CVE-2026-47370
9.9
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Summary
A malicious actor with access to the network and low privileges could exploit an Improper Input Validation vulnerability found in certain devices running UniFi OS to execute a Command Injection within such UniFi OS devices or instances.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Ubiquiti Inc | UniFi OS Server | 0 < 5.1.15 | affected |
| Ubiquiti Inc | Express | 0 < 4.0.15 | affected |
| Ubiquiti Inc | UDM | 0 < 5.1.15 | affected |
| Ubiquiti Inc | UDM-Pro | 0 < 5.1.15 | affected |
| Ubiquiti Inc | UDM-SE | 0 < 5.1.15 | affected |
| Ubiquiti Inc | UDM-Pro-Max | 0 < 5.1.15 | affected |
| Ubiquiti Inc | UDM-Beast | 0 < 5.1.15 | affected |
| Ubiquiti Inc | EFG | 0 < 5.1.15 | affected |
| Ubiquiti Inc | UDW | 0 < 5.1.15 | affected |
| Ubiquiti Inc | UDR | 0 < 5.1.15 | affected |
| Ubiquiti Inc | UDR7 | 0 < 5.1.15 | affected |
| Ubiquiti Inc | UDR-5G | 0 < 5.1.15 | affected |
| Ubiquiti Inc | Express 7 | 0 < 5.1.15 | affected |
| Ubiquiti Inc | UNVR | 0 < 5.1.15 | affected |
| Ubiquiti Inc | UNVR-Pro | 0 < 5.1.15 | affected |
| Ubiquiti Inc | UNVR-Instant | 0 < 5.1.15 | affected |
| Ubiquiti Inc | UNVR-G2 | 0 < 5.1.15 | affected |
| Ubiquiti Inc | UNVR-G2-Pro | 0 < 5.1.15 | affected |
| Ubiquiti Inc | ENVR | 0 < 5.1.15 | affected |
| Ubiquiti Inc | ENVR-Core | 0 < 5.1.15 | affected |
| Ubiquiti Inc | UNAS-2 | 0 < 5.1.16 | affected |
| Ubiquiti Inc | UNAS-4 | 0 < 5.1.16 | affected |
| Ubiquiti Inc | UNAS-Pro | 0 < 5.1.16 | affected |
| Ubiquiti Inc | UNAS-Pro-4 | 0 < 5.1.16 | affected |
| Ubiquiti Inc | UNAS-Pro-8 | 0 < 5.1.16 | affected |
| Ubiquiti Inc | UCKP | 0 < 5.1.15 | affected |
| Ubiquiti Inc | UCK | 0 < 5.1.15 | affected |
| Ubiquiti Inc | UCK-Enterprise | 0 < 5.1.15 | affected |
| Ubiquiti Inc | UCG-Ultra | 0 < 5.1.15 | affected |
| Ubiquiti Inc | UCG-Max | 0 < 5.1.15 | affected |
| Ubiquiti Inc | UCG-Fiber | 0 < 5.1.15 | affected |
| Ubiquiti Inc | UCG-Industrial | 0 < 5.1.15 | affected |
Weaknesses
- CWE-20: CWE-20 Improper Input Validation
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.