquiti RCE Denial Of Service
NVD
CVSS 3.0
9.0
EPSS
0.6%
CVE-2025-23091 MEDIUM This Month

An Improper Certificate Validation on UniFi OS devices, with Identity Enterprise configured, could allow a malicious actor to execute a man-in-the-middle (MitM) attack during application update. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Ubiquiti Information Disclosure
NVD
CVSS 3.0
5.9
EPSS
0.1%
CVE-2024-54749 HIGH This Week

Ubiquiti U7-Pro 7.0.35 was discovered to contain a hardcoded password vulnerability in /etc/shadow, which allows attackers to log in as root. Rated high severity (CVSS 7.5), this vulnerability is no authentication required. No vendor patch available.

Authentication Bypass Ubiquiti
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2024-54750 CRITICAL Act Now

Ubiquiti U6-LR 6.6.65 was discovered to contain a hardcoded password vulnerability in /etc/shadow, which allows attackers to log in as root. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Ubiquiti
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2024-45205 HIGH This Week

An Improper Certificate Validation on the UniFi iOS App managing a standalone UniFi Access Point (not using UniFi Network Application) could allow a malicious actor with access to an adjacent network. Rated high severity (CVSS 7.1), this vulnerability is no authentication required. No vendor patch available.

Apple Information Disclosure Ubiquiti
NVD
CVSS 3.0
7.1
EPSS
0.1%
CVE-2024-42028 HIGH This Week

A Local privilege escalation vulnerability found in a Self-Hosted UniFi Network Server with UniFi Network Application (Version 8.4.62 and earlier) allows a malicious actor with a local operational. Rated high severity (CVSS 8.8), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Ubiquiti
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2024-44540 MEDIUM This Month

Ubiquiti AirMax firmware version firmware version 8 allows attackers with physical access to gain a privileged command shell via the UART Debugging Port. Rated medium severity (CVSS 6.6), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Ubiquiti
NVD
CVSS 3.1
6.6
EPSS
0.2%
CVE-2024-42025 HIGH This Week

A Command Injection vulnerability found in a Self-Hosted UniFi Network Servers (Linux) with UniFi Network Application (Version 8.3.32 and earlier) allows a malicious actor with unifi user shell. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Command Injection Ubiquiti Unifi Network Application
NVD
CVSS 3.1
7.8
EPSS
0.8%
CVE-2024-37380 MEDIUM This Month

A misconfiguration on UniFi U6+ Access Point could cause an incorrect VLAN traffic forwarding to APs meshed to UniFi U6+ Access Point. Rated medium severity (CVSS 5.3), this vulnerability is no authentication required. No vendor patch available.

Information Disclosure Ubiquiti
NVD
CVSS 3.0
5.3
EPSS
0.2%
CVE-2024-34786 MEDIUM This Month

UniFi iOS app 10.15.0 introduces a misconfiguration on 2nd Generation UniFi Access Points configured as standalone (not using UniFi Network Application) that could cause the SSID name to change. Rated medium severity (CVSS 4.8), this vulnerability is no authentication required. No vendor patch available.

Apple Information Disclosure Ubiquiti
NVD
CVSS 3.1
4.8
EPSS
0.2%
CVE-2024-29208 LOW Monitor

An Unverified Password Change could allow a malicious actor with API access to the device to change the system password without knowing the previous password. Rated low severity (CVSS 2.2), this vulnerability is remotely exploitable. No vendor patch available.

Brute Force Ubiquiti Information Disclosure
NVD
CVSS 3.0
2.2
EPSS
0.3%
CVE-2024-29207 HIGH This Week

An Improper Certificate Validation could allow a malicious actor with access to an adjacent network to take control of the system. Rated high severity (CVSS 7.5), this vulnerability is no authentication required. No vendor patch available.

Authentication Bypass Ubiquiti
NVD
CVSS 3.0
7.5
EPSS
0.3%
CVE-2024-29206 LOW Monitor

An Improper Access Control could allow a malicious actor authenticated in the API to enable Android Debug Bridge (ADB) and make unsupported changes to the system. Rated low severity (CVSS 2.2), this vulnerability is remotely exploitable. No vendor patch available.

Authentication Bypass Google Ubiquiti
NVD
CVSS 3.0
2.2
EPSS
0.4%
CVE-2024-27981 CRITICAL Act Now

A Command Injection vulnerability found in a Self-Hosted UniFi Network Servers (Linux) with UniFi Network Application (Version 8.0.28 and earlier) allows a malicious actor with UniFi Network. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Command Injection Ubiquiti
NVD
CVSS 3.1
9.8
EPSS
1.2%
CVE-2024-22054 HIGH This Week

A malformed discovery packet sent by a malicious actor with preexisting access to the network could interrupt the functionality of device management and discovery. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Ubiquiti
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2023-41721 MEDIUM This Month

Instances of UniFi Network Application that (i) are run on a UniFi Gateway Console, and (ii) are versions 7.5.176. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Ubiquiti Authentication Bypass Unifi Network Application
NVD
CVSS 3.1
5.3
EPSS
0.6%
CVE-2023-38034 CRITICAL Act Now

A command injection vulnerability in the DHCP Client function of all UniFi Access Points and Switches, excluding the Switch Flex Mini, could allow a Remote Code Execution (RCE). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Ubiquiti RCE Command Injection Unifi Uap Firmware Unifi Switch Firmware
NVD
CVSS 3.1
9.8
EPSS
1.0%
CVE-2023-35085 CRITICAL Act Now

An integer overflow vulnerability in all UniFi Access Points and Switches, excluding the Switch Flex Mini, with SNMP Monitoring and default settings enabled could allow a Remote Code Execution (RCE). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Integer Overflow RCE Ubiquiti Unifi Uap Firmware Unifi Switch Firmware
NVD
CVSS 3.1
9.8
EPSS
0.7%
CVE-2023-32000 MEDIUM This Month

A Cross-Site Scripting (XSS) vulnerability found in UniFi Network (Version 7.3.83 and earlier) allows a malicious actor with Site Administrator credentials to escalate privileges by persuading an. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Ubiquiti XSS Unifi Network Application
NVD
CVSS 3.1
4.8
EPSS
0.3%
CVE-2023-31997 CRITICAL Act Now

UniFi OS 3.1 introduces a misconfiguration on consoles running UniFi Network that allows users on a local network to access MongoDB. Rated critical severity (CVSS 9.0), this vulnerability is low attack complexity. No vendor patch available.

