Impact
An improper access control flaw (CWE-284) in UniFi OS allows an attacker who can reach an affected device over the network to change its system configuration without authorization. The flaw permits modification of settings that govern how the device operates on the network, compromising the integrity of the device configuration and potentially disrupting the network services the device provides.
Affected Systems
All UniFi OS devices listed by the CNA, including EFG, ENVR, ENVR-Core, Express 7, UCG-Fiber, UCG-Industrial, UCG-Max, UCG-Ultra, UCK, UCK-Enterprise, UCKP, UDM, UDM-Beast, UDM-Pro, UDM-Pro-Max, UDM-SE, UDR, UDR-5G, UDR7, UDW, UNAS-2, UNAS-4, UNAS-Pro, UNAS-Pro-4, UNAS-Pro-8, UNVR, UNVR-G2, UNVR-G2-Pro, UNVR-Instant, UNVR-Pro, and UniFi OS Server. The CNA record gives no affected or fixed firmware version ranges, so until a vendor advisory identifies a fixed release, every deployment of these devices should be treated as vulnerable regardless of the version it is running.
Risk and Exploitability
The vulnerability carries a CVSS base score of 10.0, the maximum severity. The EPSS score is only 2%, but the issue is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, which means CISA has reliable evidence of active exploitation in the wild; when the two signals disagree, the KEV listing should drive prioritization, since EPSS is a predictive estimate while KEV records observed exploitation. Attackers need only network reachability to an affected device; no credentials, privileged access, or user interaction are required. Any device whose management interface is reachable from untrusted networks, and in particular from the internet, should therefore be treated as the highest-priority exposure, and reachability should be restricted to trusted management networks until a fix is applied.
OpenCVE Enrichment