CVE-2026-33000
Ubiquiti · UniFi OS
An improper input validation vulnerability in Ubiquiti UniFi OS allows high-privileged, network-adjacent users to execute arbitrary system commands.
Executive summary
A high-severity command injection flaw in Ubiquiti UniFi OS allows authenticated, high-privileged users to execute arbitrary system commands.
Vulnerability
This is a command injection vulnerability that requires an authenticated, high-privileged user with network-adjacent access. The flaw stems from inadequate input validation: input supplied through specific system interfaces is not properly validated before reaching the command execution path, allowing arbitrary commands to be executed on the underlying OS.
Business impact
With a CVSS score of 9.1, this vulnerability poses a significant risk to internal security by facilitating privilege escalation or lateral movement. Even though it requires high privileges, the potential for a compromised administrative account to gain full control of the underlying OS remains a severe threat to business continuity.
Remediation
Immediate Action: Update all UniFi OS devices to the latest firmware, which corrects the input validation flaw in the affected interfaces.
Proactive Monitoring: Audit administrative activity and review command logs for suspicious use of system utilities.
Compensating Controls: Enforce the principle of least privilege for all administrative users and implement multi-factor authentication (MFA) to prevent account compromise.
Exploitation status
Public Exploit Available: No
Analyst recommendation
Organizations should treat this as a high-priority update. Limiting the number of users with administrative access and ensuring those accounts are protected by strong authentication will significantly reduce the risk surface.