Ubiquiti Authentication Bypass Unifi Os
NVD
CVSS 3.1
9.0
EPSS
0.3%
CVE-2023-28365 CRITICAL Act Now

A backup file vulnerability found in UniFi applications (Version 7.3.83 and earlier) running on Linux operating systems allows application administrators to execute malicious commands on the host. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Ubiquiti Command Injection Unifi Network Application
NVD
CVSS 3.1
9.1
EPSS
0.8%
CVE-2023-28361 MEDIUM This Month

A Cross-site WebSocket Hijacking (CSWSH) vulnerability found in UniFi OS 2.5 and earlier allows a malicious actor to access certain confidential information by persuading a UniFi OS user to visit a. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Ubiquiti CSRF Unifi Os
NVD
CVSS 3.1
6.5
EPSS
0.3%
CVE-2023-2379 HIGH POC This Week

A vulnerability classified as critical has been found in Ubiquiti EdgeRouter X up to 2.0.9-hotfix.6. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Ubiquiti Denial Of Service Er X Firmware Er X Sfp Firmware
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
1.3%
CVE-2023-2378 HIGH POC This Week

A flaw has been found in Ubiquiti EdgeRouter X up to 2.0.9-hotfix.6. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Ubiquiti Command Injection Er X Firmware Er X Sfp Firmware
NVD GitHub VulDB
CVSS 4.0
7.3
EPSS
4.3%
CVE-2023-2377 HIGH POC This Week

A vulnerability was detected in Ubiquiti EdgeRouter X up to 2.0.9-hotfix.6. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Ubiquiti Command Injection Er X Firmware Er X Sfp Firmware
NVD GitHub VulDB
CVSS 4.0
7.3
EPSS
4.3%
CVE-2023-2376 HIGH POC This Week

A security vulnerability has been detected in Ubiquiti EdgeRouter X up to 2.0.9-hotfix.6. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Ubiquiti Command Injection Er X Firmware Er X Sfp Firmware
NVD GitHub VulDB
CVSS 4.0
7.3
EPSS
4.3%
CVE-2023-2375 HIGH POC This Week

A weakness has been identified in Ubiquiti EdgeRouter X up to 2.0.9-hotfix.6. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Ubiquiti Command Injection Er X Firmware Er X Sfp Firmware
NVD GitHub VulDB
CVSS 4.0
7.3
EPSS
6.6%
CVE-2023-2374 HIGH POC This Week

A security flaw has been discovered in Ubiquiti EdgeRouter X up to 2.0.9-hotfix.6. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Ubiquiti Command Injection Er X Firmware Er X Sfp Firmware
NVD GitHub VulDB
CVSS 4.0
7.3
EPSS
4.5%
CVE-2023-2373 HIGH POC This Week

A vulnerability was identified in Ubiquiti EdgeRouter X up to 2.0.9-hotfix.6. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Ubiquiti Command Injection Edgemax Edgerouter Firmware
NVD GitHub VulDB
CVSS 4.0
7.3
EPSS
4.3%
CVE-2023-1458 CRITICAL POC Act Now

A vulnerability has been found in Ubiquiti EdgeRouter X 2.0.9-hotfix.6 and classified as critical. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Ubiquiti Command Injection Edgerouter X Firmware
NVD VulDB
CVSS 3.1
9.8
EPSS
3.3%
CVE-2023-1457 CRITICAL Act Now

A vulnerability, which was classified as critical, was found in Ubiquiti EdgeRouter X 2.0.9-hotfix.6. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Ubiquiti Command Injection Edgerouter X Firmware
NVD VulDB
CVSS 3.1
9.8
EPSS
1.9%
CVE-2023-1456 CRITICAL Act Now

A vulnerability, which was classified as critical, has been found in Ubiquiti EdgeRouter X 2.0.9-hotfix.6. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Ubiquiti Command Injection Edgerouter X Firmware
NVD VulDB
CVSS 3.1
9.8
EPSS
1.9%
CVE-2023-24104 CRITICAL POC Act Now

Ubiquiti Networks UniFi Dream Machine Pro v7.2.95 allows attackers to bypass domain restrictions via crafted packets. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Ubiquiti Authentication Bypass Unifi Dream Machine Pro Firmware
NVD GitHub
CVSS 3.1
9.8
EPSS
0.8%
CVE-2023-23912 HIGH POC This Week

A vulnerability, found in EdgeRouters Version 2.0.9-hotfix.5 and earlier and UniFi Security Gateways (USG) Version 4.4.56 and earlier with their DHCPv6 prefix delegation set to dhcpv6-stateless or. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Ubiquiti RCE Usg Firmware Usg Pro 4 Firmware Er 10X Firmware +7
NVD
CVSS 3.1
8.8
EPSS
0.9%
CVE-2023-23119 MEDIUM POC This Month

The use of the cyclic redundancy check (CRC) algorithm for integrity check during firmware update makes Ubiquiti airFiber AF2X Radio firmware version 3.2.2 and earlier vulnerable to firmware. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Ubiquiti Authentication Bypass Af 2X Firmware
NVD
CVSS 3.1
5.9
EPSS
0.3%
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Privilege escalation in Ubiquiti's UniFi Talk Application allows a low-privileged, network-adjacent user to gain elevated privileges within the application through an improper access control (CWE-284) weakness, tracked as CVE-2026-55119 and rated CVSS 8.1. Ubiquiti tagged the issue as an Authentication Bypass, and a successful attack yields high confidentiality and integrity impact (C:H/I:H) over an existing authenticated session without any user interaction. There is no public exploit identified at time of analysis and the CVE is not listed in CISA KEV.

