An attacker who can reach the network and possesses low‑privilege credentials may send specially crafted input to a UniFi OS device, leading the system to execute arbitrary shell commands on the device. The vulnerability is an instance of Improper Input Validation (CWE‑20) and can compromise the confidentiality, integrity, and availability of the affected device, potentially allowing the attacker to gain full administrative control or to pivot to other devices on the network. The impact is limited to devices that process the malicious input, but the compromised device could serve as an entry point to a larger network.

The affected products include several Ubiquiti Inc. systems that run UniFi OS, such as the EFG, ENVR, Express, UCG, UCK, UDM, UDR, UDW, UNAS, UNVR, and UniFi OS Server families. The specific firmware or software versions are not enumerated in the advisory, so any installation running UniFi OS that exposes the vulnerable input handling code is potentially at risk.

The CVSS score of 9.9 indicates a critical severity, while the EPSS score is unavailable, so it is unclear how often the vulnerability is currently exploited. It is not listed in the CISA KEV catalog, but the high CVSS and the fact that it requires only network access and low privileges make it a high‑risk threat. A likely attack vector involves an actor on the same local network or remotely with VPN or other authorized access, sending crafted payloads to the vulnerable endpoint. If successful, the attacker could run arbitrary commands, install malware, or exfiltrate data. The exploit would succeed without needing elevated privileges or prior compromise beyond low‑privilege network access, making it a serious threat to any compromised network segment.