CVE: Multiple — see references | CVSS Range: 7.5 – 9.9 (Critical) | Vendor: Ubiquiti | Product: UniFi OS | Key CVEs: CVE-2026-47369 (CVSS 9.9, command injection), CVE-2026-47370 (CVSS 9.9, command injection), CVE-2026-54402 (CVSS 9.9, command injection), CVE-2026-47368 (CVSS 8.6, path traversal), CVE-2026-54403 (CVSS 8.6, path traversal → auth bypass), CVE-2026-54404 (CVSS 8.8, SQL injection), plus SSRF, CORS misconfiguration, access control vulnerabilities
What Is the Vulnerability
Ubiquiti has released security updates patching 11 critical vulnerabilities in UniFi OS, including multiple maximum-severity command injection flaws. The most severe (CVE-2026-47369, CVE-2026-47370, CVE-2026-54402 — all CVSS 9.9) allow a low-privileged attacker with network access to execute arbitrary commands on the host device via improper input validation. Additional vulnerabilities include path traversal allowing data exfiltration and authentication bypass (CVE-2026-47368, CVE-2026-54403), SQL injection enabling privilege escalation (CVE-2026-54404), and SSRF (CVE-2026-54401). This is the largest single-patch Ubiquiti security release in recent memory and suggests a significant internal security audit.
Versions Affected
- Ubiquiti UniFi OS — specific device firmware versions per Ubiquiti security advisory
These vulnerabilities affect various UniFi devices including gateways, switches, access points, and cloud keys. These are separate from the existing CISA KEV-listed UniFi vulnerabilities (CVE-2026-34908/909/910) which remain unpatched on many installations.
Exploited?
No confirmed exploitation reported at time of publication. Ubiquiti released patches proactively. However, given the severity (multiple CVSS 9.9) and the nature of command injection vulnerabilities, exploitation is expected once technical details circulate.
Fix
Ubiquiti has released firmware updates addressing all 11 vulnerabilities.
- Primary fix: Update UniFi OS to the latest patched firmware version per Ubiquiti advisory.
- Workaround: Restrict network access to UniFi management interfaces to trusted IPs only.
Recommendations
- Apply firmware updates immediately: Prioritise command injection and path traversal vulnerabilities.
- Restrict network access: Ensure UniFi management interfaces are not exposed to untrusted networks.
- Patch existing KEV CVEs: CVE-2026-34908/909/910 remain 12 days overdue — patch them alongside these new updates.
- Audit configurations: Review UniFi device configurations for any signs of unauthorized changes.
References
- BleepingComputer: Ubiquiti UniFi OS
- Ubiquiti Security Advisory (July 2026)
Part of the Vulnerability Intelligence series on threat-modeling.com. July 8, 2026 Report.
