CVE-2026-47367
Ubiquiti · UID Enterprise Agent
The Ubiquiti UID Enterprise Agent contains an improper input validation vulnerability that allows low-privileged network attackers to execute arbitrary commands on the host device.
Executive summary
A critical command injection vulnerability in Ubiquiti's UID Enterprise Agent allows low-privileged network attackers to execute arbitrary code on host devices.
Vulnerability
The vulnerability is caused by improper input validation within the agent, which a malicious actor with low-privileged network access can leverage to perform command injection on the host device.
Business impact
With a CVSS score of 9.9, this flaw poses an extreme risk to the integrity and availability of managed network devices. An attacker could leverage this access to escalate privileges, pivot within the network, or disrupt critical business services, resulting in significant operational downtime or unauthorized access to sensitive network configurations.
Remediation
Immediate Action: Update the UID Enterprise Agent to version 1.61.4 or later.
Proactive Monitoring: Monitor network traffic for unusual commands originating from the UID agent and review device system logs for unexpected process execution.
Compensating Controls: Restrict network access to the UID Enterprise Agent to trusted management subnets to limit the exposure of the vulnerable interface to unauthorized users.
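As an added example (not Ubiquiti's code and not part of the advisory), the following Python script puts two of the remediation points above into working form: a numeric version comparison against the fixed release 1.61.4, and a scan of process-execution audit records that flags child processes the agent should not be spawning. The agent's process name, the JSON log format, the allowlist of expected helper binaries and the sample records are all assumptions made for this example; real EDR or auditd telemetry and the real binary name will differ.

```python
"""Added example (not Ubiquiti's code): defender-side checks for the advisory.

1. is_patched(): compares an installed UID Enterprise Agent version string
   against the fixed version 1.61.4 named in the advisory.
2. find_unexpected_children(): scans process-execution audit records for
   child processes spawned by the agent that are not on an allowlist, one
   way to "review device system logs for unexpected process execution".

Log format, process names and the allowlist are assumptions for this example.
"""
import json
import re
from typing import Iterable

FIXED_VERSION = (1, 61, 4)  # from the advisory

# Assumed process name for the agent binary (placeholder, not from the page).
AGENT_PROCESS = "uid-enterprise-agent"

# Assumed allowlist of helpers the agent is legitimately expected to spawn.
EXPECTED_CHILDREN = {"ip", "ping", "systemctl"}

# A network-reachable service spawning a shell interpreter is a classic
# command-injection indicator.
SHELL_INTERPRETERS = {"sh", "bash", "dash", "zsh", "busybox"}

# Shell metacharacters suggest the command line was built by string
# concatenation rather than passed as a clean argument vector.
METACHARS = re.compile(r"[;&|`$(){}<>]")


def parse_version(version: str) -> tuple:
    """Turn '1.61.4' into (1, 61, 4) so versions compare numerically;
    as strings '1.9' would sort after '1.61', which is wrong."""
    parts = version.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(installed: str) -> bool:
    """True when the installed agent is 1.61.4 or later."""
    return parse_version(installed) >= FIXED_VERSION


def find_unexpected_children(records: Iterable[str]) -> list:
    """Return a finding for every record whose parent is the agent and whose
    child is a shell interpreter or not on the allowlist, or whose command
    line carries shell metacharacters. Malformed lines are skipped."""
    findings = []
    for line in records:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # do not let one bad line abort the whole scan
        if ev.get("parent_image") != AGENT_PROCESS:
            continue
        child = ev.get("image", "")
        cmdline = ev.get("cmdline", "")
        reasons = []
        if child in SHELL_INTERPRETERS:
            reasons.append("shell interpreter spawned by agent")
        elif child not in EXPECTED_CHILDREN:
            reasons.append("child not on allowlist")
        if METACHARS.search(cmdline):
            reasons.append("shell metacharacters in command line")
        if reasons:
            findings.append({"ts": ev.get("ts"), "image": child,
                             "cmdline": cmdline, "reasons": reasons})
    return findings


# Constructed sample records (not real telemetry); one line is deliberately
# malformed to exercise the skip path.
SAMPLE_LOG = """\
{"ts": "2026-01-10T08:00:01Z", "parent_image": "uid-enterprise-agent", "image": "ip", "cmdline": "ip addr show"}
{"ts": "2026-01-10T08:00:02Z", "parent_image": "uid-enterprise-agent", "image": "ping", "cmdline": "ping -c 1 10.0.0.1"}
{"ts": "2026-01-10T08:00:03Z", "parent_image": "uid-enterprise-agent", "image": "sh", "cmdline": "sh -c ping -c 1 10.0.0.1; id"}
{"ts": "2026-01-10T08:00:04Z", "parent_image": "cron", "image": "sh", "cmdline": "sh -c /usr/bin/logrotate"}
{"ts": "2026-01-10T08:00:05Z", "parent_image": "uid-enterprise-agent", "image": "curl", "cmdline": "curl http://192.0.2.10/x"}
not json at all
"""

if __name__ == "__main__":
    for v in ("1.61.3", "1.61.4", "1.70.0"):
        print(v, "patched" if is_patched(v) else "VULNERABLE")
    for finding in find_unexpected_children(SAMPLE_LOG.splitlines()):
        print(finding)
```

The allowlist approach is deliberate: rather than trying to enumerate bad commands, it treats anything the agent spawns outside its known set of helpers as worth a look, and it flags shell interpreters separately because they are the most direct sign that a string was handed to the shell. Replace AGENT_PROCESS and EXPECTED_CHILDREN with the values observed on a known-good device before relying on the output.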
Exploitation status
Public Exploit Available: False
Analyst recommendation
Given the critical CVSS severity, organizations should treat this update as a high-priority task. Updating to version 1.61.4 or later is the only definitive way to mitigate the risk of command injection on host devices.