Introduction
A low privileged user on the network can inject arbitrary commands into Ubiquiti UniFi OS devices and take complete control of the host, spanning every Cloud Gateway, Dream Machine, UNVR, and self hosted UniFi OS Server in the product line. CVE-2026-47370 carries a CVSS score of 9.9 and is one of three near maximum severity flaws disclosed in Ubiquiti's Security Advisory Bulletin 065, arriving just three weeks after Bulletin 064 delivered three perfect 10.0 CVSS vulnerabilities in the same platform.
Technical Information
Root Cause: CWE-20 Improper Input Validation
CVE-2026-47370 is classified under CWE-20 (Improper Input Validation). The UniFi OS fails to properly validate or sanitize certain inputs before incorporating them into a system command execution context. This allows an attacker to inject and execute arbitrary operating system commands on the underlying device.
The NVD description states: "A malicious actor with access to the network and low privileges could exploit an Improper Input Validation vulnerability found in certain devices running UniFi OS to execute a Command Injection within such UniFi OS devices or instances."
Attack Prerequisites
The exploitation requirements are notably minimal:
| Prerequisite | Detail |
|---|---|
| Network access | The attacker must be able to reach the UniFi OS device over the network |
| Low privileges | Only low level privileges are required; administrative access is not needed |
This low privilege threshold is a meaningful distinction from the related CVE-2026-34910 in Bulletin 064, which required high privileges for its command injection. That earlier flaw was still devastating because Bishop Fox demonstrated it could be chained with CVE-2026-34908 (an authentication bypass) to eliminate the privilege requirement entirely. CVE-2026-47370 starts from a lower baseline, meaning it may be directly exploitable without needing an authentication bypass precursor.
Impact: Full Host Takeover
SecurityOnline characterizes the impact of CVE-2026-47370 as enabling an attacker to "completely hijack the host device, granting them absolute control over network operations." The CVSS 9.9 score reflects severe impacts across confidentiality, integrity, and availability. On a compromised UniFi OS device, this means control over routing, firewall rules, VPN configurations, and potentially lateral access to the entire managed network.
Chaining Potential Within Bulletin 065
CVE-2026-47370 does not exist in isolation. Bulletin 065 addresses five vulnerabilities across UniFi OS and the UID Enterprise Agent:
| CVE | Type | CVSS | Affected Product | Patch Version |
|---|---|---|---|---|
| CVE-2026-47367 | Command Injection | 9.9 | UID Enterprise Agent | 1.61.4 |
| CVE-2026-47368 | Path Traversal | High | UniFi OS | 5.1.15 |
| CVE-2026-47369 | Privilege Escalation | 9.9 | UniFi OS | 5.1.15 |
| CVE-2026-47370 | Command Injection / Host Hijack | 9.9 | UniFi OS | 5.1.15 |
| CVE-2026-48610 | Improper Access Control | Not specified | UniFi OS | 5.1.15 |
The combination of command injection, privilege escalation, path traversal, and improper access control within a single advisory raises serious chaining concerns. CVE-2026-47370 could potentially be combined with CVE-2026-47368 (path traversal) or CVE-2026-47369 (privilege escalation) to amplify impact beyond what any single flaw achieves alone.
Lessons from Bulletin 064: Chaining Is Not Theoretical
Bishop Fox security researcher John Sim published a detailed technical analysis of the Bulletin 064 vulnerabilities demonstrating that CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910 could be chained into a single HTTP request that achieved unauthenticated root shell access. The chain worked as follows:
- Authentication bypass (CVE-2026-34908): Nginx's authentication gateway compared the raw URI against a public route prefix while routing based on a normalized URI, allowing bypass via encoded traversal sequences.
- Path traversal (CVE-2026-34909): The traversal reached internal endpoints not intended to be externally accessible.
- Command injection (CVE-2026-34910): The
package-updateendpoint interpolated an attacker supplied package name verbatim into a shell command via ansh -cwrapper without sanitization.
While the specific code path for CVE-2026-47370 has not been publicly detailed, the structural parallels with Bulletin 064's command injection (unsanitized input reaching a system command interface in the same operating system) suggest a similar pattern. The specific component, whether it is the same package-update / ulp-go component or a different one, remains unknown.
Post Exploitation Considerations
Bishop Fox's analysis of Bulletin 064 revealed that root access on UniFi OS exposes the JWT signing key stored in jwt.yaml. Because UniFi uses symmetric HS256 signing without algorithm pinning, an attacker with this key can forge valid admin session tokens that survive patching. This finding, while specific to Bulletin 064, is directly relevant: any UniFi OS device compromised via CVE-2026-47370 before patching should be assumed to have had its cryptographic material exfiltrated.
Patch Information
Ubiquiti has addressed CVE-2026-47370 through firmware updates documented in Security Advisory Bulletin 065, published on June 10, 2026. The vulnerability was credited to security researcher Brandon Rossi and reported through HackerOne.
The patch introduces improved input validation to neutralize the command injection attack vector. Because this vulnerability resides in Ubiquiti's proprietary UniFi OS firmware, the fix is delivered as closed source firmware updates with no source level code diffs or commits publicly available.
