Description
A malicious actor with access to the network and low privileges could exploit an Improper Input Validation vulnerability found in certain devices running UniFi OS to escalate privileges within such UniFi OS devices or instances.
Published: 2026-06-12
Score: 9.9 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an Improper Input Validation flaw (CWE‑20) in UniFi OS that allows an actor with network access and low privileges to send malformed input and gain higher privileges on the device. The CVE description does not state any further capabilities beyond privilege escalation, but an attacker who has recovered elevated rights would be able to modify device configuration or otherwise hijack the device.

Affected Systems

The flaw affects any Ubiquiti Inc product that runs UniFi OS, including the EFG, ENVR, Express, UCG‑Fiber, UCG‑Industrial, UCK, UDM, UDR, UDW, UNAS‑2, UNAS‑4, UNAS‑Pro, UNVR, UNVR‑G2, UNVR‑Instant, and the UniFi OS Server. Specific firmware versions are not enumerated in the advisory; all devices that are intended to run the vulnerable UniFi OS release should be viewed as at risk.

Risk and Exploitability

The high CVSS score of 9.9 indicates critical severity. EPSS is not available, and the vulnerability is not listed in the CISA KEV catalog. Because the attack requires only network proximity and low privileges, the barrier to exploitation is low; any user who can reach the device on the network and has minimal privileges could exploit the flaw. This the likely vector for exploitation, as inferred from the description of network access being required.

Generated by OpenCVE AI on June 12, 2026 at 04:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware patch that addresses the privilege escalation flaw.
  • Restrict network access to UniFi OS devices using VLAN segmentation or firewall rules to limit exposure to trusted hosts.
  • Monitor device logs for anomalous input patterns and disable unused services or ports that may be leveraged by attackers.

Generated by OpenCVE AI on June 12, 2026 at 04:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 12 Jun 2026 05:15:00 +0000

Type Values Removed Values Added
Title Privilege Escalation via Improper Input Validation in UniFi OS Devices

Fri, 12 Jun 2026 03:30:00 +0000

Type Values Removed Values Added
Description A malicious actor with access to the network and low privileges could exploit an Improper Input Validation vulnerability found in certain devices running UniFi OS to escalate privileges within such UniFi OS devices or instances.
Weaknesses CWE-20
References
Metrics cvssV3_1

{'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: hackerone

Published:

Updated: 2026-06-12T02:27:43.612Z

Reserved: 2026-05-19T15:00:09.320Z

Link: CVE-2026-47369

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-12T04:17:06.513

Modified: 2026-06-12T04:17:06.513

Link: CVE-2026-47369

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-12T05:00:17Z

Weaknesses
  • CWE-20

    Improper Input Validation