Authentication Bypass Ubiquiti Unifi Talk Application
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Privilege escalation in Ubiquiti's UniFi Network Application allows a low-privileged, network-adjacent user to gain elevated privileges within the controller due to Improper Access Control (CWE-284). Tagged as an authentication/authorization bypass and reported via HackerOne, the flaw carries a CVSS 8.8 with full confidentiality, integrity, and availability impact once triggered. No public exploit has been identified at time of analysis, and it is not listed in CISA KEV.

Authentication Bypass Ubiquiti Unifi Network Application
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Privilege persistence in Ubiquiti's UniFi Network Application allows a low-privileged network-adjacent actor to retain granted privileges within the controller even after those privileges are supposed to have been revoked, due to an Incorrect Authorization (CWE-863) flaw. The CVSS 3.1 base score is 7.5 (AV:N/AC:H/PR:L/UI:N) with high confidentiality, integrity, and availability impact, meaning an actor whose access was removed can continue to act with the old authorization. No public exploit identified at time of analysis, and it is not listed in CISA KEV; exploitation requires prior authenticated access plus specific unstated conditions (AC:H).

Authentication Bypass Ubiquiti Unifi Network Application
NVD
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Unauthorized configuration changes on Ubiquiti UniFi OS gateway devices (Dream Machines, Dream Routers, Cloud Gateways, Enterprise Firewall Core, Enterprise Fortress Gateway, Dream Wall and Express 7) are possible through an improper access control flaw that, under certain network configurations, lets a network-adjacent attacker alter device settings without proper authorization. Ubiquiti has released version 5.1.19 to fix the issue via Security Advisory Bulletin 066. There is no public exploit identified at time of analysis, EPSS probability is low (0.22%), and CISA SSVC records exploitation status as none, but the total technical impact and 9.8 CVSS rating make this a high-priority patch for exposed gateways.

Authentication Bypass Ubiquiti Dream Machines +6
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Privilege escalation in Ubiquiti's UniFi Protect Application is possible through an authenticated SQL injection (CWE-89) reachable by a low-privileged user with network access, letting that attacker escalate privileges on the underlying host device with full confidentiality, integrity, and availability impact. The flaw was reported through HackerOne and disclosed in Ubiquiti Security Advisory Bulletin 066; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. With CVSS 8.8 (AV:N/AC:L/PR:L) it is a high-priority patch for any exposed NVR/Protect deployment.

Ubiquiti SQLi Unifi Protect Application
NVD
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

Privilege escalation via Server-Side Request Forgery in Ubiquiti's UniFi Protect Application allows a low-privileged, network-adjacent attacker to coerce the application into making attacker-controlled requests and escalate to control of the host device. The CVSS 9.9 rating is driven by a scope change (S:C) plus full confidentiality, integrity, and availability impact, meaning the SSRF crosses a security boundary from the application into the underlying host. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV; EPSS data was not provided.

SSRF Ubiquiti Unifi Protect Application
NVD
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Privilege escalation in Ubiquiti's UniFi Network Application allows a low-privileged, authenticated user on the network to elevate their permissions within the application by abusing an Improper Access Control weakness (CWE-284). The CVSS 3.1 score of 8.3 reflects that a network-reachable actor holding limited credentials can, under certain conditions, gain high integrity and availability impact over the controller. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but Ubiquiti has published Security Advisory Bulletin 066 addressing it.

Authentication Bypass Ubiquiti Unifi Network Application
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Privilege escalation in UniFi OS running the UniFi Protect Application (versions below 5.1.19) allows a network-adjacent, low-privileged attacker to gain control of the underlying host device via improper access control. Affected hardware spans Ubiquiti's Dream Machines, Dream Wall, Dream Routers, Cloud Keys, Cloud Gateways, and Network/Enterprise Video Recorders. No public exploit identified at time of analysis; EPSS is low (0.19%) and CISA SSVC records no known exploitation, but the total technical impact and 8.8 CVSS make it a meaningful patch priority.

Authentication Bypass Ubiquiti Dream Machines +6
NVD VulDB
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Arbitrary file disclosure in Ubiquiti's UniFi Access Application allows a network-adjacent, unauthenticated attacker to read files on the underlying host via path traversal (CWE-22), carrying a CVSS 8.6 rating driven by a scope change and high confidentiality impact. The flaw was reported through HackerOne and addressed in Ubiquiti Security Advisory Bulletin 066. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Ubiquiti Path Traversal Unifi Access Application
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Server-Side Request Forgery in Ubiquiti's UniFi Talk Application allows a network-positioned attacker to coerce the application into making unintended internal requests, resulting in a Denial of Service and an authentication bypass against certain UniFi Talk API endpoints. The flaw carries CVSS 7.5 (scope-changed, high availability impact) and is reachable by remote attackers without authentication (PR:N), though a high attack complexity (AC:H) constrains reliable exploitation. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

SSRF Ubiquiti Denial Of Service +1
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Arbitrary file disclosure in Ubiquiti UniFi Protect Floodlight devices lets a network-adjacent attacker read files on the device via path traversal, exposing potentially sensitive local data. The flaw (CWE-22) is remotely reachable without authentication per the CVSS vector (PR:N) and carries high confidentiality impact but no integrity or availability effect. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV; Ubiquiti has issued a fix via Security Advisory Bulletin 066.

Ubiquiti Path Traversal Unifi Protect Floodlight
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Privilege escalation via Server-Side Request Forgery affects Ubiquiti UniFi OS devices and the UniFi OS Server across the Dream Machine, Dream Router, Cloud Gateway, Cloud Key, Enterprise Fortress/Firewall, and NVR/EVR product lines running versions below 5.1.19. A low-privileged user with network access can coerce the device into making attacker-controlled internal requests, leveraging the SSRF to reach privileged internal services and elevate to higher privileges within the appliance. No public exploit identified at time of analysis, EPSS risk is low (0.20%, 10th percentile), and the flaw is not listed in CISA KEV, but a vendor patch is available.

