CVE-2026-47369 (Severity: CRITICAL; CNA: hackerone)

CVE-2026-47369: A malicious actor with access to the network and low privileges could exploit an Improper Input Validation vulnerability found in certain devices running UniFi OS to escalate privileges within such UniFi OS devices or instances

Metrics

  • CVSS v3.1: 9.9
  • Severity: CRITICAL
  • Fixed in: 4.0.15
  • Affected Products: 32


HarborGuard Analysis

Synopsis

An improper input validation vulnerability in Ubiquiti UniFi OS allows a network-adjacent attacker with only a low-privilege account to escalate privileges on affected devices and instances. The vulnerability is reachable over the network, requires no victim interaction, and carries a CVSS 9.9 Critical score due to its scope-changing, full-system impact. Successful exploitation gives the attacker full control over confidentiality, integrity, and availability of the affected UniFi OS device. Patched-image rebuilds at versions 4.0.15, 5.1.15, and 5.1.16 are available on HarborGuard for environments running affected versions.

HarborGuard Coverage

Detection (Available)

Detection is available across every HarborGuard environment: CVE-2026-47369 is ingested from upstream advisory feeds within minutes of publication and matched against customer images and pipeline artifacts, including custom-built images derived from affected UniFi OS versions. Any image layer carrying a vulnerable UniFi OS release will be flagged automatically.

Triage (Available)

HarborGuard is capable of scoring this CVE at CVSS 9.9 Critical and weighting that score against each customer environment's compliance policy to determine urgency. Triage routing is available to deliver findings to the appropriate team inbox within each customer organization based on affected workload ownership.

Patch (Available)

A patched-image rebuild at UniFi OS versions 4.0.15, 5.1.15, or 5.1.16 becomes available on HarborGuard as soon as the fix versions are resolved against the affected image manifests. For customers who opt into auto-remediation, HarborGuard rebuilds the image, runs a regression test suite, and opens a PR against affected workloads automatically.

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to reach the UniFi OS service over the network; the CVSS vector specifies AV:N, meaning no local or physical access is required.

  • Authentication: Required

    The attacker needs a valid low-privilege account on the device or instance; PR:L means any standard user credential is sufficient, but unauthenticated access alone is not enough.

  • Victim interaction: Not required

    No victim action such as clicking a link or opening a file is needed; UI:N means the attacker can trigger the vulnerability entirely on their own.

  • Attack complexity: Low

    Attack complexity is Low (AC:L), meaning the exploit is reliable and does not depend on race conditions, special memory layout, or other variable environmental factors.

Blast Radius

  • The attacker gains full read access to all data on the UniFi OS device, including stored credentials, network configuration, and logs.
  • The attacker can write or modify any data on the device, including firewall rules, routing tables, and user account definitions.
  • The attacker can crash or fully disable the UniFi OS service, taking down network management and any dependent infrastructure.
  • Because the CVSS vector specifies a scope change (S:C), the attacker can pivot beyond the initially compromised device and affect other systems in the same trust boundary.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-47369 is active across all customer scanning environments, with ingestion from upstream feeds and image matching running continuously. For environments running any affected UniFi OS release across the eight listed product lines, a patched-image rebuild at version 4.0.15 (Express) or 5.1.15/5.1.16 (all other UniFi OS products) is available as soon as the fix is resolved against the relevant image manifest. For customers who opt into auto-remediation, HarborGuard will rebuild the image, execute a regression test run, and open a pull request against affected workloads; for Critical-severity issues, the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy does not permit auto-remediation, HarborGuard surfaces the finding with full CVSS context and fix-version detail so teams can act manually. Given the Critical score and scope-changing impact, prioritizing this fix ahead of lower-severity queue items is strongly warranted.


Fix available: 4.0.15, 5.1.15, 5.1.16

Affected packages
  • Ubiquiti Inc / UniFi OS Server
    < 5.1.15 (from 0)
  • Ubiquiti Inc / Express
    < 4.0.15 (from 0)
  • Ubiquiti Inc / UDM
    < 5.1.15 (from 0)
  • Ubiquiti Inc / UDM-Pro
    < 5.1.15 (from 0)
  • Ubiquiti Inc / UDM-SE
    < 5.1.15 (from 0)
  • Ubiquiti Inc / UDM-Pro-Max
    < 5.1.15 (from 0)
  • Ubiquiti Inc / UDM-Beast
    < 5.1.15 (from 0)
  • Ubiquiti Inc / EFG
    < 5.1.15 (from 0)
  • Ubiquiti Inc / UDW
    < 5.1.15 (from 0)
  • Ubiquiti Inc / UDR
    < 5.1.15 (from 0)
  • Ubiquiti Inc / UDR7
    < 5.1.15 (from 0)
  • Ubiquiti Inc / UDR-5G
    < 5.1.15 (from 0)
  • Ubiquiti Inc / Express 7
    < 5.1.15 (from 0)
  • Ubiquiti Inc / UNVR
    < 5.1.15 (from 0)
  • Ubiquiti Inc / UNVR-Pro
    < 5.1.15 (from 0)
  • Ubiquiti Inc / UNVR-Instant
    < 5.1.15 (from 0)
  • Ubiquiti Inc / UNVR-G2
    < 5.1.15 (from 0)
  • Ubiquiti Inc / UNVR-G2-Pro
    < 5.1.15 (from 0)
  • Ubiquiti Inc / ENVR
    < 5.1.15 (from 0)
  • Ubiquiti Inc / ENVR-Core
    < 5.1.15 (from 0)
  • Ubiquiti Inc / UNAS-2
    < 5.1.16 (from 0)
  • Ubiquiti Inc / UNAS-4
    < 5.1.16 (from 0)
  • Ubiquiti Inc / UNAS-Pro
    < 5.1.16 (from 0)
  • Ubiquiti Inc / UNAS-Pro-4
    < 5.1.16 (from 0)
  • Ubiquiti Inc / UNAS-Pro-8
    < 5.1.16 (from 0)
  • Ubiquiti Inc / UCKP
    < 5.1.15 (from 0)
  • Ubiquiti Inc / UCK
    < 5.1.15 (from 0)
  • Ubiquiti Inc / UCK-Enterprise
    < 5.1.15 (from 0)
  • Ubiquiti Inc / UCG-Ultra
    < 5.1.15 (from 0)
  • Ubiquiti Inc / UCG-Max
    < 5.1.15 (from 0)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H