ZeroPath at Black Hat USA 2026

UniFi OS Command Injection via CVE-2026-33000: Brief Summary of a Critical Input Validation Flaw

A brief summary of CVE-2026-33000, a CVSS 9.1 command injection vulnerability in Ubiquiti UniFi OS Server caused by improper input validation. Includes patch information, affected versions, and context on the broader Bulletin 064 disclosure.

CVE Analysis

9 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-21

UniFi OS Command Injection via CVE-2026-33000: Brief Summary of a Critical Input Validation Flaw
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

Ubiquiti's latest security advisory quietly dropped five critical vulnerabilities at once, and while three of them scored a perfect CVSS 10.0, the one that should concern defenders thinking about post compromise persistence is CVE-2026-33000. This command injection flaw in UniFi OS Server, carrying a CVSS score of 9.1, allows an attacker with administrative privileges and network access to execute arbitrary operating system commands on the device, potentially achieving root level control over network infrastructure that manages gateways, switches, access points, and surveillance cameras.

The vulnerability was reported by the researcher V3rlust through Ubiquiti's HackerOne bug bounty program and disclosed on May 21, 2026, as part of Security Advisory Bulletin 064. With Censys observing 87,196 exposed UniFi Network Application hosts in recent scans, the potential blast radius of this and its companion vulnerabilities is substantial.

Technical Information

Root Cause: CWE-20 Improper Input Validation

CVE-2026-33000 is rooted in CWE-20 (Improper Input Validation), which MITRE defines as occurring when a product "does not validate or incorrectly validates input that can affect the control flow or data flow of a program." In this case, the improper validation manifests as a classic OS command injection: user supplied input reaches a system level command interpreter without adequate sanitization.

The CVSS v3.1 vector string is CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H. Several elements of this vector are worth unpacking:

  • Attack Vector (AV:N): The vulnerability is exploitable over the network, meaning any attacker who can reach the UniFi OS management interface can attempt exploitation.
  • Attack Complexity (AC:L): No special conditions or race conditions are required. The injection is straightforward once the attacker has access.
  • Privileges Required (PR:H): The attacker must hold elevated, administrative level privileges on the UniFi OS device or within the UniFi management ecosystem.
  • Scope (S:C): The scope is "Changed," meaning successful exploitation impacts resources beyond the vulnerable component itself. This is consistent with command injection on a network gateway or controller, where compromise can cascade to managed devices and network traffic.
  • Impact (C:H/I:H/A:H): All three impact dimensions are rated High, reflecting the potential for full confidentiality, integrity, and availability compromise.

Attack Flow

Based on the advisory details and the vulnerability classification, the exploitation sequence follows this pattern:

  1. Prerequisite: Obtain privileged access. The attacker must first acquire administrative credentials for the UniFi OS device. This could occur through credential theft, phishing, brute force against weak passwords, or by chaining one of the three unauthenticated RCE vulnerabilities (CVE-2026-34908, CVE-2026-34909, CVE-2026-34910) disclosed in the same bulletin.

  2. Identify the vulnerable input. The attacker interacts with a management interface or API endpoint on the UniFi OS Server that accepts user input. The specific endpoint has not been publicly disclosed by Ubiquiti, consistent with their practice of limiting technical detail in advisories.

  3. Inject OS commands. The attacker crafts input containing shell metacharacters or command substitution syntax (such as semicolons, pipes, backticks, or $(...) sequences) that the application fails to sanitize or reject.

  4. Command execution. The unsanitized input is passed to a system level command execution function. The injected commands execute with the privileges of the UniFi OS process, which on these devices typically runs with root or equivalent permissions.

  5. Post exploitation. With command execution on the device, the attacker can intercept network traffic, manipulate DNS settings, pivot laterally across managed networks, exfiltrate configuration data (including credentials for managed devices), or establish persistent backdoor access.

The Bulletin 064 Context: Chaining Risk

CVE-2026-33000 does not exist in isolation. Bulletin 064 addresses five vulnerabilities simultaneously:

CVE IDCVSS ScoreDiscovererKey Characteristic
CVE-2026-330009.1V3rlustCommand injection, requires high privileges
CVE-2026-3490810.0Not specifiedUnauthenticated RCE
CVE-2026-3490910.0Not specifiedUnauthenticated RCE
CVE-2026-3491010.0John CarrollUnauthenticated RCE
CVE-2026-349117.7Hakai SecurityAccess control / path traversal

The co-occurrence of authenticated and unauthenticated flaws in the same firmware version creates a compounding risk. An attacker could use one of the three unauthenticated RCE vulnerabilities to gain initial access, then leverage CVE-2026-33000 for deeper persistence or privilege escalation on the compromised device. The "high privileges required" constraint on CVE-2026-33000 becomes far less protective when the same firmware contains three separate paths to unauthenticated remote code execution.