SSRF Ubiquiti Unifi Os Server +11
NVD VulDB
EPSS 1% CVSS 8.8
HIGH PATCH This Week

Command injection in Ubiquiti UniFi OS (all builds before 5.1.19) lets a low-privileged user on the same network run arbitrary operating-system commands on the underlying host device, giving full control of gateways, recorders, and Cloud Keys. The flaw stems from improper input validation (CWE-20) and carries high confidentiality, integrity, and availability impact (CVSS 8.8). There is no public exploit identified at time of analysis, and CISA's SSVC framework rates exploitation as none, but the technical impact is total and a vendor patch is already available.

Command Injection Ubiquiti Unifi Os Server +11
NVD VulDB
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

Privilege escalation in Ubiquiti's UniFi Talk Application allows an authenticated attacker holding a low-privileged account to chain multiple SQL injection flaws (CWE-89) and gain elevated control over the underlying host device. The issue carries a critical 9.9 CVSS score driven by network reachability, low attack complexity, and a scope change from the application into the host OS. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the low bar of only needing minimal authenticated access makes this a high-priority patch for exposed UniFi Talk deployments.

Ubiquiti SQLi Unifi Talk Application
NVD
EPSS 1% CVSS 10.0
CRITICAL PATCH Act Now

Improper access control in Ubiquiti's UniFi Connect Application allows a network-adjacent attacker to bypass authentication and inject arbitrary operating-system commands on the underlying host, yielding full compromise (CVSS 10.0). The flaw chains an access-control weakness (CWE-284) with command injection, so an unauthenticated attacker reachable on the network can execute code with the application's privileges and pivot beyond the app boundary (scope change). No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV; EPSS data was not provided.

Authentication Bypass Ubiquiti Command Injection +1
NVD
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Cross-site session abuse in Ubiquiti UniFi OS lets a remote attacker who lures an authenticated operator to a malicious web page ride that user's active session to perform privileged actions on the device, stemming from a permissive CORS policy that trusts untrusted origins. The flaw affects UniFi OS Server and the console firmware running on Dream Machines, Dream Routers, Dream Wall, Cloud Gateways, Cloud Keys, Enterprise Fortress Gateway, Express 7, and Network/Enterprise Video Recorders. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; success hinges on social-engineering an already-logged-in admin (CVSS 7.5, UI:R, AC:H).

Ubiquiti Cors Misconfiguration Information Disclosure +12
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Privilege escalation in Ubiquiti UniFi OS allows a low-privileged, network-adjacent user to chain a series of authenticated SQL injection flaws (CWE-89) to gain elevated privileges on affected UniFi OS instances and hardware. The issue affects UniFi OS Server and a broad range of Ubiquiti gateway, recorder, and Cloud Key appliances. There is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV, but the CVSS 8.8 rating and low attack complexity make it a meaningful escalation risk once an attacker has any authenticated foothold.

Ubiquiti SQLi Unifi Os Server +11
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Privilege escalation in Ubiquiti's UniFi Access Application allows an attacker who already holds high privileges and network reachability to break out and gain elevated control of the underlying host device. The flaw is an improper access control issue (CWE-284) tagged as an authentication bypass, carrying a CVSS 9.1 (Critical) rating driven largely by its scope-changing impact. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV.

Authentication Bypass Ubiquiti Unifi Access Application
NVD
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Privilege escalation via path traversal in self-hosted UniFi Network Application (Ubiquiti's controller software) allows an authenticated, high-privileged attacker with network access to write files outside intended directories and escalate write permissions on the underlying host. The CVSS 3.1 base score is 8.7 with a scope change, reflecting that the flaw lets the application's write capability break out to affect the host system beyond the application's security boundary. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; it was reported through HackerOne and addressed in Ubiquiti Security Advisory Bulletin 066.

Ubiquiti Path Traversal Unifi Network Application
NVD
EPSS 1% CVSS 9.9
CRITICAL PATCH Act Now

Command injection in Ubiquiti's UniFi Access Application lets a low-privileged attacker with network reach run arbitrary OS commands on the underlying host device, escaping the application into the operating system (CVSS 9.9, scope-changed). Improper input validation (CWE-20) means attacker-supplied data reaches a shell context; there is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV. Reported through HackerOne and addressed in Ubiquiti Security Advisory Bulletin 066.

Command Injection Ubiquiti Unifi Access Application
NVD
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Authentication bypass in Ubiquiti's UniFi Protect Application (versions before 7.1.83) allows a network-adjacent attacker to access data streaming without valid credentials due to improper access control. An unauthenticated attacker on a reachable network can view video/data streams that should be protected, with SSVC flagging the flaw as automatable. No public exploit has been identified at time of analysis, and the EPSS probability is low (0.27%), but the CVSS 9.8 rating and network exposure make it a meaningful patch priority.

Authentication Bypass Ubiquiti Unifi Protect Application
NVD
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Authentication bypass in Ubiquiti UniFi Protect Application (versions prior to 7.1.83) allows a network-adjacent attacker to circumvent authentication controls on UniFi Protect Cameras via an improper initialization flaw. The bypass yields total compromise of camera confidentiality, integrity, and availability, though exploitation depends on certain unspecified conditions and carries high attack complexity. No public exploit is identified at time of analysis, and EPSS probability is low (0.24%), consistent with the CISA SSVC assessment of no known exploitation.

Authentication Bypass Ubiquiti Unifi Protect Application
NVD
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Authentication bypass in Ubiquiti UniFi OS devices allows a network-adjacent attacker to abuse a path traversal flaw (CWE-22) to reach protected functionality without valid credentials, affecting a broad hardware line including Dream Machines/Routers/Wall, Cloud Gateways/Keys, Express 7, Enterprise Fortress Gateway, and the UniFi OS Server software. The CVSS 8.6 rating is driven by an unauthenticated, low-complexity network vector combined with a scope change (S:C), meaning the compromised authentication boundary exposes managed device data. No public exploit identified at time of analysis and it is not listed in CISA KEV, but the ubiquity of affected consoles makes this a high-priority patch.

