Description
A malicious actor with access to the network and low privileges could exploit an Improper Input Validation vulnerability found in UID Enterprise Agent to execute a Command Injection on the host device.
Published: 2026-06-12
Score: 9.9 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an Improper Input Validation flaw in Ubiquiti's UID Enterprise Agent that allows an attacker with network access and low privileges to trigger command injection on the host. This can lead to unauthorized execution of arbitrary commands, potentially compromising confidentiality, integrity, and availability of the device. The weakness corresponds to CWE-20, reflecting insufficient validation of input before command execution.

Affected Systems

Vendors: Ubiquiti Inc. Product: UID Enterprise Agent. No specific version information is provided, so all installations of this agent are potentially affected until an update is applied.

Risk and Exploitability

The CVSS score of 9.9 indicates critical severity. No EPSS score is available, so the current likelihood of exploitation cannot be quantified. The vulnerability is not in the CISA KEV catalog, but its severity and command-execution impact make it a plausible target for an attacker who already has a foothold on the network. The attack vector is network-based: an attacker with only low privileges on the device sends crafted input over the network to trigger the flaw. Because administrative access is not required, exploitation is more feasible than for flaws that demand it.

Generated by OpenCVE AI on June 12, 2026 at 04:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest security patch for UID Enterprise Agent from Ubiquiti.
  • If a patch is not yet available, isolate the affected device from insecure network segments or apply network-level filtering to block inbound traffic on the vulnerable ports.
  • Monitor logs for suspicious command execution or abnormal process creation on the device.

Advisories

No advisories yet.

History

Fri, 12 Jun 2026 03:30:00 +0000

Type        | Values Removed | Values Added
Description |                | A malicious actor with access to the network and low privileges could exploit an Improper Input Validation vulnerability found in UID Enterprise Agent to execute a Command Injection on the host device.
Weaknesses  |                | CWE-20
References  |                |
Metrics     |                | cvssV3_1 {'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: hackerone

Published:

Updated: 2026-06-12T02:27:43.480Z

Reserved: 2026-05-19T15:00:09.320Z

Link: CVE-2026-47367

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-12T04:17:06.200

Modified: 2026-06-12T04:17:06.200

Link: CVE-2026-47367

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T05:00:17Z

Weaknesses
  • CWE-20: Improper Input Validation