CVE-2026-54402
Ubiquiti · UniFi OS Server
An improper input validation vulnerability in the Ubiquiti UniFi OS Server allows authenticated low-privilege network users to execute arbitrary commands on the host device via command injection.
Executive summary
A critical command injection vulnerability in Ubiquiti UniFi OS Server permits low-privilege network attackers to gain unauthorized command execution on the host system.
Vulnerability
This vulnerability stems from improper input validation within the UniFi OS framework, enabling an authenticated attacker with low privileges to perform command injection. The flaw allows the execution of arbitrary commands with the privileges of the underlying service.
Business impact
The ability for a low-privilege user to execute arbitrary commands on the host device presents a severe risk of complete system compromise. Given the 9.9 CVSS score, this vulnerability could lead to unauthorized data exfiltration, lateral movement within the network, and total loss of device integrity, potentially disrupting business-critical network management operations.
Remediation
Immediate Action: Update the Ubiquiti UniFi OS Server to the latest available firmware/software version provided by the vendor.
Proactive Monitoring: Review system access logs for anomalous command execution patterns and monitor network traffic for unexpected outbound connections from the UniFi OS host.
Compensating Controls: Implement strict network segmentation to limit access to the UniFi OS management interface to authorized administrative segments only.
Exploitation status
Public Exploit Available: No
Analyst recommendation
The high CVSS score reflects the severity of allowing command injection on network infrastructure equipment. Administrators should prioritize patching UniFi OS Server instances immediately to prevent potential remote code execution and subsequent full system takeover.