Ubiquiti Path Traversal Unifi Os Server +11
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in Ubiquiti's UniFi Network Application allows a remote, unauthenticated attacker with network access to crash or render the application unavailable by sending malformed input that the application fails to properly validate (CWE-20). The flaw carries a CVSS 7.5 rating driven entirely by availability impact (C:N/I:N/A:H), with no confidentiality or integrity consequences. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Ubiquiti Denial Of Service Unifi Network Application
NVD
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Authentication bypass in Ubiquiti UniFi Protect Application lets a network-adjacent attacker reach certain API endpoints without valid credentials due to improper access control (CWE-284). Rated CVSS 8.6, the flaw combines low confidentiality and integrity impact with high availability impact, meaning an unauthenticated actor on the network could interact with protected surveillance-management functions. No public exploit identified at time of analysis, and it is not listed in CISA KEV, but the network vector with no privileges required (AV:N/PR:N) makes it a meaningful exposure for internet- or LAN-reachable deployments.

Authentication Bypass Ubiquiti Unifi Protect Application
NVD
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

Authenticated command injection in Ubiquiti UniFi OS allows low-privileged network-adjacent attackers to execute arbitrary OS commands on UniFi gateways, controllers, NVRs, and NAS devices, with a CVSS 9.9 score reflecting scope change and full CIA impact. The vulnerability affects a broad device family including UDM, UDM Pro/SE/Max/Beast, UDR, UDW, UCG, UNVR, and UNAS lines per Ubiquiti Security Advisory Bulletin 065. No public exploit identified at time of analysis and the issue is not currently listed in CISA KEV.

Command Injection Ubiquiti Unifi Os Server +31
NVD VulDB
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

Privilege escalation in Ubiquiti UniFi OS allows a low-privileged attacker with network access to elevate privileges on affected UniFi OS devices and instances due to improper input validation (CWE-20). The CVSS 9.9 score reflects a scope-changing impact spanning UniFi Dream Machine, UniFi Express, UDR, UCG, UNVR, UNAS, and other UniFi OS Server platforms. No public exploit identified at time of analysis, and the vulnerability is not currently listed in CISA KEV.

Privilege Escalation Ubiquiti Unifi Os Server +31
NVD VulDB
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Information disclosure in Ubiquiti UniFi OS devices allows unauthenticated network-adjacent attackers to read sensitive data via a path traversal flaw (CWE-22). The high CVSS 8.6 score reflects a scope change with high confidentiality impact, indicating that disclosed data can affect resources beyond the vulnerable component itself. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Path Traversal Ubiquiti Unifi Os Server +31
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Improper access control in Ubiquiti UniFi OS allows network-adjacent attackers to make unauthorized configuration changes to UniFi Dream Machine, Cloud Gateway, and Express gateway devices under certain network configurations. The flaw, scored CVSS 8.1 with full CIA impact, requires no authentication (PR:N) but has high attack complexity (AC:H), and no public exploit identified at time of analysis. Disclosed via HackerOne and addressed in Ubiquiti Security Advisory Bulletin 065.

Authentication Bypass Ubiquiti Udm +14
NVD VulDB
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Path traversal in Ubiquiti UniFi OS devices allows authenticated low-privileged network attackers to read arbitrary files on the underlying device filesystem, enabling disclosure of sensitive information such as configuration data, credentials, or cryptographic material. The flaw (CVSS 7.7, scope-changed) affects a broad fleet of UniFi gateways, cloud keys, NVRs, and NAS appliances. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Ubiquiti Path Traversal Unifi Os Server +30
NVD VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Command injection in Ubiquiti UniFi OS devices allows a high-privileged attacker on the network to execute arbitrary operating system commands by abusing improperly validated input. The flaw carries a critical CVSS 9.1 score with scope change, indicating successful exploitation can break out of the originating security context, though no public exploit identified at time of analysis.

Ubiquiti Command Injection Unifi Os Server
NVD VulDB
EPSS 0% 5.0 CVSS 10.0
CRITICAL POC KEV PATCH THREAT Act Now

Unauthenticated command injection in Ubiquiti UniFi OS devices allows remote attackers with network access to execute arbitrary operating system commands by sending crafted input that bypasses validation. The flaw carries a maximum CVSS 10.0 score with scope change (S:C) impacting confidentiality, integrity, and availability, and affects a broad fleet of UniFi gateways, NVRs, NAS units, and Cloud Keys. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Ubiquiti Command Injection Unifi Os Server +30
NVD VulDB
EPSS 0% 5.0 CVSS 10.0
CRITICAL POC KEV PATCH THREAT Act Now

Unauthorized system modification on Ubiquiti UniFi OS devices allows network-adjacent attackers to alter device configuration without authentication, affecting a broad range of UniFi gateways, dream machines, NVRs, NAS units, and cloud keys. The maximum CVSS 10.0 score reflects network-reachable, unauthenticated exploitation with scope change and full confidentiality, integrity, and availability impact; no public exploit identified at time of analysis, but the authentication bypass nature elevates urgency for any UniFi management plane exposed beyond trusted segments.

Ubiquiti Authentication Bypass Unifi Os Server +30
NVD VulDB GitHub
EPSS 0% 5.0 CVSS 10.0
CRITICAL POC KEV PATCH THREAT Act Now

Path traversal in Ubiquiti UniFi OS devices allows network-adjacent attackers to read sensitive files from the underlying system, which can then be leveraged to take over an underlying account. The flaw carries a maximum CVSS 10.0 score reflecting unauthenticated network exploitation with scope change and full confidentiality, integrity, and availability impact across a broad fleet of UniFi gateways, cameras, NVRs, and NAS appliances. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Ubiquiti Path Traversal Unifi Os Server +30
NVD VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Critical command injection in Ubiquiti UniFi Play PowerAmp and Audio Port allows remote unauthenticated attackers to execute arbitrary commands with network access to the device management interface. Affects PowerAmp versions ≤1.0.35 and Audio Port versions ≤1.0.24. CVSS 9.8 critical severity reflects network-accessible attack with no authentication barriers. EPSS score of 0.08% (24th percentile) suggests low immediate exploitation probability despite critical scoring. Vendor-released patches av