NVD Enrichment Status

As of the publication date, the NVD record for CVE-2026-33000 has not yet been fully enriched. CPE entries, version specific affected product mappings, and the full CVSS vector have not been published on the NVD page. The sole reference listed is the Ubiquiti Security Advisory Bulletin 064 URL, sourced from HackerOne.

Patch Information

Ubiquiti has released patched firmware as part of Security Advisory Bulletin 064, published on May 21, 2026. The fix is delivered through a firmware update; no source level code diff is available, as UniFi OS is closed source.

For CVE-2026-33000 specifically, the affected product is narrowly scoped:

  • UniFi OS Server: Version 5.0.6 and earlier is vulnerable.
  • Fix: Update to UniFi OS Server version 5.0.8 or later.

While CVE-2026-33000 itself only affects UniFi OS Server, the four companion CVEs in Bulletin 064 affect a much broader range of UniFi OS hardware, including UDM, UDM Pro, UDR, Cloud Keys, NVRs, and others. Those companion CVEs require updates to:

Device FamilyMinimum Patched Version
Most gateways and consoles5.1.12
NAS devices5.1.10
UDM Beast5.1.11

Administrators running any of these device families should apply all relevant updates from the bulletin simultaneously, as the fixes for the broader set of issues are bundled into these releases.

An interesting detail from community discussion: the patched firmware appears to include a startup time integrity check. A MongoDB query runs during boot that searches for URL encoded path traversal patterns (e.g., %2F) within stored admin parameters, likely to detect signs of prior exploitation. Users who observed nreturned:0 in their mongod.log output after updating can treat that as a positive indicator that no malicious payloads were persisted in their configuration database.

Community reports also indicate that updating to UniFi OS 5.1.12 automatically updates bundled applications (Network, Protect) to their latest versions, a behavior introduced in version 5.1.11. This ensures comprehensive patching but may override administrator preferences for application version control.

Ubiquiti published direct links to the patched firmware releases for each device family in the advisory.

Compensating Controls

For organizations unable to immediately apply firmware updates:

  1. Network segmentation: Isolate UniFi OS devices on dedicated management VLANs. Restrict access to the management interface to trusted internal IP ranges only. The UniFi Network Application should never be directly exposed to the internet.
  2. Access control hardening: Review and minimize the number of administrative accounts. Enforce strong, unique passwords for all privileged users.
  3. VPN requirement: Require VPN access for any remote management of UniFi OS consoles. Block direct internet access to management interfaces.
  4. Monitoring: Watch for unusual administrative actions and unexpected command execution on UniFi OS devices during the patching window.

Version Visibility Challenge

A notable difficulty for defenders: the UniFi Network Application does not expose its version number externally, and build hashes in static asset paths vary per version with no public mapping readily available. This makes it difficult to distinguish between vulnerable and patched instances from external observation alone. Organizations should verify patch status through the internal UniFi management dashboard rather than relying on external scanning.

Affected Systems and Versions

Based on the advisory and patch information:

  • UniFi OS Server: Version 5.0.6 and earlier is confirmed vulnerable to CVE-2026-33000. The fix is version 5.0.8 or later.

The broader Bulletin 064 also affects UniFi OS hardware consoles (UDM series, UCG series, UNVR devices, Cloud Keys, and others) for the companion CVEs. Specific CPE entries have not yet been published on the NVD.

Vendor Security History

Ubiquiti has a documented pattern of input validation vulnerabilities across the UniFi product ecosystem. The recurrence of CWE-20 across multiple product lines and years is notable:

BulletinDateVulnerability TypeSeverity
Bulletin 038March 2024Command Injection in Self-Hosted UniFi Network ServerCritical
Bulletin 051July 2025Improper Input Validation in UniFi Access devicesCritical
Bulletin 062March 2026Improper Input Validation in UniFi Network ServerUnauthorized Account Access
Bulletin 063March 2026Path Traversal in UniFi Network Application (CVE-2026-22557)CVSS 10.0
Bulletin 063March 2026NoSQL Injection in UniFi Network Application (CVE-2026-22558)Injection
Bulletin 064May 2026Command Injection + RCE + Access Control (5 CVEs)CVSS 9.1 to 10.0

Additional vulnerabilities outside the bulletin sequence include CVE-2026-22563, a command injection vulnerability in UniFi Play PowerAmp and Audio Port, further demonstrating the breadth of input validation weaknesses across the product line.

The consistent reliance on external researchers via HackerOne for vulnerability discovery, rather than internal security testing catching these issues before release, suggests that Ubiquiti's internal security assurance processes may be under resourced relative to the pace of feature development.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization