Impact
The vulnerability is an Improper Input Validation flaw (CWE‑20): a malicious actor with network access can supply crafted data to a UniFi OS device and cause it to execute arbitrary operating‑system commands with the device's privileges. Because the executed commands are chosen by the attacker, successful exploitation can compromise the device's integrity and confidentiality.
Affected Systems
Affected products, all from Ubiquiti Inc, include EFG, ENVR, ENVR‑Core, Express 7, UCG‑Fiber, UCG‑Industrial, UCG‑Max, UCG‑Ultra, UCK, UCK‑Enterprise, UCKP, UDM, UDM‑Beast, UDM‑Pro, UDM‑Pro‑Max, UDM‑SE, UDR, UDR‑5G, UDR7, UDW, UNAS‑2, UNAS‑4, UNAS‑Pro, UNAS‑Pro‑4, UNAS‑Pro‑8, UNVR, UNVR‑G2, UNVR‑G2‑Pro, UNVR‑Instant, UNVR‑Pro, and UniFi OS Server. No specific version information is reported.
Risk and Exploitability
The flaw has a CVSS score of 10, the maximum severity. Its EPSS score of 79% indicates a high likelihood of exploitation, and the vulnerability is listed in the CISA KEV catalog. The likely attack vector is remote access via the device's management interfaces, inferred from the requirement that the attacker have network access to deliver crafted input. Successful exploitation lets the attacker run arbitrary commands on the device with the privileges of the system process that handles the input.
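As an added illustration of the CWE‑20 pattern described above (example code, not code from UniFi OS or from the advisory): a hypothetical diagnostics endpoint that accepts a host to ping, first built the unsafe way by interpolating the untrusted value into a shell command line, then hardened with allow‑list validation and an argv call that never invokes a shell. The endpoint, parameter name and command are assumptions; the advisory does not name the actual input field.

```python
import re
import subprocess

# Allow-list for a DNS hostname or dotted IPv4 label sequence: alphanumeric
# labels, optional inner hyphens, dot-separated, at most 253 characters.
# Shell metacharacters (';', '|', '&', '$', '`', quotes, spaces) cannot match.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def build_ping_vulnerable(host: str) -> str:
    """CWE-20 pattern: the request parameter is dropped straight into a
    command line meant for a shell. Anything the shell treats specially
    becomes a second command running with the service's privileges."""
    return f"ping -c 1 {host}"


def validate_host(host: str) -> str:
    """Reject anything that is not a plain hostname before it reaches a
    command. Raising here is the input-validation step CWE-20 is about."""
    if not HOSTNAME_RE.match(host):
        raise ValueError(f"rejected host value: {host!r}")
    return host


def build_ping_hardened(host: str) -> list[str]:
    """Validated value becomes exactly one argv element; no shell is used,
    so even a value that slipped past validation could not split into a
    second command."""
    return ["ping", "-c", "1", validate_host(host)]


def run_ping_hardened(host: str, timeout: float = 10.0) -> int:
    """Run the hardened form without a shell and return ping's exit code."""
    proc = subprocess.run(
        build_ping_hardened(host), shell=False,
        capture_output=True, text=True, timeout=timeout,
    )
    return proc.returncode
```

Compare the two builders on the same input: the vulnerable one returns a single string that a shell would split into `ping` plus whatever followed the separator, while the hardened one raises before any command is built.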
OpenCVE Enrichment