Command Injection Ubiquiti
NVD
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Path traversal in UniFi Play PowerAmp (≤1.0.35) and Audio Port (≤1.0.24) firmware allows unauthenticated remote attackers to write arbitrary files for remote code execution. CVSS 9.8 critical severity reflects network-accessible attack requiring no authentication or user interaction. EPSS score of 0.11% (30th percentile) suggests low immediate exploitation probability despite critical rating. No public exploit identified at time of analysis. Reported via HackerOne bug bounty, vendor patches avai

RCE Ubiquiti Path Traversal
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Improper access control in Ubiquiti UniFi Play PowerAmp (≤1.0.35) and Audio Port (≤1.0.24) exposes WiFi credentials to network-adjacent attackers without authentication. The CVSS:3.1 vector (AV:N/AC:L/PR:N/UI:N) indicates remote exploitation with no authentication required, though the vulnerability description specifies 'access to the UniFi Play network' as a prerequisite. Reported via HackerOne bug bounty. EPSS score of 0.01% (1st percentile) suggests minimal observed exploitation activity, and no public exploit code or CISA KEV listing identified at time of analysis.

Authentication Bypass Ubiquiti
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in Ubiquiti UniFi Play PowerAmp (≤1.0.35) and Audio Port (≤1.0.24) allows unauthenticated remote attackers to crash devices via improper input validation. CVSS 7.5 (High) with network-based attack requiring no privileges or user interaction. EPSS score of 0.01% (1st percentile) indicates minimal real-world exploitation likelihood. No public exploit identified at time of analysis. Vendor-released patches available: PowerAmp 1.0.38+ and Audio Port 1.1.9+.

Information Disclosure Ubiquiti
NVD
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Remote unauthenticated attackers can enable SSH and gain complete system control on Ubiquiti UniFi Play PowerAmp (≤1.0.35) and UniFi Play Audio Port (≤1.0.24) devices via improper access control. The vulnerability bypasses authentication mechanisms, allowing network-accessible adversaries to modify system configurations with critical impact across confidentiality, integrity, and availability (CVSS 9.8). No public exploit identified at time of analysis, with low EPSS probability (0.01%, 3rd percentile) suggesting limited observed exploitation attempts despite the critical severity rating.

Authentication Bypass Ubiquiti
NVD
EPSS 0% CVSS 7.7
HIGH PATCH This Week

UniFi Network Controller before version 5.10.22 and 5.11.x before 5.11.18 contains an improper certificate verification vulnerability that allows adjacent network attackers to conduct man-in-the-middle attacks by presenting a false SSL certificate...

Information Disclosure Ubiquiti
NVD VulDB
EPSS 0% CVSS 9.0
CRITICAL PATCH Act Now

Adjacent attackers can decrypt device-to-controller traffic in Ubiquiti UniFi Network deployments and gain unauthorized control of network infrastructure by exploiting cryptographic weaknesses in AES-CBC implementation. Affected products include UniFi Network Controller (pre-5.10.12), UAP access points (pre-4.0.6/3.8.17 depending on model), UniFi switches (pre-4.0.6), and UniFi gateways (pre-4.4.34). While EPSS risk is minimal at 0.01% and no active exploitation is confirmed (SSVC: exploitation=none), the vulnerability enables complete compromise of network device management once sufficient traffic is captured, warranting attention in environments where adjacent network access is plausible.

Authentication Bypass Ubiquiti
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Ubiquiti UniFi Network Server versions 10.1.85 and earlier are vulnerable to account takeover through improper input validation when users click malicious links in social engineering attacks. An attacker can gain unauthorized account access with high impact on confidentiality, integrity, and availability. Users should upgrade to version 10.1.89 or later to remediate this vulnerability.

Ubiquiti Authentication Bypass
NVD VulDB
EPSS 0% CVSS 7.7
HIGH This Week

UniFi Network Application allows authenticated attackers to escalate privileges via NoSQL injection with high confidentiality impact. The vulnerability enables network-accessible attackers holding low-privilege credentials to exploit database queries and access sensitive information belonging to higher-privileged users or contexts. With an EPSS score of 0.03% (7th percentile) and no public exploit identified at time of analysis, real-world exploitation probability is currently assessed as low despite the 7.7 CVSS severity rating.

Ubiquiti Nosql Injection Privilege Escalation
NVD VulDB
EPSS 0% CVSS 10.0
CRITICAL POC Act Now

A critical path traversal vulnerability exists in the UniFi Network Application that allows unauthenticated remote attackers to access arbitrary files on the underlying system and manipulate them to gain account access. This vulnerability affects Ubiquiti's UniFi Network Application with a maximum CVSS score of 10.0, indicating critical severity with network-based exploitation requiring no user interaction or privileges. The vulnerability was reported through HackerOne, suggesting responsible disclosure, though current exploitation status in the wild is not confirmed.

Path Traversal Ubiquiti
NVD VulDB
EPSS 0% CVSS 8.1
HIGH This Month

An Improper Access Control could allow a malicious actor authenticated in the API of certain UniFi Connect Display Cast devices to make unsupported changes to the system. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Ubiquiti
NVD
EPSS 0% CVSS 9.8
CRITICAL This Week

A Missing Authentication for Critical Function vulnerability in the UniFi Connect EV Station Pro may allow a malicious actor with physical or adjacent access to perform an unauthorized factory reset. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Ubiquiti
NVD
EPSS 0% CVSS 4.9
MEDIUM Monitor

An Improper Access Control could allow a malicious actor authenticated in the API of certain UniFi Connect devices to enable Android Debug Bridge (ADB) and make unsupported changes to the system. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Ubiquiti Google +1
NVD
EPSS 0% CVSS 9.8
CRITICAL This Week

Multiple Improper Input Validation vulnerabilities in UniFi Connect EV Station Lite may allow a Command Injection by a malicious actor with network access to the UniFi Connect EV Station Lite. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Ubiquiti Command Injection
NVD
EPSS 0% CVSS 9.8
CRITICAL This Week

An Improper Input Validation in certain UniFi Access devices could allow a Command Injection by a malicious actor with access to UniFi Access management network. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Ubiquiti Command Injection
NVD
EPSS 0% CVSS 4.4
MEDIUM Monitor

A misconfigured access token mechanism in the Unifi Protect Application (Version 5.3.41 and earlier) could permit the recipient of a "Share Livestream" link to maintain access to the corresponding. Rated medium severity (CVSS 4.4), this vulnerability is remotely exploitable. No vendor patch available.

