Impact
A flaw in UniFi OS devices allows a malicious actor who can access the local network and has high privileges to send specially crafted input to the system. The improper validation of that input enables the attacker to inject arbitrary operating‑system commands, resulting in the execution of any command with the service’s elevated privileges. The consequence is full compromise of the affected device and potential lateral movement across the network.
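The mechanism described above, improperly validated input reaching a shell, is the generic OS command injection pattern. The following Python example is added here to illustrate that class from a defender's perspective; it is not UniFi OS code, and the `ping` command, the host parameter and the validation rules are illustrative assumptions, not details taken from the advisory. It contrasts the vulnerable habit of interpolating input into a shell string with a hardened form that validates the input against a strict allowlist and passes it as an argv element so no shell ever parses it.

```python
import ipaddress
import re
import subprocess

# Hypothetical service operation: the device pings a host supplied by a privileged caller.
# Nothing here is taken from UniFi OS; it is a constructed illustration of the bug class.

# Characters a POSIX shell treats specially. Their presence in user-controlled text that
# reaches a shell is the signature of command injection.
SHELL_METACHARS = set(";|&$`()<>{}\n\\\"'")

# Strict hostname allowlist (RFC 1123 labels): alphanumerics and hyphens, no leading hyphen.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)


def build_shell_command_vulnerable(host):
    """VULNERABLE pattern: caller input is interpolated into a command line that a shell parses.

    Returned string is what `os.system` / `subprocess.run(..., shell=True)` would hand to /bin/sh;
    any metacharacter in `host` becomes part of the shell syntax.
    """
    return f"ping -c 1 {host}"


def shell_metacharacters(value):
    """Return the set of shell metacharacters found in `value` (useful for input logging/detection)."""
    return {c for c in value if c in SHELL_METACHARS}


def validate_host(host):
    """Allowlist check: accept only a syntactically valid IP address or RFC 1123 hostname."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    return bool(HOSTNAME_RE.match(host))


def build_argv_hardened(host):
    """HARDENED form: validate first, then build an argv list.

    The list is passed to subprocess with shell=False, so `host` is delivered to the program as
    a single argument and is never interpreted as shell syntax.
    """
    if not validate_host(host):
        raise ValueError(f"rejected host argument: {host!r}")
    return ["ping", "-c", "1", host]


def run_hardened(host):
    """Execute the validated argv without a shell. Returns the CompletedProcess."""
    return subprocess.run(build_argv_hardened(host), shell=False, capture_output=True, text=True)


if __name__ == "__main__":
    # Constructed sample inputs: one benign, two carrying injection payload shapes.
    for candidate in ["192.0.2.10", "192.0.2.10; id", "$(id)"]:
        print("input:", repr(candidate))
        print("  vulnerable command line:", repr(build_shell_command_vulnerable(candidate)))
        print("  metacharacters seen:    ", shell_metacharacters(candidate) or "none")
        try:
            print("  hardened argv:          ", build_argv_hardened(candidate))
        except ValueError as exc:
            print("  hardened argv:           REJECTED ->", exc)
```

The two defences are deliberately layered: the allowlist rejects anything that is not a host, and the argv form means that even a value that slips past validation can only ever be one argument to `ping`, never a second command.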
Affected Systems
The vulnerability is present in Ubiquiti Inc. UniFi OS Servers. No specific firmware or software version information is disclosed, so it is uncertain which versions are affected. The statement that every UniFi OS Server instance without the vendor fix is potentially affected is inferred from that missing version information rather than confirmed by a published version range.
Risk and Exploitability
The CVSS score of 9.1 indicates critical severity, while the EPSS score of 1% reflects a low but non‑zero probability of exploitation in the wild. The flaw requires the attacker to be on the same network segment and to hold high‑privilege credentials, a scenario that is common in many deployments. The likely attack vector is therefore a network‑adjacent attacker with elevated privileges who submits malformed input to the affected service. Once those prerequisites are met, the command injection yields code execution with system privileges, enabling full device compromise and potential spread to other network assets. The vulnerability is not listed in the CISA KEV catalog, but its severity makes immediate remediation a priority.
OpenCVE Enrichment