CVE-2026-47367: A malicious actor with access to the network and low privileges could exploit an Improper Input Validation vulnerability found in UID Enterprise Agent to execute a Command Injection on the host device
A malicious actor with access to the network and low privileges could exploit an Improper Input Validation vulnerability found in UID Enterprise Agent to execute a Command Injection on the host device.
Metrics
- CVSS v3.1: 9.9
- Severity: CRITICAL
- Fixed in: 1.61.4
- Affected Products: 1
HarborGuard Analysis
Synopsis
Command injection via improper input validation in Ubiquiti UID Enterprise Agent. The vulnerability is reachable over the network and requires only a low-privilege account, with no victim interaction needed. Successful exploitation gives an attacker command execution on the host device, with high impact to confidentiality, integrity, and availability; the CVSS vector marks scope as changed, meaning the damage is not confined to the agent itself but extends to the host it runs on. A patched-image rebuild at version 1.61.4 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
- Detection: Available. CVE-2026-47367 is ingested from upstream feeds within minutes of publication and matched against customer images in every HarborGuard environment, including custom-built images that bundle UID Enterprise Agent below version 1.61.4.
- Triage: Available. CVSS v3.1 scoring is applied at 9.9 Critical and weighted against each environment's compliance policy; alerts are routed to the appropriate team inbox within the customer org based on policy configuration.
- Remediation: Available. A patched-image rebuild at UID Enterprise Agent version 1.61.4 is offered on HarborGuard for any image found to include an affected version. For customers with auto-remediation enabled, HarborGuard performs the rebuild, runs a regression test, and opens a PR against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
The attacker must be able to reach the UID Enterprise Agent service over the network (AV:N); no physical or local access is needed.
- Authentication: Required
A valid low-privilege account is sufficient (PR:L); no administrative or elevated credentials are required.
- Victim interaction: Not required
No user action or social engineering is needed (UI:N); the attacker can trigger the vulnerability directly.
- Attack complexity: Low
Attack complexity is low (AC:L): exploitation does not depend on winning a race condition, defeating memory-layout randomization, or gathering target-specific configuration details, so a working exploit can be expected to succeed reliably on any affected version.
Blast Radius
- An attacker executes arbitrary operating system commands on the host device running UID Enterprise Agent.
- All data accessible to the agent process is exposed, including stored credentials, tokens, and configuration files.
- An attacker can modify, delete, or corrupt files and system state on the host.
- The agent process and the underlying host service can be crashed or made unavailable.
How HarborGuard Handles This
Available on HarborGuard: images containing UID Enterprise Agent versions below 1.61.4 are flagged automatically upon CVE ingestion. For customers with auto-remediation enabled, a rebuild at version 1.61.4 is queued, a regression test run is executed against the rebuilt image, and a PR is opened against affected workloads. The median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes for environments with auto-remediation enabled.

Where compliance policy does not permit auto-remediation, the finding is surfaced in the HarborGuard dashboard at Critical severity so engineering teams can prioritize the manual upgrade to 1.61.4.

Given the network-exposed, low-privilege attack path, applying the patch promptly is strongly advised. In the interim, network policy controls that restrict access to the agent's listening port to trusted sources reduce exposure from the wider network, but they do not stop an attacker who already holds a low-privilege account on a permitted source, so they are a stopgap rather than a substitute for upgrading.
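The coverage section above and this one both rest on the same check: whether an image's bundled UID Enterprise Agent version falls inside the advisory's affected range, "< 1.61.4 (from 0)". The following is an added example of that check, written for this page; it is not HarborGuard's or Ubiquiti's code. The image references and versions in SAMPLE_INVENTORY are constructed for illustration, and the handling of a suffixed build such as 1.61.4-rc1 (counted as unpatched) is an assumption about the vendor's numbering. It also shows why a plain string comparison is the wrong tool for a version-range match: 1.7.0 sorts after 1.61.4 lexically and would be silently missed.

```python
"""Affected-range check for CVE-2026-47367 (added example, not HarborGuard code).

The advisory gives the affected range as '< 1.61.4 (from 0)'. Versions must be
compared component by component as integers: comparing the strings directly
misorders '1.7.0' relative to '1.61.4'.
"""
import re
from typing import Dict, List, Tuple

FIXED_VERSION = "1.61.4"   # first fixed release, from the advisory
AFFECTED_FROM = "0"        # start of the affected range, from the advisory

# Leading dotted integers, then an optional suffix such as '-rc1' or '+build7'.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(.*)$")


def parse_version(text: str) -> Tuple[Tuple[int, ...], str]:
    """Split '1.61.4-rc1' into ((1, 61, 4), '-rc1'); raise on garbage."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable version string: {text!r}")
    numbers = tuple(int(part) for part in m.group(1).split("."))
    return numbers, m.group(2)


def compare(a: str, b: str) -> int:
    """Return -1, 0 or 1 for a < b, a == b, a > b.

    Missing trailing components count as zero ('1.61' == '1.61.0'). When the
    numeric parts are equal, a pre-release suffix sorts below the bare release
    (as in SemVer), so '1.61.4-rc1' is treated as older than, and therefore
    not fixed by, 1.61.4. That is an assumption about the vendor's numbering,
    chosen so the check errs toward flagging.
    """
    na, sa = parse_version(a)
    nb, sb = parse_version(b)
    width = max(len(na), len(nb))
    na = na + (0,) * (width - len(na))
    nb = nb + (0,) * (width - len(nb))
    if na != nb:
        return -1 if na < nb else 1
    if sa and not sb:
        return -1
    if sb and not sa:
        return 1
    return 0


def is_affected(version: str, fixed: str = FIXED_VERSION,
                start: str = AFFECTED_FROM) -> bool:
    """True when start <= version < fixed."""
    return compare(version, start) >= 0 and compare(version, fixed) < 0


def lexical_is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """The naive string comparison a hurried scanner might use.

    Kept only to show its failure modes; do not use this.
    """
    return version < fixed


# Constructed inventory: image reference -> bundled agent version. Not real data.
SAMPLE_INVENTORY: Dict[str, str] = {
    "registry.example/uid-agent:1.61.3": "1.61.3",      # affected
    "registry.example/uid-agent:1.61.4": "1.61.4",      # fixed
    "registry.example/uid-agent:1.61.10": "1.61.10",    # fixed (newer than 1.61.4)
    "registry.example/custom-base:old": "1.7.0",        # affected, missed lexically
    "registry.example/uid-agent:rc": "1.61.4-rc1",      # pre-release of the fix
}


def scan_inventory(inventory: Dict[str, str]) -> List[str]:
    """Return the image references whose bundled agent is in the affected range."""
    return sorted(ref for ref, ver in inventory.items() if is_affected(ver))


if __name__ == "__main__":
    for ref in scan_inventory(SAMPLE_INVENTORY):
        print(f"AFFECTED  {ref}  ({SAMPLE_INVENTORY[ref]} < {FIXED_VERSION})")
    # The lexical check gets the two tricky rows wrong:
    print("lexical says 1.7.0 affected?  ", lexical_is_affected("1.7.0"))    # False (wrong)
    print("lexical says 1.61.10 affected?", lexical_is_affected("1.61.10"))  # True (wrong)
```

Running the script lists the three affected images (1.61.3, 1.7.0 and the rc build) and leaves 1.61.4 and 1.61.10 alone. A scanner that compared version strings would instead report 1.61.10 as vulnerable and, worse, miss 1.7.0 entirely; a false negative on a critical, network-reachable command injection is the failure mode to design against.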
Fix available
- Ubiquiti Inc / UID Enterprise Agent: < 1.61.4 (from 0)
CVSS v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H