Introduction
Ubiquiti's latest security advisory quietly dropped five critical vulnerabilities at once, and while three of them scored a perfect CVSS 10.0, the one that should concern defenders thinking about post compromise persistence is CVE-2026-33000. This command injection flaw in UniFi OS Server, carrying a CVSS score of 9.1, allows an attacker with administrative privileges and network access to execute arbitrary operating system commands on the device, potentially achieving root level control over network infrastructure that manages gateways, switches, access points, and surveillance cameras.
The vulnerability was reported by the researcher V3rlust through Ubiquiti's HackerOne bug bounty program and disclosed on May 21, 2026, as part of Security Advisory Bulletin 064. With Censys observing 87,196 exposed UniFi Network Application hosts in recent scans, the potential blast radius of this and its companion vulnerabilities is substantial.
Technical Information
Root Cause: CWE-20 Improper Input Validation
CVE-2026-33000 is rooted in CWE-20 (Improper Input Validation), which MITRE defines as occurring when a product "does not validate or incorrectly validates input that can affect the control flow or data flow of a program." In this case, the improper validation manifests as a classic OS command injection: user supplied input reaches a system level command interpreter without adequate sanitization.
The CVSS v3.1 vector string is CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H. Several elements of this vector are worth unpacking:
- Attack Vector (AV:N): The vulnerability is exploitable over the network, meaning any attacker who can reach the UniFi OS management interface can attempt exploitation.
- Attack Complexity (AC:L): No special conditions or race conditions are required. The injection is straightforward once the attacker has access.
- Privileges Required (PR:H): The attacker must hold elevated, administrative level privileges on the UniFi OS device or within the UniFi management ecosystem.
- Scope (S:C): The scope is "Changed," meaning successful exploitation impacts resources beyond the vulnerable component itself. This is consistent with command injection on a network gateway or controller, where compromise can cascade to managed devices and network traffic.
- Impact (C:H/I:H/A:H): All three impact dimensions are rated High, reflecting the potential for full confidentiality, integrity, and availability compromise.
Attack Flow
Based on the advisory details and the vulnerability classification, the exploitation sequence follows this pattern:
-
Prerequisite: Obtain privileged access. The attacker must first acquire administrative credentials for the UniFi OS device. This could occur through credential theft, phishing, brute force against weak passwords, or by chaining one of the three unauthenticated RCE vulnerabilities (CVE-2026-34908, CVE-2026-34909, CVE-2026-34910) disclosed in the same bulletin.
-
Identify the vulnerable input. The attacker interacts with a management interface or API endpoint on the UniFi OS Server that accepts user input. The specific endpoint has not been publicly disclosed by Ubiquiti, consistent with their practice of limiting technical detail in advisories.
-
Inject OS commands. The attacker crafts input containing shell metacharacters or command substitution syntax (such as semicolons, pipes, backticks, or
$(...)sequences) that the application fails to sanitize or reject. -
Command execution. The unsanitized input is passed to a system level command execution function. The injected commands execute with the privileges of the UniFi OS process, which on these devices typically runs with root or equivalent permissions.
-
Post exploitation. With command execution on the device, the attacker can intercept network traffic, manipulate DNS settings, pivot laterally across managed networks, exfiltrate configuration data (including credentials for managed devices), or establish persistent backdoor access.
The Bulletin 064 Context: Chaining Risk
CVE-2026-33000 does not exist in isolation. Bulletin 064 addresses five vulnerabilities simultaneously:
| CVE ID | CVSS Score | Discoverer | Key Characteristic |
|---|---|---|---|
| CVE-2026-33000 | 9.1 | V3rlust | Command injection, requires high privileges |
| CVE-2026-34908 | 10.0 | Not specified | Unauthenticated RCE |
| CVE-2026-34909 | 10.0 | Not specified | Unauthenticated RCE |
| CVE-2026-34910 | 10.0 | John Carroll | Unauthenticated RCE |
| CVE-2026-34911 | 7.7 | Hakai Security | Access control / path traversal |
The co-occurrence of authenticated and unauthenticated flaws in the same firmware version creates a compounding risk. An attacker could use one of the three unauthenticated RCE vulnerabilities to gain initial access, then leverage CVE-2026-33000 for deeper persistence or privilege escalation on the compromised device. The "high privileges required" constraint on CVE-2026-33000 becomes far less protective when the same firmware contains three separate paths to unauthenticated remote code execution.
NVD Enrichment Status
As of the publication date, the NVD record for CVE-2026-33000 has not yet been fully enriched. CPE entries, version specific affected product mappings, and the full CVSS vector have not been published on the NVD page. The sole reference listed is the Ubiquiti Security Advisory Bulletin 064 URL, sourced from HackerOne.
Patch Information
Ubiquiti has released patched firmware as part of Security Advisory Bulletin 064, published on May 21, 2026. The fix is delivered through a firmware update; no source level code diff is available, as UniFi OS is closed source.
For CVE-2026-33000 specifically, the affected product is narrowly scoped:
- UniFi OS Server: Version 5.0.6 and earlier is vulnerable.