Authentication Bypass Ubiquiti
NVD
EPSS 2% CVSS 10.0
CRITICAL Act Now

A malicious actor with access to the management network could execute a remote code execution (RCE) by exploiting a heap buffer overflow vulnerability in the UniFi Protect Cameras (Version 4.75.43. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow Heap Overflow RCE +1
NVD
EPSS 0% CVSS 7.5
HIGH This Week

An Improper Neutralization of Escape Sequences vulnerability could allow an Authentication Bypass with a Remote Code Execution (RCE) by a malicious actor with access to UniFi Protect Cameras adjacent. Rated high severity (CVSS 7.5), this vulnerability is no authentication required. No vendor patch available.

Authentication Bypass Command Injection RCE +1
NVD
EPSS 0% CVSS 6.4
MEDIUM This Month

An Improper Certificate Validation vulnerability could allow an authenticated malicious actor with access to UniFi Protect Cameras adjacent network to make unsupported changes to the camera system. Rated medium severity (CVSS 6.4). No vendor patch available.

Information Disclosure Ubiquiti
NVD
EPSS 0% CVSS 6.8
MEDIUM This Month

An Insufficient Firmware Update Validation vulnerability could allow an authenticated malicious actor with access to UniFi Protect Cameras adjacent network to make unsupported changes to the camera. Rated medium severity (CVSS 6.8), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Ubiquiti
NVD
EPSS 0% CVSS 9.6
CRITICAL Act Now

An Authentication Bypass vulnerability on UniFi Protect Application with Auto-Adopt Bridge Devices enabled could allow a malicious actor with access to UniFi Protect Cameras adjacent network to take. Rated critical severity (CVSS 9.6), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Ubiquiti
NVD
EPSS 1% CVSS 9.0
CRITICAL Act Now

A Use After Free vulnerability on UniFi Protect Cameras could allow a Remote Code Execution (RCE) by a malicious actor with access to UniFi Protect Cameras management network. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Use After Free Memory Corruption Ubiquiti +2
NVD
EPSS 0% CVSS 5.9
MEDIUM This Month

An Improper Certificate Validation on UniFi OS devices, with Identity Enterprise configured, could allow a malicious actor to execute a man-in-the-middle (MitM) attack during application update. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Ubiquiti Information Disclosure
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Ubiquiti U7-Pro 7.0.35 was discovered to contain a hardcoded password vulnerability in /etc/shadow, which allows attackers to log in as root. Rated high severity (CVSS 7.5), this vulnerability is no authentication required. No vendor patch available.

Authentication Bypass Ubiquiti
NVD
EPSS 0% CVSS 9.8
CRITICAL Act Now

Ubiquiti U6-LR 6.6.65 was discovered to contain a hardcoded password vulnerability in /etc/shadow, which allows attackers to log in as root. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Ubiquiti
NVD
EPSS 0% CVSS 7.1
HIGH This Week

An Improper Certificate Validation on the UniFi iOS App managing a standalone UniFi Access Point (not using UniFi Network Application) could allow a malicious actor with access to an adjacent network. Rated high severity (CVSS 7.1), this vulnerability is no authentication required. No vendor patch available.

Apple Information Disclosure Ubiquiti
NVD
EPSS 0% CVSS 8.8
HIGH This Week

A Local privilege escalation vulnerability found in a Self-Hosted UniFi Network Server with UniFi Network Application (Version 8.4.62 and earlier) allows a malicious actor with a local operational. Rated high severity (CVSS 8.8), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Ubiquiti
NVD
EPSS 0% CVSS 6.6
MEDIUM This Month

Ubiquiti AirMax firmware version firmware version 8 allows attackers with physical access to gain a privileged command shell via the UART Debugging Port. Rated medium severity (CVSS 6.6), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Ubiquiti
NVD
EPSS 1% CVSS 7.8
HIGH This Week

A Command Injection vulnerability found in a Self-Hosted UniFi Network Servers (Linux) with UniFi Network Application (Version 8.3.32 and earlier) allows a malicious actor with unifi user shell. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Command Injection Ubiquiti Unifi Network Application
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

A misconfiguration on UniFi U6+ Access Point could cause an incorrect VLAN traffic forwarding to APs meshed to UniFi U6+ Access Point. Rated medium severity (CVSS 5.3), this vulnerability is no authentication required. No vendor patch available.

Information Disclosure Ubiquiti
NVD
EPSS 0% CVSS 4.8
MEDIUM This Month

UniFi iOS app 10.15.0 introduces a misconfiguration on 2nd Generation UniFi Access Points configured as standalone (not using UniFi Network Application) that could cause the SSID name to change. Rated medium severity (CVSS 4.8), this vulnerability is no authentication required. No vendor patch available.

Apple Information Disclosure Ubiquiti
NVD
EPSS 0% CVSS 2.2
LOW Monitor

An Unverified Password Change could allow a malicious actor with API access to the device to change the system password without knowing the previous password. Rated low severity (CVSS 2.2), this vulnerability is remotely exploitable. No vendor patch available.

Brute Force Ubiquiti Information Disclosure
NVD
EPSS 0% CVSS 7.5
HIGH This Week

An Improper Certificate Validation could allow a malicious actor with access to an adjacent network to take control of the system. Rated high severity (CVSS 7.5), this vulnerability is no authentication required. No vendor patch available.

Authentication Bypass Ubiquiti
NVD
EPSS 0% CVSS 2.2
LOW Monitor

An Improper Access Control could allow a malicious actor authenticated in the API to enable Android Debug Bridge (ADB) and make unsupported changes to the system. Rated low severity (CVSS 2.2), this vulnerability is remotely exploitable. No vendor patch available.

