Impact
The reported issue is an Improper Access Control flaw (CWE‑284) that allows a network‑connected attacker to make unauthorized changes to UniFi OS devices. The vulnerability is confined to privileged configuration actions: a malicious actor could alter device settings, network parameters, or service configurations, potentially enabling further compromise or denial of service. The flaw does not directly grant arbitrary code execution, but it provides a dangerous level of control over the device's operation.
Affected Systems
The affected systems are Ubiquiti Inc. devices that run UniFi OS, including the EFG, Express 7, UCG‑Fiber, UCG‑Industrial, UCG‑Max, UCG‑Ultra, UDM, UDM‑Beast, UDM‑Pro, UDM‑Pro‑Max, UDM‑SE, UDR, UDR‑5G, UDR7, and UDW product lines. No specific firmware or software version numbers are listed in the current disclosure, so any UniFi OS deployment may be impacted.
Risk and Exploitability
The vulnerability is rated with a CVSS score of 8.1, indicating high severity. EPSS information is not available, and the issue is not in the CISA KEV catalog. The attack vector is inferred to be network‑borne: the attacker must have access to the network segment where the UniFi OS device resides. From the description, either local access or remote access (over an unsecured WAN) to the management interfaces can be used to make the unauthorized changes. Because the improper access controls allow configuration modification, the risk includes potential service disruption, network re‑routing, or further lateral movement within the infrastructure.
OpenCVE Enrichment