CVE-2026-47370

A malicious actor with access to the network and low privileges could exploit an Improper Input Validation vulnerability found in certain devices running UniFi OS to execute a Command Injection within such UniFi OS devices or instances.
Metrics
- CVSS v3.1: 9.9
- Severity: CRITICAL
- Fixed in: 4.0.15
- Affected Products: 32
HarborGuard Analysis
Synopsis
A command injection vulnerability caused by improper input validation affects multiple Ubiquiti devices running UniFi OS, including the UniFi OS Server, UDM, UDM-Pro, UDM-SE, UDM-Pro-Max, UDM-Beast, EFG, and Express. The vulnerability is reachable over the network by an attacker holding any low-privilege account, with no victim interaction required, and carries a CVSS 9.9 critical score due to its scope-changing impact. Successful exploitation gives the attacker arbitrary command execution on the affected device, with full read, write, and availability impact extending beyond the vulnerable component. Patched-image rebuilds at versions 4.0.15 and 5.1.15 are available on HarborGuard for environments running affected versions.
HarborGuard Coverage
Detection of CVE-2026-47370 is available across every HarborGuard environment, with the CVE ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images derived from UniFi OS base layers. Any image in a customer registry or CI/CD pipeline carrying an affected UniFi OS version below 4.0.15 or 5.1.15 is flagged automatically.
HarborGuard scores this finding at CVSS 9.9 Critical and surfaces it at the top of the finding queue for each affected environment. Per-environment compliance policy weighting is applied before routing the alert to the appropriate team inbox within the customer organization.
A patched-image rebuild targeting UniFi OS Server and UDM-family devices at version 5.1.15 and Express at version 4.0.15 becomes available on HarborGuard once the upstream fix is confirmed. For customers who opt into auto-remediation, HarborGuard triggers an automated rebuild, runs the regression test suite against the new image, and opens a pull request against affected workloads.
Exploit Conditions
- Network reachability: Required
  The attacker must reach the UniFi OS management interface over the network; the service must be exposed to the attacker's network segment.
- Authentication: Required
  Any low-privilege account on the device is sufficient; no administrative or elevated credentials are needed beyond basic login access.
- Victim interaction: Not required
  No action from a logged-in user or administrator is required to trigger the vulnerability.
- Attack complexity: Low
  Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other environmental factors.
Blast Radius
- The attacker executes arbitrary operating system commands on the affected UniFi OS device with the privileges of the vulnerable process.
- Confidential data stored on the device, including network configuration, credentials, and logs, is fully readable.
- The attacker can modify or delete persisted configuration data, potentially altering network routing, firewall rules, or access controls.
- The scope change (S:C) means impact can extend beyond the UniFi OS instance itself to other systems on the managed network that trust the device.
How HarborGuard Handles This
Available on HarborGuard: detection fires within minutes of advisory ingestion for any image in a customer registry or pipeline that carries an affected UniFi OS version. Given the critical severity of this CVE, the median time from publication to a merged patch PR for environments with auto-remediation enabled is around 90 minutes. For customers who opt into auto-remediation, HarborGuard rebuilds the image at the patched version (5.1.15 for UDM-family and UniFi OS Server, 4.0.15 for Express), runs regression tests, and opens a pull request against affected workloads. Where compliance policy does not permit auto-remediation, the finding is routed to the appropriate team inbox with full CVSS context so engineers can act manually. Customers who cannot patch immediately should consider isolating UniFi OS management interfaces behind strict network policy rules to limit which source addresses can reach the management plane.
Fix available
- Ubiquiti Inc / UniFi OS Server < 5.1.15 (from 0)
- Ubiquiti Inc / Express < 4.0.15 (from 0)
- Ubiquiti Inc / UDM < 5.1.15 (from 0)
- Ubiquiti Inc / UDM-Pro < 5.1.15 (from 0)
- Ubiquiti Inc / UDM-SE < 5.1.15 (from 0)
- Ubiquiti Inc / UDM-Pro-Max < 5.1.15 (from 0)
- Ubiquiti Inc / UDM-Beast < 5.1.15 (from 0)
- Ubiquiti Inc / EFG < 5.1.15 (from 0)
- Ubiquiti Inc / UDW < 5.1.15 (from 0)
- Ubiquiti Inc / UDR < 5.1.15 (from 0)
- Ubiquiti Inc / UDR7 < 5.1.15 (from 0)
- Ubiquiti Inc / UDR-5G < 5.1.15 (from 0)
- Ubiquiti Inc / Express 7 < 5.1.15 (from 0)
- Ubiquiti Inc / UNVR < 5.1.15 (from 0)
- Ubiquiti Inc / UNVR-Pro < 5.1.15 (from 0)
- Ubiquiti Inc / UNVR-Instant < 5.1.15 (from 0)
- Ubiquiti Inc / UNVR-G2 < 5.1.15 (from 0)
- Ubiquiti Inc / UNVR-G2-Pro < 5.1.15 (from 0)
- Ubiquiti Inc / ENVR < 5.1.15 (from 0)
- Ubiquiti Inc / ENVR-Core < 5.1.15 (from 0)
- Ubiquiti Inc / UNAS-2 < 5.1.16 (from 0)
- Ubiquiti Inc / UNAS-4 < 5.1.16 (from 0)
- Ubiquiti Inc / UNAS-Pro < 5.1.16 (from 0)
- Ubiquiti Inc / UNAS-Pro-4 < 5.1.16 (from 0)
- Ubiquiti Inc / UNAS-Pro-8 < 5.1.16 (from 0)
- Ubiquiti Inc / UCKP < 5.1.15 (from 0)
- Ubiquiti Inc / UCK < 5.1.15 (from 0)
- Ubiquiti Inc / UCK-Enterprise < 5.1.15 (from 0)
- Ubiquiti Inc / UCG-Ultra < 5.1.15 (from 0)
- Ubiquiti Inc / UCG-Max < 5.1.15 (from 0)
CVSS v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
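To turn the fix table above into an inventory check of the kind the Coverage section describes, here is an added example (not HarborGuard's own matcher) that encodes the per-product fixed versions listed on this page and flags any product/version pair strictly below its fix. The inventory it scans is constructed sample data; note that the UNAS models fix at 5.1.16 and Express at 4.0.15, not the 5.1.15 the prose quotes for the other devices.

```python
"""Flag UniFi OS product/version pairs against the CVE-2026-47370 fix table (added example)."""
import re

# First fixed version per product, copied from the advisory's "Fix available" list.
# Every affected range starts at 0, so "affected" means strictly below the fixed version.
FIXED_VERSION = {
    **dict.fromkeys(["UniFi OS Server", "UDM", "UDM-Pro", "UDM-SE", "UDM-Pro-Max",
                     "UDM-Beast", "EFG", "UDW", "UDR", "UDR7", "UDR-5G", "Express 7",
                     "UNVR", "UNVR-Pro", "UNVR-Instant", "UNVR-G2", "UNVR-G2-Pro",
                     "ENVR", "ENVR-Core", "UCKP", "UCK", "UCK-Enterprise",
                     "UCG-Ultra", "UCG-Max"], "5.1.15"),
    **dict.fromkeys(["UNAS-2", "UNAS-4", "UNAS-Pro", "UNAS-Pro-4", "UNAS-Pro-8"], "5.1.16"),
    "Express": "4.0.15",  # different release train: the table fixes Express at 4.0.15
}


def parse_version(version: str) -> tuple:
    """Leading dotted-integer part of a version string: '4.0.15-rc1' -> (4, 0, 15)."""
    m = re.match(r"\d+(?:\.\d+)*", version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(x) for x in m.group(0).split("."))


def is_affected(product: str, version: str) -> bool:
    """True when the version is strictly below the product's fixed version."""
    fixed = FIXED_VERSION.get(product)
    if fixed is None:
        raise KeyError(f"{product!r} is not in the CVE-2026-47370 fix table")
    a, b = parse_version(version), parse_version(fixed)
    width = max(len(a), len(b))  # pad so '5.1.15.1' compares against '5.1.15.0'
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def scan(inventory):
    """Return (product, version, fixed_version) for each affected asset."""
    return [(p, v, FIXED_VERSION[p]) for p, v in inventory if is_affected(p, v)]


if __name__ == "__main__":
    inventory = [  # constructed sample data, not a real inventory
        ("UDM-Pro", "5.1.14"), ("UDM-Pro", "5.1.15"), ("Express", "4.0.14"),
        ("UNAS-Pro", "5.1.15"), ("UCG-Max", "5.1.15.1"), ("UDR7", "4.3.6-beta"),
    ]
    for product, version, fixed in scan(inventory):
        print(f"{product} {version}: affected, patched release is {fixed}")
```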