Description
A malicious actor with access to the network and high privileges could exploit an Improper Input Validation vulnerability found in UniFi OS devices to execute a Command Injection.
Published: 2026-05-22
Score: 9.1 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in UniFi OS devices allows a malicious actor who can access the local network and has high privileges to send specially crafted input to the system. The improper validation of that input enables the attacker to inject arbitrary operating‑system commands, resulting in the execution of any command with the service’s elevated privileges. The consequence is full compromise of the affected device and potential lateral movement across the network.

Affected Systems

The vulnerability is present in Ubiquiti Inc. UniFi OS Servers. No specific firmware or software version information is disclosed, so all UniFi OS Server instances that have not applied a vendor fix are potentially affected.

Risk and Exploitability

The CVSS score of 9.1 indicates critical severity. No EPSS score is available, and the absence of a KEV listing does not diminish the urgency. The flaw requires the attacker to be on the same network segment and to possess high‑privilege credentials, conditions that are often met in typical deployments. Once that foothold is obtained, command injection leads to full system compromise and potential spread to other network assets.

Generated by OpenCVE AI on May 22, 2026 at 02:21 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Review Ubiquiti’s community or support pages for a firmware update that fixes improper input validation.
  • When a patch is released, install it on all UniFi OS Servers immediately.
  • Segment the network so that only trusted devices and administrators have high‑privilege access to UniFi OS Servers, limiting the impact of a compromised account.
  • Enable logging and monitor for anomalous command‑execution patterns on UniFi OS Servers to detect exploitation attempts.

Tracking


Advisories

No advisories yet.

History

Fri, 22 May 2026 02:45:00 +0000

Type: Title
Values removed: none
Values added: Command Injection via Improper Input Validation in UniFi OS Devices

Fri, 22 May 2026 01:30:00 +0000

Type: Description
Values removed: none
Values added: A malicious actor with access to the network and high privileges could exploit an Improper Input Validation vulnerability found in UniFi OS devices to execute a Command Injection.

Type: Weaknesses
Values removed: none
Values added: CWE-20

Type: References
Values removed: none
Values added: none

Type: Metrics
Values removed: none
Values added: cvssV3_1 {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: hackerone

Published:

Updated: 2026-05-22T00:43:49.138Z

Reserved: 2026-03-17T15:00:07.747Z

Link: CVE-2026-33000

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-22T02:16:33.933

Modified: 2026-05-22T02:16:33.933

Link: CVE-2026-33000

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-22T02:30:16Z

Weaknesses