ZeroPath at Black Hat USA 2026

Brief Summary: CVE-2026-47369 UniFi OS Privilege Escalation via Improper Input Validation (CVSS 9.9)

A short review of CVE-2026-47369, a critical CVSS 9.9 privilege escalation flaw in Ubiquiti UniFi OS that allows low privileged network attackers to escalate privileges on affected devices. Includes patch details, affected device matrix, and chaining context with sibling vulnerabilities from Security Advisory Bulletin 065.

CVE Analysis

10 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-06-11

Brief Summary: CVE-2026-47369 UniFi OS Privilege Escalation via Improper Input Validation (CVSS 9.9)
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A low privileged user on the same network as a Ubiquiti UniFi OS device can exploit an input validation flaw to escalate their privileges on the appliance, and a companion path traversal vulnerability can be chained to remove even that low privilege requirement entirely. CVE-2026-47369, carrying a CVSS 9.9 score, is one of three critical vulnerabilities disclosed in Ubiquiti's Security Advisory Bulletin 065, continuing a pattern of quarterly critical advisories against the UniFi OS platform that began in March 2026.

Ubiquiti's networking equipment is widely deployed across small and mid sized businesses, ISPs, managed service providers, and a large enthusiast community, with the company generating $2.574B in annual revenue in 2025. The broad install base and the appliance's typical placement at the network edge make any critical UniFi OS vulnerability a high priority patching event.

Technical Information

Root Cause: CWE-20 Improper Input Validation

CVE-2026-47369 is classified under CWE-20 (Improper Input Validation). The NVD description states: "A malicious actor with access to the network and low privileges could exploit an Improper Input Validation vulnerability found in certain devices running UniFi OS to escalate privileges within such UniFi OS devices or instances."

The full CVSS 3.1 vector string is AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, which breaks down as follows:

ParameterValueImplication
Attack VectorNetworkExploitable over the network
Attack ComplexityLowNo special conditions required
Privileges RequiredLowAny authenticated low level user suffices
User InteractionNoneNo victim action needed
ScopeChangedImpact extends beyond the vulnerable component
ConfidentialityHighFull read access to the system
IntegrityHighFull write access to the system
AvailabilityHighComplete denial of service possible

The "Scope: Changed" designation is particularly significant. It indicates that successful exploitation allows the attacker to affect resources beyond the security scope of the vulnerable component itself, consistent with a privilege escalation that grants control over the entire UniFi OS device or instance.

What We Know About the Attack Flow

The specific input validation flaw mechanism, including which input field, API endpoint, or protocol is vulnerable, has not been publicly disclosed by Ubiquiti or the discovering researcher. What we can establish from the advisory and surrounding context:

  1. Entry point: An attacker needs network access to the UniFi OS device and a low privilege authenticated session. In many UniFi deployments, this could be any user with a basic account on the management interface.

  2. Exploitation: The attacker submits crafted input that the UniFi OS fails to properly validate, triggering a privilege escalation. The low attack complexity and absence of user interaction requirements indicate this is a straightforward exploitation path.

  3. Outcome: The attacker gains elevated privileges on the UniFi OS device. The exact privilege level attainable (root, admin, or an intermediate role) is not specified in the advisory, but the CVSS impact scores of High across all three categories suggest full system compromise is achievable.

Chaining Context: The Real Threat Multiplier

The advisory for Bulletin 065 contains a detail that significantly changes the risk calculus. CVE-2026-47368, a path traversal vulnerability also patched in this bulletin, carries an explicit note that it "can be chained with other vulnerabilities to eliminate the requirement for low-privileged access." This means the combined chain of CVE-2026-47368 plus CVE-2026-47369 could be exploitable by a completely unauthenticated network attacker, removing the one meaningful barrier to exploitation.

Bulletin 065 also includes CVE-2026-47367, a command injection flaw in the UID Enterprise Agent scoring CVSS 9.9. The advisory distinguishes CVE-2026-47369 (privilege escalation) from its sibling CVE-2026-47370, which shares the same improper input validation root cause but enables command injection instead. Together, these four CVEs present a rich attack surface for chaining.

This chaining concern is not theoretical. BleepingComputer previously reported that the three vulnerabilities from Bulletin 064 (CVE-2026-34908, CVE-2026-34909, CVE-2026-34910, all CVSS 10.0) were demonstrated as chainable to achieve unauthenticated remote code execution with root privileges on UniFi OS. The same pattern of multi-CVE chaining is plausible for Bulletin 065 flaws, though it has not been publicly demonstrated as of the publication date.

