28
CVEs
15
Critical
8
High
0
KEV
0
PoC
10
Unpatched C/H
46.4%
Patch Rate
0.2%
Avg EPSS
Severity Breakdown
CRITICAL
15
HIGH
8
MEDIUM
5
LOW
0
Monthly CVE Trend
Affected Products (1)
Top Risky CVEs
| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2025-23123 | A malicious actor with access to the management network could execute a remote code execution (RCE) by exploiting a heap buffer overflow vulnerability in the UniFi Protect Cameras (Version 4.75.43. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available. | CRITICAL | 10.0 | 1.7% | 52 |
No patch
|
| CVE-2026-22557 | A critical path traversal vulnerability exists in the UniFi Network Application that allows unauthenticated remote attackers to access arbitrary files on the underlying system and manipulate them to gain account access. This vulnerability affects Ubiquiti's UniFi Network Application with a maximum CVSS score of 10.0, indicating critical severity with network-based exploitation requiring no user interaction or privileges. The vulnerability was reported through HackerOne, suggesting responsible disclosure, though current exploitation status in the wild is not confirmed. | CRITICAL | 10.0 | 0.0% | 50 |
No patch
|
| CVE-2026-34908 | Unauthorized system modification on Ubiquiti UniFi OS devices allows network-adjacent attackers to alter device configuration without authentication, affecting a broad range of UniFi gateways, dream machines, NVRs, NAS units, and cloud keys. The maximum CVSS 10.0 score reflects network-reachable, unauthenticated exploitation with scope change and full confidentiality, integrity, and availability impact; no public exploit identified at time of analysis, but the authentication bypass nature elevates urgency for any UniFi management plane exposed beyond trusted segments. | CRITICAL | 10.0 | 0.0% | 50 |
|
| CVE-2026-34909 | Path traversal in Ubiquiti UniFi OS devices allows network-adjacent attackers to read sensitive files from the underlying system, which can then be leveraged to take over an underlying account. The flaw carries a maximum CVSS 10.0 score reflecting unauthenticated network exploitation with scope change and full confidentiality, integrity, and availability impact across a broad fleet of UniFi gateways, cameras, NVRs, and NAS appliances. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV. | CRITICAL | 10.0 | 0.0% | 50 |
|
| CVE-2026-34910 | Unauthenticated command injection in Ubiquiti UniFi OS devices allows remote attackers with network access to execute arbitrary operating system commands by sending crafted input that bypasses validation. The flaw carries a maximum CVSS 10.0 score with scope change (S:C) impacting confidentiality, integrity, and availability, and affects a broad fleet of UniFi gateways, NVRs, NAS units, and Cloud Keys. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV. | CRITICAL | 10.0 | 0.1% | 50 |
|
| CVE-2026-22562 | Path traversal in UniFi Play PowerAmp (≤1.0.35) and Audio Port (≤1.0.24) firmware allows unauthenticated remote attackers to write arbitrary files for remote code execution. CVSS 9.8 critical severity reflects network-accessible attack requiring no authentication or user interaction. EPSS score of 0.11% (30th percentile) suggests low immediate exploitation probability despite critical rating. No public exploit identified at time of analysis. Reported via HackerOne bug bounty, vendor patches avai | CRITICAL | 9.8 | 0.1% | 49 |
|
| CVE-2026-22563 | Critical command injection in Ubiquiti UniFi Play PowerAmp and Audio Port allows remote unauthenticated attackers to execute arbitrary commands with network access to the device management interface. Affects PowerAmp versions ≤1.0.35 and Audio Port versions ≤1.0.24. CVSS 9.8 critical severity reflects network-accessible attack with no authentication barriers. EPSS score of 0.08% (24th percentile) suggests low immediate exploitation probability despite critical scoring. Vendor-released patches av | CRITICAL | 9.8 | 0.1% | 49 |
|
| CVE-2026-22564 | Remote unauthenticated attackers can enable SSH and gain complete system control on Ubiquiti UniFi Play PowerAmp (≤1.0.35) and UniFi Play Audio Port (≤1.0.24) devices via improper access control. The vulnerability bypasses authentication mechanisms, allowing network-accessible adversaries to modify system configurations with critical impact across confidentiality, integrity, and availability (CVSS 9.8). No public exploit identified at time of analysis, with low EPSS probability (0.01%, 3rd percentile) suggesting limited observed exploitation attempts despite the critical severity rating. | CRITICAL | 9.8 | 0.0% | 49 |
|
| CVE-2025-23116 | An Authentication Bypass vulnerability on UniFi Protect Application with Auto-Adopt Bridge Devices enabled could allow a malicious actor with access to UniFi Protect Cameras adjacent network to take. Rated critical severity (CVSS 9.6), this vulnerability is no authentication required, low attack complexity. No vendor patch available. | CRITICAL | 9.6 | 0.1% | 48 |
No patch
|
| CVE-2025-23115 | A Use After Free vulnerability on UniFi Protect Cameras could allow a Remote Code Execution (RCE) by a malicious actor with access to UniFi Protect Cameras management network. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, no authentication required. No vendor patch available. | CRITICAL | 9.0 | 0.6% | 46 |
No patch
|
| CVE-2026-33000 | Command injection in Ubiquiti UniFi OS devices allows a high-privileged attacker on the network to execute arbitrary operating system commands by abusing improperly validated input. The flaw carries a critical CVSS 9.1 score with scope change, indicating successful exploitation can break out of the originating security context, though no public exploit identified at time of analysis. | CRITICAL | 9.1 | 0.1% | 46 |
|
| CVE-2019-25651 | Adjacent attackers can decrypt device-to-controller traffic in Ubiquiti UniFi Network deployments and gain unauthorized control of network infrastructure by exploiting cryptographic weaknesses in AES-CBC implementation. Affected products include UniFi Network Controller (pre-5.10.12), UAP access points (pre-4.0.6/3.8.17 depending on model), UniFi switches (pre-4.0.6), and UniFi gateways (pre-4.4.34). While EPSS risk is minimal at 0.01% and no active exploitation is confirmed (SSVC: exploitation=none), the vulnerability enables complete compromise of network device management once sufficient traffic is captured, warranting attention in environments where adjacent network access is plausible. | CRITICAL | 9.0 | 0.0% | 45 |
|
| CVE-2026-22559 | Ubiquiti UniFi Network Server versions 10.1.85 and earlier are vulnerable to account takeover through improper input validation when users click malicious links in social engineering attacks. An attacker can gain unauthorized account access with high impact on confidentiality, integrity, and availability. Users should upgrade to version 10.1.89 or later to remediate this vulnerability. | HIGH | 8.8 | 0.1% | 44 |
|
| CVE-2026-22558 | UniFi Network Application allows authenticated attackers to escalate privileges via NoSQL injection with high confidentiality impact. The vulnerability enables network-accessible attackers holding low-privilege credentials to exploit database queries and access sensitive information belonging to higher-privileged users or contexts. With an EPSS score of 0.03% (7th percentile) and no public exploit identified at time of analysis, real-world exploitation probability is currently assessed as low despite the 7.7 CVSS severity rating. | HIGH | 7.7 | 0.0% | 39 |
No patch
|
| CVE-2019-25652 | UniFi Network Controller before version 5.10.22 and 5.11.x before 5.11.18 contains an improper certificate verification vulnerability that allows adjacent network attackers to conduct man-in-the-middle attacks by presenting a false SSL certificate... | HIGH | 7.7 | 0.0% | 39 |
|