Unifi Access Application
Monthly
Arbitrary file disclosure in Ubiquiti's UniFi Access Application allows a network-adjacent, unauthenticated attacker to read files on the underlying host via path traversal (CWE-22), carrying a CVSS 8.6 rating driven by a scope change and high confidentiality impact. The flaw was reported through HackerOne and addressed in Ubiquiti Security Advisory Bulletin 066. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Privilege escalation in Ubiquiti's UniFi Access Application allows an attacker who already holds high privileges and network reachability to break out and gain elevated control of the underlying host device. The flaw is an improper access control issue (CWE-284) tagged as an authentication bypass, carrying a CVSS 9.1 (Critical) rating driven largely by its scope-changing impact. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV.
Command injection in Ubiquiti's UniFi Access Application lets a low-privileged attacker with network reach run arbitrary OS commands on the underlying host device, escaping the application into the operating system (CVSS 9.9, scope-changed). Improper input validation (CWE-20) means attacker-supplied data reaches a shell context; there is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV. Reported through HackerOne and addressed in Ubiquiti Security Advisory Bulletin 066.
Arbitrary file disclosure in Ubiquiti's UniFi Access Application allows a network-adjacent, unauthenticated attacker to read files on the underlying host via path traversal (CWE-22), carrying a CVSS 8.6 rating driven by a scope change and high confidentiality impact. The flaw was reported through HackerOne and addressed in Ubiquiti Security Advisory Bulletin 066. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Privilege escalation in Ubiquiti's UniFi Access Application allows an attacker who already holds high privileges and network reachability to break out and gain elevated control of the underlying host device. The flaw is an improper access control issue (CWE-284) tagged as an authentication bypass, carrying a CVSS 9.1 (Critical) rating driven largely by its scope-changing impact. No public exploit has been identified at time of analysis, and the issue is not listed in CISA KEV.
Command injection in Ubiquiti's UniFi Access Application lets a low-privileged attacker with network reach run arbitrary OS commands on the underlying host device, escaping the application into the operating system (CVSS 9.9, scope-changed). Improper input validation (CWE-20) means attacker-supplied data reaches a shell context; there is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV. Reported through HackerOne and addressed in Ubiquiti Security Advisory Bulletin 066.