Patch Information

Ubiquiti addressed CVE-2026-47369 through a firmware level patch disclosed in Security Advisory Bulletin 065, published on June 10, 2026. Because UniFi OS is proprietary closed source firmware, there are no public source code diffs or commit level changes to inspect. The fix is delivered exclusively through official firmware updates.

The fixed versions vary by device family:

Device FamilyExamplesFixed Version
Gateways and ConsolesUDM, UDM Pro, UDM SE, UDM Pro Max, UDM Beast, EFG, UDW, UDR, UDR7, UDR 5G, Express 7, UCG Ultra, UCG Max, UCG Industrial, UCG FiberUniFi OS 5.1.15 or later
Cloud KeysUCK, UCKP, UCK EnterpriseUniFi OS 5.1.15 or later
NVR DevicesUNVR, UNVR Pro, UNVR Instant, ENVR, ENVR Core, UNVR G2, UNVR G2 ProUniFi OS 5.1.15 or later
UniFi OS ServerServer installationsVersion 5.1.15 or later
NAS DevicesUNAS 2, UNAS 4, UNAS Pro, UNAS Pro 4, UNAS Pro 8Version 5.1.16 or later
Express AppliancesExpress lineVersion 4.0.15 or later

Note that the UNAS line requires version 5.1.16 (not 5.1.15), which bundles UniFi Drive 4.2.2. All other product lines received 5.1.15 builds simultaneously.

Critically, applying this single firmware update addresses the full chaining risk: both CVE-2026-47369 and the companion CVE-2026-47368 (the path traversal that eliminates the low privilege requirement) are resolved by the same update. Organizations should not treat these as separate patching events.

The Canadian Centre for Cyber Security published advisory AV26-589 on June 11, 2026, confirming the availability of these vendor patches.

The vulnerability was credited to security researcher Brandon Rossi (also known as @0xConda), who reported it through Ubiquiti's HackerOne coordinated vulnerability disclosure program.

Affected Systems and Versions

Based on the advisory, the following device families running UniFi OS versions prior to the patched releases are affected:

Gateway and Console Devices (vulnerable below UniFi OS 5.1.15): UDM, UDM Pro, UDM SE, UDM Pro Max, UDM Beast, EFG, UDW, UDR, UDR7, UDR 5G, Express 7, UCG Ultra, UCG Max, UCG Industrial, UCG Fiber

Cloud Key Devices (vulnerable below UniFi OS 5.1.15): UCK, UCKP, UCK Enterprise

NVR Devices (vulnerable below UniFi OS 5.1.15): UNVR, UNVR Pro, UNVR Instant, ENVR, ENVR Core, UNVR G2, UNVR G2 Pro

UniFi OS Server (vulnerable at version 5.0.8 and earlier)

NAS Devices (vulnerable below version 5.1.16): UNAS 2, UNAS 4, UNAS Pro, UNAS Pro 4, UNAS Pro 8

Express Appliances (vulnerable below version 4.0.15)

The UID Enterprise Agent is also affected by a separate vulnerability in the same bulletin (CVE-2026-47367) and requires upgrade to version 1.61.4 or later.

Vendor Security History

Ubiquiti's security track record in 2026 reveals a concentrated pattern of critical disclosures:

DateEventSeverity
January 2021Major data breach via third party cloud provider; whistleblower accused Ubiquiti of downplaying the scopeCritical
March 2026Security Advisory Bulletin 062: Multiple vulnerabilities in UniFi Network Server (self hosted)High
March 2026TrueSec disclosed CVE-2026-22557 (path traversal, CVSS 10.0) and CVE-2026-22558 (NoSQL injection privilege escalation) in UniFi Network ApplicationCritical
May 2026Security Advisory Bulletin 064: Three CVSS 10.0 UniFi OS flaws (CVE-2026-34908, CVE-2026-34909, CVE-2026-34910) chainable for unauthenticated root RCECritical
June 2026Security Advisory Bulletin 065: Three CVSS 9.9 flaws (CVE-2026-47367, CVE-2026-47369, CVE-2026-47370) in UniFi OS and UID Enterprise AgentCritical

Three critical bulletins in a single quarter, with recurring themes of improper input validation and inadequate access control, suggests systemic weaknesses in the UniFi OS platform layer rather than isolated bugs. TrueSec has also noted that Ubiquiti devices have been increasingly targeted by state sponsored groups for botnet operations against U.S. and allied networks, adding operational urgency to the patching cadence.

Organizations running Ubiquiti infrastructure should establish a standing rapid patching workflow for UniFi OS devices. Based on the 2026 cadence, critical advisories are arriving approximately monthly.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization