Introduction
A critical command injection flaw in Ubiquiti's UID Enterprise Agent allows any low-privilege user with network access to execute arbitrary commands on the host device, with the potential to compromise physical access control systems, VPN infrastructure, and single sign-on tokens in a single stroke. Disclosed as part of Security Advisory Bulletin 065 alongside two other CVSS 9.9 vulnerabilities, CVE-2026-47367 represents the latest in a pattern of severe input validation failures across Ubiquiti's product line in 2026.
The UID Enterprise Agent is a software component deployed on Ubiquiti UniFi Consoles that bridges on-premises network hardware with the cloud-based UID Enterprise Manager. It forms the connective layer of Ubiquiti's identity and access management ecosystem, enforcing centrally managed policies for door access, WiFi authentication, VPN connectivity, and SaaS SSO. Given Ubiquiti's $3+ billion trailing twelve-month revenue and expanding enterprise footprint, the agent sits at a critical junction between IT and physical security infrastructure in a growing number of organizations.
Technical Information
Root Cause: CWE-20 to CWE-77 Chain
CVE-2026-47367 is classified under CWE-20: Improper Input Validation. Per MITRE's definition, CWE-20 occurs when "the product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly." In this case, the UID Enterprise Agent fails to properly validate input, allowing an attacker to inject operating system commands that execute on the host device.
CWE-20 is a root cause weakness that frequently leads to child weaknesses such as CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection'). The attack chain for CVE-2026-47367 follows this parent-to-child pattern: improper input validation at the application layer permits special characters or command sequences to pass through unsanitized, resulting in command injection at the operating system layer.
CVSS Vector Breakdown
The full CVSS 3.1 vector is AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, yielding a base score of 9.9 Critical:
| Parameter | Value | Significance |
|---|---|---|
| Attack Vector | Network | Remotely exploitable |
| Attack Complexity | Low | No special conditions required |
| Privileges Required | Low | Standard user account sufficient |
| User Interaction | None | No victim action needed |
| Scope | Changed | Impact extends beyond the vulnerable component |
| Confidentiality | High | Full information disclosure possible |
| Integrity | High | Complete system modification possible |
| Availability | High | Full denial of service possible |
The Scope: Changed designation is particularly significant. It means the vulnerability in the UID Enterprise Agent can break out and impact resources beyond the agent itself, potentially affecting the entire UniFi Console and the systems it manages.
Attack Vector Analysis
The "low privileges" requirement is a notable escalation from the prior Security Advisory Bulletin 064, which required "high privileges" for its UniFi OS vulnerabilities. This means any low-privilege user on the network, such as a standard employee account, could potentially exploit the flaw, vastly expanding the pool of potential attackers compared to the previous bulletin.
A plausible exploitation path involves an attacker who has gained low-privilege network access, either through a compromised user account, lateral movement from another breach, or presence on the same network segment. The attacker sends crafted input to the UID Enterprise Agent containing command injection payloads. Because the agent fails to properly validate this input, the injected commands execute with the privileges of the agent process on the host device. Given that the agent runs on UniFi Consoles, which often operate with elevated system privileges, command injection could yield control over the entire console.
The UID Enterprise Agent's Role and Blast Radius
The UID Enterprise Agent authenticates to the cloud manager using a Security Token that requires MFA for generation and is time-limited to a 10-minute validity window. While this token mechanism protects the agent-to-cloud channel, CVE-2026-47367 exploits a flaw in how the agent processes input locally on the host device, bypassing the cloud-channel authentication layer entirely. This is a critical architectural distinction: the agent's cloud-facing security controls are robust, but the command injection operates at the local host level, rendering those protections irrelevant.
The agent manages door access, WiFi, VPN, and SSO policies. A successful command injection could therefore grant an attacker control over physical access systems, VPN credentials, and single sign-on tokens, providing a pivot point into the broader enterprise environment that spans both IT and physical security domains.
Chaining Potential with Bulletin 065 Companion CVEs
Security Advisory Bulletin 065 contains three CVSS 9.9 vulnerabilities: command injection (this CVE), privilege escalation, and path traversal. Bishop Fox researchers previously demonstrated that chaining three UniFi OS vulnerabilities (CVE-2026-34908, CVE-2026-34909, CVE-2026-34910) enables unauthenticated root RCE on UniFi consoles. By analogy, an attacker could chain CVE-2026-47367's low-privilege command injection with the privilege escalation and path traversal flaws in the same bulletin to escalate from low-privilege network access to full system compromise without requiring high-privilege credentials. This makes partial remediation (patching only one of the three) an insufficient response.
Patch Information
Ubiquiti released UID Enterprise Agent version 1.61.4 on June 10, 2026, as part of Security Advisory Bulletin 065. The vulnerability affects UID Enterprise Agent version 1.61.3 and earlier. The fix was coordinated through Ubiquiti's HackerOne bug bounty program, with the vulnerability originally reported by security researcher Abdulaziz Almadhi of Catchify Security.
The release notes for version 1.61.4 are characteristically terse, listing "Improved system performance" under Improvements and a single bugfix entry confirming it "Fixed the security issues mentioned in Security Advisory Bulletin 065." No granular code-level diff or implementation details have been publicly shared, consistent with Ubiquiti's closed-source firmware update model. The exact nature of the input validation hardening, such as which input vectors were sanitized or what command injection payloads were blocked, is not disclosed in public documentation.
The patch presumably introduces proper input sanitization to the affected code path in the UID Enterprise Agent, closing off the command injection surface that enabled the scope change reflected in the CVSS vector.
Update paths:
- UID Enterprise Manager interface: Direct update from the cloud management console.
- UniFi Site Manager: Manual update or by enabling Auto Update for automated patch deployment.