- Fix: Update to UniFi OS Server version 5.0.8 or later.
While CVE-2026-33000 itself only affects UniFi OS Server, the four companion CVEs in Bulletin 064 affect a much broader range of UniFi OS hardware, including UDM, UDM Pro, UDR, Cloud Keys, NVRs, and others. Those companion CVEs require updates to:
| Device Family | Minimum Patched Version |
|---|---|
| Most gateways and consoles | 5.1.12 |
| NAS devices | 5.1.10 |
| UDM Beast | 5.1.11 |
Administrators running any of these device families should apply all relevant updates from the bulletin simultaneously, as the fixes for the broader set of issues are bundled into these releases.
An interesting detail from community discussion: the patched firmware appears to include a startup time integrity check. A MongoDB query runs during boot that searches for URL encoded path traversal patterns (e.g., %2F) within stored admin parameters, likely to detect signs of prior exploitation. Users who observed nreturned:0 in their mongod.log output after updating can treat that as a positive indicator that no malicious payloads were persisted in their configuration database.
Community reports also indicate that updating to UniFi OS 5.1.12 automatically updates bundled applications (Network, Protect) to their latest versions, a behavior introduced in version 5.1.11. This ensures comprehensive patching but may override administrator preferences for application version control.
Ubiquiti published direct links to the patched firmware releases for each device family in the advisory.
Compensating Controls
For organizations unable to immediately apply firmware updates:
- Network segmentation: Isolate UniFi OS devices on dedicated management VLANs. Restrict access to the management interface to trusted internal IP ranges only. The UniFi Network Application should never be directly exposed to the internet.
- Access control hardening: Review and minimize the number of administrative accounts. Enforce strong, unique passwords for all privileged users.
- VPN requirement: Require VPN access for any remote management of UniFi OS consoles. Block direct internet access to management interfaces.
- Monitoring: Watch for unusual administrative actions and unexpected command execution on UniFi OS devices during the patching window.
Version Visibility Challenge
A notable difficulty for defenders: the UniFi Network Application does not expose its version number externally, and build hashes in static asset paths vary per version with no public mapping readily available. This makes it difficult to distinguish between vulnerable and patched instances from external observation alone. Organizations should verify patch status through the internal UniFi management dashboard rather than relying on external scanning.
Affected Systems and Versions
Based on the advisory and patch information:
- UniFi OS Server: Version 5.0.6 and earlier is confirmed vulnerable to CVE-2026-33000. The fix is version 5.0.8 or later.
The broader Bulletin 064 also affects UniFi OS hardware consoles (UDM series, UCG series, UNVR devices, Cloud Keys, and others) for the companion CVEs. Specific CPE entries have not yet been published on the NVD.
Vendor Security History
Ubiquiti has a documented pattern of input validation vulnerabilities across the UniFi product ecosystem. The recurrence of CWE-20 across multiple product lines and years is notable:
| Bulletin | Date | Vulnerability Type | Severity |
|---|---|---|---|
| Bulletin 038 | March 2024 | Command Injection in Self-Hosted UniFi Network Server | Critical |
| Bulletin 051 | July 2025 | Improper Input Validation in UniFi Access devices | Critical |
| Bulletin 062 | March 2026 | Improper Input Validation in UniFi Network Server | Unauthorized Account Access |
| Bulletin 063 | March 2026 | Path Traversal in UniFi Network Application (CVE-2026-22557) | CVSS 10.0 |
| Bulletin 063 | March 2026 | NoSQL Injection in UniFi Network Application (CVE-2026-22558) | Injection |
| Bulletin 064 | May 2026 | Command Injection + RCE + Access Control (5 CVEs) | CVSS 9.1 to 10.0 |
Additional vulnerabilities outside the bulletin sequence include CVE-2026-22563, a command injection vulnerability in UniFi Play PowerAmp and Audio Port, further demonstrating the breadth of input validation weaknesses across the product line.
The consistent reliance on external researchers via HackerOne for vulnerability discovery, rather than internal security testing catching these issues before release, suggests that Ubiquiti's internal security assurance processes may be under resourced relative to the pace of feature development.
References
- NVD: CVE-2026-33000
- Ubiquiti Security Advisory Bulletin 064
- Security Advisory Bulletin 064: Community Discussion
- Reddit PSA: Update UniFi OS Now
- Reddit: Security Advisory Bulletin 064 Discussion
- CSA Singapore Alert AL-2026-025: Multiple Vulnerabilities in Ubiquiti UniFi
- Censys Advisory: CVE-2026-22557 UniFi Path Traversal
- CyCognito: Emerging Threat on Ubiquiti UniFi
- Truesec: Multiple Vulnerabilities in Ubiquiti UniFi Network Application
- MITRE CWE-20: Improper Input Validation
- Ubiquiti Security Advisory Bulletin 038
- Ubiquiti Security Advisory Bulletin 051
- Ubiquiti Security Advisory Bulletin 062
- CISA Known Exploited Vulnerabilities Catalog



