CVE-2026-55116

Ubiquiti · Dream Machines

An improper access control flaw in Ubiquiti Dream Machines running UniFi OS allows network-adjacent attackers to make unauthorized configuration changes to the device.

Executive summary

A critical access control vulnerability in Ubiquiti Dream Machines allows unauthorized configuration changes, potentially leading to a complete compromise of network infrastructure.

Vulnerability

The vulnerability stems from improper access control logic within UniFi OS, which, under specific network configurations, allows an attacker with network access to bypass intended security constraints and modify device settings without proper authorization.

Business impact

With a CVSS score of 9.0, this vulnerability allows for the total subversion of network security policies managed by the Dream Machine. Successful exploitation could result in the disabling of firewalls, redirection of traffic, or the creation of persistent backdoors, leading to significant operational disruption and data exposure.

Remediation

Immediate Action: Apply the latest firmware update for Ubiquiti Dream Machines to address the access control bypass.

Proactive Monitoring: Monitor network configuration logs for unauthorized changes and audit device settings for unexpected modifications.

Compensating Controls: Implement strict network segmentation and ensure the management interface of the Dream Machine is not exposed to untrusted network segments.

Exploitation status

Public Exploit Available: False

Analyst recommendation

Given the critical nature of this vulnerability in core network infrastructure, immediate patching is required. Security teams should verify that all Dream Machine devices are running the latest firmware to prevent unauthorized configuration changes that could jeopardize the entire network environment.