The fixed firmware versions differ by device family, which is important because Ubiquiti ships distinct firmware builds per hardware line:
| Device Family | Examples | Fixed Version | Vulnerable Versions |
|---|---|---|---|
| Most UniFi OS devices | UDM, UDM Pro, UDM SE, UDM Pro Max, EFG, UDW, UDR, UDR7, UDR 5G, Express 7, UCK, UCKP, UCK Enterprise, UNVR, UNVR Pro, UNVR Instant, ENVR, ENVR Core, UNVR G2, UNVR G2 Pro, UCG Ultra, UCG Max, UCG Industrial, UCG Fiber | UniFi OS 5.1.15 or later | 5.1.12 and earlier |
| UDM Beast | UDM Beast | UniFi OS 5.1.15 or later | 5.1.11 and earlier |
| UniFi OS Server | Self hosted | Version 5.1.15 or later | 5.0.8 and earlier |
| UNAS devices | UNAS 2, UNAS 4, UNAS Pro, UNAS Pro 4, UNAS Pro 8 | UniFi OS 5.1.16 or later | 5.1.10 and earlier |
| Express | Express | UniFi OS 4.0.15 or later | 4.0.14 and earlier |
Note the UNAS line requires version 5.1.16 (not 5.1.15), and the Express line follows its own versioning scheme (4.x rather than 5.x). These differences stem from divergent firmware build pipelines across hardware platforms.
Ubiquiti has published individual firmware release pages for each affected product family, all linked from Bulletin 065. Updates are available through the standard Ubiquiti firmware update channels.
Post patch actions for previously exposed systems: Any system that was network accessible and unpatched before the Bulletin 065 release should be treated as potentially compromised. Given the demonstrated ability (from Bulletin 064 research) of attackers to exfiltrate JWT signing keys and forge persistent admin sessions from compromised UniFi OS devices, organizations should perform full credential rotation, session invalidation, and forensic review after applying the update.
Additionally, the UID Enterprise Agent should be updated to version 1.61.4 or later to address CVE-2026-47367. Applying only the UniFi OS update without updating the Enterprise Agent leaves that separate command injection vulnerability unaddressed.
Affected Systems and Versions
CVE-2026-47370 affects the entire UniFi hardware console line running UniFi OS. The specific vulnerable version ranges are:
UniFi OS 5.x devices (most of the product line):
- UDM, UDM Pro, UDM SE, UDM Pro Max: versions 5.1.12 and earlier
- UDM Beast: versions 5.1.11 and earlier
- Enterprise Fortress Gateway (EFG), UDW: versions 5.1.12 and earlier
- UDR, UDR7, UDR 5G: versions 5.1.12 and earlier
- Express 7: versions 5.1.12 and earlier
- UCK, UCKP, UCK Enterprise (Cloud Keys): versions 5.1.12 and earlier
- UNVR, UNVR Pro, UNVR Instant, UNVR G2, UNVR G2 Pro: versions 5.1.12 and earlier
- ENVR, ENVR Core: versions 5.1.12 and earlier
- UCG Ultra, UCG Max, UCG Industrial, UCG Fiber (Cloud Gateways): versions 5.1.12 and earlier
UNAS devices:
- UNAS 2, UNAS 4, UNAS Pro, UNAS Pro 4, UNAS Pro 8: versions 5.1.10 and earlier
Express:
- Express: versions 4.0.14 and earlier
UniFi OS Server (self hosted):
- Versions 5.0.8 and earlier
Vendor Security History
Ubiquiti's recent security track record shows a pattern of critical vulnerabilities concentrated in the UniFi OS platform over a short timeframe:
| Advisory | Date | CVEs | Severity | Vulnerability Types |
|---|---|---|---|---|
| UniFi Network App | March 2026 | CVE-2026-22557, CVE-2026-22558 | CVSS 10.0, High | Path traversal, NoSQL injection |
| Bulletin 064 | May 21, 2026 | CVE-2026-34908, 34909, 34910, 34911 | 3x CVSS 10.0, 1x CVSS 7.7 | Improper access control, path traversal, command injection |
| Bulletin 065 | June 10, 2026 | CVE-2026-47367, 47368, 47369, 47370, 48610 | 3x CVSS 9.9 | Command injection, privilege escalation, path traversal, improper access control |
Three critical advisories within a three month window, each containing maximum or near maximum severity vulnerabilities exploitable remotely, points to a systemic weakness in how UniFi OS handles input sanitization across its components rather than isolated coding errors. The recurring vulnerability types (improper input validation leading to command injection, path traversal enabling further access, privilege escalation) suggest these issues share common architectural roots.
Ubiquiti operates a coordinated vulnerability disclosure program through HackerOne, which is a positive security practice. However, the frequency and severity of recent disclosures indicates the platform's security architecture requires deeper investment in secure development practices, particularly around input validation and command execution paths.
References
- NVD: CVE-2026-47370
- Ubiquiti Security Advisory Bulletin 065
- Security Advisory Bulletin 065 Community Discussion
- SecurityOnline: Critical 9.9 CVSS Ubiquiti UniFi OS Vulnerabilities Exposed
- Bishop Fox: Popping Root on UniFi OS Server: Unauthenticated RCE Chain Detection Analysis
- Reddit PSA: Security Advisory Bulletin 065
- Ubiquiti Security Advisory Bulletin 064
- BleepingComputer: Ubiquiti patches three max severity UniFi OS vulnerabilities
- Singapore CSA: Multiple Vulnerabilities in Ubiquiti UniFi Network Application
- Truesec: Multiple Vulnerabilities in Ubiquiti UniFi Network Application
- OpenCVE: Ubiquiti CVEs and Security Vulnerabilities



