The vulnerability is an Improper Input Validation flaw in UniFi OS devices that allows a malicious actor who has access to the local network to supply crafted input to the device and cause it to execute arbitrary operating‑system commands with device privileges. This flaw permits the device to run commands supplied by an attacker, leading to full compromise of the affected device.

Affected products include Ubiquiti Inc EFG, Ubiquiti Inc ENVR, Ubiquiti Inc ENVR‑Core, Ubiquiti Inc Express 7, Ubiquiti Inc UCG‑Fiber, Ubiquiti Inc UCG‑Industrial, Ubiquiti Inc UCG‑Max, Ubiquiti Inc UCG‑Ultra, Ubiquiti Inc UCK, Ubiquiti Inc UCK‑Enterprise, Ubiquiti Inc UCKP, Ubiquiti Inc UDM, Ubiquiti Inc UDM‑Beast, Ubiquiti Inc UDM‑Pro, Ubiquiti Inc UDM‑Pro‑Max, Ubiquiti Inc UDM‑SE, Ubiquiti Inc UDR, Ubiquiti Inc UDR‑5G, Ubiquiti Inc UDR7, Ubiquiti Inc UDW, Ubiquiti Inc UNAS‑2, Ubiquiti Inc UNAS‑4, Ubiquiti Inc UNAS‑Pro, Ubiquiti Inc UNAS‑Pro‑4, Ubiquiti Inc UNAS‑Pro‑8, Ubiquiti Inc UNVR, Ubiquiti Inc UNVR‑G2, Ubiquiti Inc UNVR‑G2‑Pro, Ubiquiti Inc UNVR‑Instant, Ubiquiti Inc UNVR‑Pro, and Ubiquiti Inc UniFi OS Server. No specific version information is reported.

The flaw has a CVSS score of 10, indicating maximum severity. The EPSS score is 18%, suggesting a moderate probability of exploitation; it is not listed in the CISA KEV catalog. The description indicates that the attacker must have network access to reach the affected input handling code; this is the likely attack vector. Because the flaw allows arbitrary command execution, exploitation would enable an attacker to take complete control of a device if the attacker can reach it.