Organizations should also upgrade UniFi OS to version 5.1.15 or later to address the companion privilege escalation and path traversal vulnerabilities in Bulletin 065. Patching only the agent without updating UniFi OS leaves the other two CVSS 9.9 flaws unaddressed, enabling potential chaining attacks.
Post-patch verification steps:
- Confirm the UID Enterprise Agent version is 1.61.4 or later via the UID Enterprise Manager or UniFi Site Manager.
- Confirm UniFi OS firmware is 5.1.15 or later on all consoles.
- Check for unauthorized "Super Admin" accounts or unexpected admin invitations, which community reports indicate as indicators of compromise following recent Ubiquiti vulnerabilities.
- Review audit logs for suspicious command execution patterns on consoles hosting the UID Enterprise Agent.
Affected Systems and Versions
| Component | Vulnerable Versions | Fixed Version |
|---|---|---|
| UID Enterprise Agent | 1.61.3 and earlier | 1.61.4 |
| UniFi OS (companion CVEs) | Prior to 5.1.15 | 5.1.15 |
The UID Enterprise Agent runs on Ubiquiti UniFi Consoles. Any deployment where the agent is installed and accessible over the network is potentially vulnerable. The low-privilege requirement means environments where any authenticated user can reach the agent's network interface are at risk.
Vendor Security History
Ubiquiti's 2026 security track record reveals a concerning pattern of critical vulnerabilities across consecutive security bulletins:
| Advisory | Date | Key CVEs | Severity | Products | Privilege Requirement |
|---|---|---|---|---|---|
| Bulletin 062 | March 2026 | CVE-2026-22557, CVE-2026-22558 | Critical/High | UniFi Network Application | Unauthenticated (22557), Authenticated (22558) |
| Bulletin 064 | May 2026 | 5 CVEs | Critical | UniFi OS | High privileges |
| Bulletin 065 | June 2026 | CVE-2026-47367 + 2 others | 9.9 Critical | UID Enterprise Agent, UniFi OS | Low privileges |
The recurrence of CWE-20 (Improper Input Validation) and related weaknesses (CWE-77, CWE-1287) across three consecutive bulletins indicates a systemic issue rather than isolated coding errors. Historical vulnerabilities extend further back as well: CVE-2019-25651 exposed an information disclosure flaw in the UniFi Network Controller using weak AES-CBC encryption.
Bishop Fox researchers independently discovered and chained CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910 for unauthenticated root RCE on UniFi OS Server versions 5.0.6 and earlier, demonstrating the practical exploitability of UniFi OS flaws when combined.
The Cyber Security Agency of Singapore issued formal alert AL-2026-025 covering Ubiquiti UniFi Network Application vulnerabilities, signaling international governmental concern about the vendor's security posture.
Ubiquiti maintains a HackerOne bug bounty program and issues timely advisories with specific patch versions. However, the frequency and severity of disclosures raises questions about the thoroughness of pre-release security testing, particularly around input validation across the product stack. Organizations should anticipate additional CWE-20-derived vulnerabilities in future disclosures and plan their Ubiquiti deployments with defense-in-depth controls that do not rely solely on patching.
Threat Actor Targeting
Ubiquiti devices have a documented history of active exploitation by both state-sponsored and criminal threat actors. According to Truesec, "Ubiquiti has explicitly warned that both state-sponsored threat actors and cybercriminal groups actively target its devices for botnet-building and operational obfuscation."
The most prominent confirmed exploitation involves Russia's GRU military intelligence service. The FBI dismantled a botnet composed of compromised Ubiquiti Edge OS routers operated by the GRU. Following the release of Bulletin 065, Reddit users on r/UNIFI reported unauthorized "Super Admin" account invitations and compromises through WAN-facing interfaces. While these reports are anecdotal, they are consistent with the attack pattern enabled by CVE-2026-47367 and its companion CVEs.
| Threat Actor Type | Confirmed Activity | Targeting Rationale |
|---|---|---|
| Russia GRU (APT) | Botnet of compromised Edge OS routers disrupted by FBI | Relay/proxy infrastructure, persistent access |
| Cybercriminal Groups | Active scanning post-disclosure; botnet recruitment | IoT compromise for DDoS, crypto mining, proxy networks |
| Unknown Actors | Unauthorized Super Admin invitations; WAN compromises | Full network takeover, data exfiltration |
As of June 12, 2026, there is no confirmed evidence of CVE-2026-47367 being exploited in the wild specifically. However, the vulnerability was reported through HackerOne (responsible disclosure), meaning the window between patch availability and public exploit code emergence is typically narrow. The pattern of rapid post-disclosure targeting of Ubiquiti vulnerabilities suggests that delay in patching increases exposure disproportionately.
References
- NVD: CVE-2026-47367
- Ubiquiti Security Advisory Bulletin 065
- UID Enterprise Agent 1.61.4 Release Notes
- Security Online: UniFi OS Vulnerabilities CVSS 9.9
- Ubiquiti Security Advisory Bulletin 062
- Ubiquiti Security Advisory Bulletin 064
- Bulletin 065 Community Discussion
- Managing Your UniFi Consoles and UID Enterprise Agent
- UniFi Identity Product Page
- MITRE CWE-20: Improper Input Validation
- MITRE CWE-77: Command Injection
- Truesec: Vulnerabilities in Ubiquiti UniFi Network Application
- BleepingComputer: Critical UniFi OS Bug Enables Root Without Authentication
- Cyber Security Agency of Singapore Alert AL-2026-025
- Censys Advisory: CVE-2026-22557
- Reddit r/UNIFI: PSA Security Advisory Bulletin 065
- Ubiquiti Community: Exploitation in the Wild of UniFi Devices
- OpenCVE: Ubiquiti CVEs



