Executive Summary
A critical command injection vulnerability (CVE-2026-47370) has been disclosed in Ubiquiti UniFi OS, affecting devices and instances running the UniFi OS platform. The vulnerability carries a CVSS score of 9.9 (Critical) and allows a malicious actor with network access and low privileges to exploit improper input validation to execute arbitrary commands within UniFi OS devices or instances.
CVSS Score: 9.9 (Critical) Published: 2026-06-12 Related CVE: CVE-2026-47369 (Privilege Escalation in UniFi OS — same disclosure batch)
This is the second critical UniFi OS vulnerability disclosed on 2026-06-12, alongside CVE-2026-47369 (privilege escalation). Together, they represent a severe attack surface in one of the most widely deployed prosumer and enterprise network management platforms.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-47370 |
| CVSS Score | 9.9 (Critical) |
| Type | Command Injection (Improper Input Validation) |
| Attack Vector | Network |
| Privileges Required | Low |
| User Interaction | None |
| Affected Platform | UniFi OS (Ubiquiti devices and instances) |
| Published | 2026-06-12 |
Affected Products
| Product | Component | Status |
|---|---|---|
| UniFi Dream Machine (all models) | UniFi OS | Vulnerable — apply latest firmware |
| UniFi Dream Router | UniFi OS | Vulnerable — apply latest firmware |
| UniFi Cloud Gateway | UniFi OS | Vulnerable — apply latest firmware |
| UniFi OS Instances (self-hosted) | UniFi OS | Vulnerable — apply latest update |
Technical Details
Command Injection in Network Appliances
Command injection in network appliances is especially dangerous because these devices often run as root or with elevated OS privileges, sit at critical network chokepoints, and are rarely monitored with the same rigor as servers. An attacker who achieves command injection on a UniFi OS device can manipulate all traffic passing through it.
How CVE-2026-47370 Works
The vulnerability stems from improper input validation within UniFi OS's internal processing of user-supplied parameters. These parameters are passed to OS-level command execution contexts without adequate sanitization — allowing an attacker to inject additional shell metacharacters or command sequences.
1. Attacker with low-privilege network access sends crafted input to a vulnerable UniFi OS endpoint
2. UniFi OS processes the input and passes it to an internal command execution routine
3. Shell metacharacters in the input trigger execution of attacker-controlled commands
4. Commands execute within UniFi OS context (typically elevated privileges)
5. Attacker achieves full control of the UniFi device at the OS levelRelationship to CVE-2026-47369
CVE-2026-47369 enables privilege escalation within UniFi OS, while CVE-2026-47370 enables command injection. When chained:
CVE-2026-47369 (Privilege Escalation) → CVE-2026-47370 (Command Injection)
= Full unauthenticated-equivalent OS-level takeover from any low-privilege accountWhy CVSS 9.9?
- Network attack vector with low privilege requirement
- No user interaction needed
- Command execution within UniFi OS affects the full device management plane
- Near-complete confidentiality, integrity, and availability impact across the device and managed network
Impact Assessment
| Impact Area | Description |
|---|---|
| Arbitrary OS Command Execution | Execute any command within UniFi OS with elevated privileges |
| Network Policy Manipulation | Modify firewall rules, routing, DNS, or VPN configurations |
| Traffic Interception | Configure packet capture or port mirroring to intercept all network traffic |
| Persistence | Add cron jobs, SSH keys, or startup scripts for long-term access |
| Lateral Movement | Access all network segments routed through the device |
| Combined Exploit Chain | When chained with CVE-2026-47369, enables full takeover from a single low-privilege account |
Recommendations
Immediate Actions
- Apply Ubiquiti firmware updates — check UniFi OS update settings for the latest available patch
- Restrict management plane access — ensure UniFi OS is not reachable from untrusted networks
- Audit for signs of exploitation — review OS-level command history and UniFi audit logs
- Treat both CVE-2026-47369 and CVE-2026-47370 as a combined risk — patch addresses both
Mitigation Until Patched
- Place UniFi management interface behind a VPN or jump host
- Block TCP 443, 8080, 8443 to UniFi devices from untrusted subnets at a perimeter firewall
- Monitor for unusual command execution (if OS-level logging is accessible)
- Consider temporarily disabling remote management features if not needed
- Apply network-level egress controls to detect C2 callbacks from the UniFi deviceDetection Indicators
| Indicator | Description |
|---|---|
| Shell metacharacters in UniFi OS API request logs | Exploitation attempt signatures |
| Unexpected cron jobs or startup scripts on the device | Post-exploitation persistence |
| New SSH authorized_keys entries on the device | Backdoor installation |
| Unusual egress connections from the UniFi device | C2 or data exfiltration |
| Unexpected DNS resolver changes | Attacker redirecting DNS traffic |
| UniFi audit log entries showing unauthorized config changes | Confirmed post-exploitation activity |
Post-Remediation Checklist
- Confirm UniFi OS firmware is updated to the patched version (check Ubiquiti advisory for version details)
- Review OS-level command history on the device if accessible
- Audit UniFi configuration for unauthorized changes to firewall, routing, DNS, or VPN
- Rotate all UniFi credentials and Ubiquiti SSO account passwords
- Verify no unauthorized SSH keys or cron jobs exist on the device
- Confirm network segmentation is correct and management access is restricted
- Review firewall/IDS logs for exploitation attempts prior to patching