Authentication Bypass Google Ubiquiti
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

A Command Injection vulnerability found in a Self-Hosted UniFi Network Servers (Linux) with UniFi Network Application (Version 8.0.28 and earlier) allows a malicious actor with UniFi Network. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Command Injection Ubiquiti
NVD
EPSS 1% CVSS 7.5
HIGH This Week

A malformed discovery packet sent by a malicious actor with preexisting access to the network could interrupt the functionality of device management and discovery. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Ubiquiti
NVD
EPSS 1% CVSS 5.3
MEDIUM This Month

Instances of UniFi Network Application that (i) are run on a UniFi Gateway Console, and (ii) are versions 7.5.176. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Ubiquiti Authentication Bypass Unifi Network Application
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

A command injection vulnerability in the DHCP Client function of all UniFi Access Points and Switches, excluding the Switch Flex Mini, could allow a Remote Code Execution (RCE). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Ubiquiti RCE Command Injection +2
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

An integer overflow vulnerability in all UniFi Access Points and Switches, excluding the Switch Flex Mini, with SNMP Monitoring and default settings enabled could allow a Remote Code Execution (RCE). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Integer Overflow RCE Ubiquiti +2
NVD
EPSS 0% CVSS 4.8
MEDIUM This Month

A Cross-Site Scripting (XSS) vulnerability found in UniFi Network (Version 7.3.83 and earlier) allows a malicious actor with Site Administrator credentials to escalate privileges by persuading an. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Ubiquiti XSS Unifi Network Application
NVD
EPSS 0% CVSS 9.0
CRITICAL Act Now

UniFi OS 3.1 introduces a misconfiguration on consoles running UniFi Network that allows users on a local network to access MongoDB. Rated critical severity (CVSS 9.0), this vulnerability is low attack complexity. No vendor patch available.

Ubiquiti Authentication Bypass Unifi Os
NVD
EPSS 1% CVSS 9.1
CRITICAL Act Now

A backup file vulnerability found in UniFi applications (Version 7.3.83 and earlier) running on Linux operating systems allows application administrators to execute malicious commands on the host. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Ubiquiti Command Injection Unifi Network Application
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

A Cross-site WebSocket Hijacking (CSWSH) vulnerability found in UniFi OS 2.5 and earlier allows a malicious actor to access certain confidential information by persuading a UniFi OS user to visit a. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Ubiquiti CSRF Unifi Os
NVD
EPSS 1% CVSS 7.5
HIGH POC This Week

A vulnerability classified as critical has been found in Ubiquiti EdgeRouter X up to 2.0.9-hotfix.6. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Ubiquiti Denial Of Service Er X Firmware +1
NVD GitHub VulDB
EPSS 4% CVSS 7.3
HIGH POC This Week

A flaw has been found in Ubiquiti EdgeRouter X up to 2.0.9-hotfix.6. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Ubiquiti Command Injection Er X Firmware +1
NVD GitHub VulDB
EPSS 4% CVSS 7.3
HIGH POC This Week

A vulnerability was detected in Ubiquiti EdgeRouter X up to 2.0.9-hotfix.6. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Ubiquiti Command Injection Er X Firmware +1
NVD GitHub VulDB
EPSS 4% CVSS 7.3
HIGH POC This Week

A security vulnerability has been detected in Ubiquiti EdgeRouter X up to 2.0.9-hotfix.6. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Ubiquiti Command Injection Er X Firmware +1
NVD GitHub VulDB
EPSS 7% CVSS 7.3
HIGH POC This Week

A weakness has been identified in Ubiquiti EdgeRouter X up to 2.0.9-hotfix.6. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Ubiquiti Command Injection Er X Firmware +1
NVD GitHub VulDB
EPSS 5% CVSS 7.3
HIGH POC This Week

A security flaw has been discovered in Ubiquiti EdgeRouter X up to 2.0.9-hotfix.6. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Ubiquiti Command Injection Er X Firmware +1
NVD GitHub VulDB
EPSS 4% CVSS 7.3
HIGH POC This Week

A vulnerability was identified in Ubiquiti EdgeRouter X up to 2.0.9-hotfix.6. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Ubiquiti Command Injection Edgemax Edgerouter Firmware
NVD GitHub VulDB
EPSS 3% CVSS 9.8
CRITICAL POC Act Now

A vulnerability has been found in Ubiquiti EdgeRouter X 2.0.9-hotfix.6 and classified as critical. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Ubiquiti Command Injection Edgerouter X Firmware
NVD VulDB
EPSS 2% CVSS 9.8
CRITICAL Act Now

A vulnerability, which was classified as critical, was found in Ubiquiti EdgeRouter X 2.0.9-hotfix.6. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Ubiquiti Command Injection Edgerouter X Firmware
NVD VulDB
EPSS 2% CVSS 9.8
CRITICAL Act Now

A vulnerability, which was classified as critical, has been found in Ubiquiti EdgeRouter X 2.0.9-hotfix.6. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Ubiquiti Command Injection Edgerouter X Firmware
NVD VulDB
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

Ubiquiti Networks UniFi Dream Machine Pro v7.2.95 allows attackers to bypass domain restrictions via crafted packets. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Ubiquiti Authentication Bypass Unifi Dream Machine Pro Firmware
NVD GitHub
EPSS 1% CVSS 8.8
HIGH POC This Week

A vulnerability, found in EdgeRouters Version 2.0.9-hotfix.5 and earlier and UniFi Security Gateways (USG) Version 4.4.56 and earlier with their DHCPv6 prefix delegation set to dhcpv6-stateless or. Rated high severity (CVSS 8.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Ubiquiti RCE Usg Firmware +9
NVD
EPSS 0% CVSS 5.9
MEDIUM POC This Month

The use of the cyclic redundancy check (CRC) algorithm for integrity check during firmware update makes Ubiquiti airFiber AF2X Radio firmware version 3.2.2 and earlier vulnerable to firmware. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Ubiquiti Authentication Bypass Af 2X Firmware
NVD
Page 1 of 2 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy