Executive Summary
A critical command injection vulnerability (CVE-2026-33000) has been disclosed in UniFi OS, the operating system powering Ubiquiti's line of network gateways, controllers, and access-point hardware. The flaw stems from improper input validation in a network-accessible component and allows a high-privileged attacker with network access to execute arbitrary OS-level commands on the underlying device.
CVSS Score: 9.1 (Critical)
Although exploitation requires high privileges, the severity remains critical because UniFi OS devices often serve as the trust anchor for entire enterprise and campus networks. A compromise of the controller exposes every managed device, client VLAN, and VPN tunnel running through the infrastructure.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-33000 |
| CVSS Score | 9.1 (Critical) |
| Type | Command Injection (Improper Input Validation) |
| Attack Vector | Network |
| Privileges Required | High |
| User Interaction | None |
| Confidentiality Impact | High |
| Integrity Impact | High |
| Availability Impact | High |
| Patch Available | Check Ubiquiti Security Advisories for the latest release |
Affected Products
| Product | Affected Versions | Remediation |
|---|---|---|
| UniFi OS (all devices) | All versions before the patched release | Apply latest Ubiquiti firmware immediately |
| UniFi Dream Machine / Pro / SE | Pre-patch firmware | Update via UniFi Network UI |
| UniFi Cloud Gateway | Pre-patch firmware | Update via UniFi Network UI |
| UniFi Network Server | Pre-patch firmware | Update via UniFi Network UI |
Technical Analysis
Root Cause
CVE-2026-33000 is caused by a failure to sanitize user-supplied input before passing it to an OS-level command execution function within a UniFi OS service. When a high-privileged session supplies a crafted payload to the vulnerable endpoint, the unsanitized string is executed directly by the underlying OS shell.
This class of vulnerability — command injection through improper input validation — is a well-understood attack category but remains prevalent in embedded and appliance firmware where rapid development cycles leave validation gaps.
Attack Flow
1. Attacker gains high-privileged access to UniFi OS (admin credentials via phishing,
credential stuffing, or a prior lateral movement step)
2. Attacker identifies the vulnerable network-accessible component
3. Crafted payload containing shell metacharacters is submitted to the vulnerable parameter
4. UniFi OS passes the unsanitized input directly to an OS shell command
5. Arbitrary commands execute as the service process user
6. Attacker achieves persistent access, credential harvesting, or pivoting to managed devicesWhy This Is Dangerous
UniFi OS controllers and gateways sit at a privileged position in the network:
- Full network visibility — all traffic passing through the gateway is observable
- Managed device credentials — SSH keys and admin passwords for access points, switches, and cameras
- VPN configuration — IPsec and WireGuard keys, site-to-site tunnel credentials
- RADIUS/802.1X secrets — authentication infrastructure for network access control
- VLAN segmentation control — an attacker can remove or modify VLAN isolation
- DNS and DHCP — ability to redirect all client traffic
Impact Assessment
| Impact Area | Description |
|---|---|
| Remote Code Execution | Arbitrary OS command execution on the UniFi OS device |
| Credential Theft | Access to all credentials stored on the controller |
| Network Pivot | Full access to every managed device from the compromised controller |
| Traffic Interception | Attacker can monitor or redirect all client network traffic |
| Persistence | Install backdoors, SSH keys, or cron jobs surviving firmware reboots |
| Lateral Movement | Use stolen credentials to compromise downstream infrastructure |
Immediate Remediation
Step 1: Update UniFi OS Firmware
Apply the latest UniFi OS firmware containing the CVE-2026-33000 fix via the UniFi Network UI:
# Via UniFi Network CLI (if SSH access is available to the device)
# Check current firmware version
ubnt-device-info firmware
# Apply updates via the UniFi Network application UI:
# Settings → System → Updates → Firmware UpdateStep 2: Rotate All Admin Credentials
Assume any credentials stored on the controller may be compromised:
# Change UniFi Network admin account passwords immediately
# Rotate SSH host keys if SSH was enabled
# Rotate any API tokens or integration credentials
# Check for unauthorized admin accounts
ubnt-device-info model
# Review UI: Settings → Admins & Users → audit all accountsStep 3: Restrict High-Privileged Network Access
Until patched, restrict access to the UniFi Network management interface:
# Limit UniFi controller management port (TCP 8443, 443) to trusted management hosts only
# Apply firewall rules at the perimeter or on the controller itself
# Disable remote access (cloud portal) if not required: Settings → Remote Access → DisableStep 4: Review Audit Logs
# Review UniFi OS logs for signs of exploitation
# Check for unusual command execution, new SSH authorized_keys, or new cron entries
cat /var/log/messages | grep -i "cmd\|inject\|shell"
cat /root/.ssh/authorized_keys
crontab -lDetection Indicators
| Indicator | Description |
|---|---|
| Unexpected outbound network connections from the controller | Potential reverse shell or C2 beacon |
| New SSH authorized_keys entries | Attacker persistence via SSH key injection |
| New cron jobs under root or service accounts | Persistent backdoor installation |
| Unusual UniFi API calls from unfamiliar IPs | Attacker activity via stolen session tokens |
| Admin account creation or privilege escalation | Post-exploitation enumeration |
Post-Remediation Checklist
- Apply firmware patch — update UniFi OS to the latest patched version immediately
- Rotate all credentials — admin passwords, SSH keys, API tokens, RADIUS secrets, VPN keys
- Audit admin accounts — remove unknown or unauthorized accounts from the controller
- Review SSH authorized_keys — remove any unfamiliar keys on the device
- Network-segment the controller — ensure management traffic is isolated to a dedicated management VLAN
- Disable unnecessary remote access — restrict cloud portal access if not required
- Enable logging — forward UniFi OS syslog to your SIEM for ongoing detection
- Inventory all UniFi OS devices — ensure all controllers, gateways, and cloud keys are patched