ZeroPath at Black Hat USA 2026

Brief Summary: CVE-2026-48610 Improper Access Control in Ubiquiti UniFi OS Cloud Gateways

A short review of CVE-2026-48610, a CVSS 8.1 improper access control vulnerability in Ubiquiti UniFi OS Cloud Gateways and Dream Machines that allows network adjacent attackers to make unauthorized configuration changes. Includes patch details and affected version information.

CVE Analysis

8 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-06-11

Brief Summary: CVE-2026-48610 Improper Access Control in Ubiquiti UniFi OS Cloud Gateways
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

Ubiquiti's UniFi OS Cloud Gateways and Dream Machines serve as the central management plane for thousands of network deployments, making any access control bypass on these devices a direct path to unauthorized infrastructure changes. CVE-2026-48610, disclosed on June 12, 2026 as part of Ubiquiti Security Advisory Bulletin 065, is a CVSS 8.1 improper access control flaw that allows a network adjacent attacker to modify device configurations without authorization, and it arrives in the context of three consecutive critical security bulletins affecting the same platform in under three months.

Technical Information

Root Cause and Classification

CVE-2026-48610 is classified under CWE-284 (Improper Access Control), a weakness category encompassing failures to properly enforce permissions, privileges, or other security features intended to limit what users or processes can do. The CNA assigned CVSS v3.1 vector is AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H, yielding a score of 8.1 (High). As of the NVD publication date, NIST has not yet provided its own independent CVSS assessment.

The vulnerability exists in the UniFi OS firmware running on Ubiquiti's Cloud Gateway and Dream Machine product families. Per the NVD entry and Ubiquiti's advisory, "under certain network configurations, a malicious actor with access to network could exploit an Improper Access Control vulnerability found in certain devices running UniFi OS to make unauthorized changes to such UniFi OS devices."

Attack Vector Analysis

The CVSS vector specifies AC:H (Attack Complexity: High), indicating that exploitation depends on conditions beyond the attacker's control. The phrase "under certain network configurations" in the advisory description reinforces this: not all deployments are equally vulnerable, and specific setup conditions may amplify or reduce exploitability. Ubiquiti has not publicly disclosed which configurations increase risk.

The PR:N (Privileges Required: None) component is notable. This means the attacker does not need any authenticated session or credentials on the target device to exploit the flaw. Combined with AV:N (Network attack vector), the vulnerability is accessible to any attacker who can reach the device over the network, whether from an adjacent VLAN, a shared VPN segment, a guest Wi-Fi network, or a compromised peer device on the same LAN.

Community analysis on Reddit clarified that the Bulletin 065 vulnerabilities require local network access to exploit and lack direct remote execution capability, distinguishing them from the prior Bulletin 064 vulnerabilities which featured unauthenticated remote code execution with CVSS 10.0 scores. However, the effective attack surface may be broader than a simple "physical LAN" interpretation if management interfaces are reachable across network boundaries.

Impact

The impact ratings across all three CIA triad dimensions are High: confidentiality, integrity, and availability are all fully impacted. In practical terms, CWE-284 vulnerabilities in network device contexts typically enable an attacker to:

  • Modify device configurations and security policies
  • Alter or create administrative accounts
  • Reconfigure network settings (firewall rules, routing, VLAN assignments)
  • Potentially disrupt device availability

Exploitation Mechanism

While the exact technical mechanism has not been publicly detailed by Ubiquiti or the discovering researcher, the CWE-284 classification and the CVSS vector provide meaningful constraints. The vulnerability likely involves bypassing role-based access controls, API authentication checks, or session management on the UniFi OS management interface. An attacker with network reachability to the device could leverage this bypass to issue configuration changes that would normally require administrative authentication.

Chaining Considerations

This vulnerability was disclosed alongside four other flaws in Bulletin 065:

CVECVSSType
CVE-2026-473699.9Command Injection / Privilege Escalation
CVE-2026-473709.9Command Injection / Privilege Escalation
CVE-2026-473688.6Path Traversal
CVE-2026-486108.1Improper Access Control

The bulletin explicitly warns that CVE-2026-47368 (the path traversal flaw) can be chained with other vulnerabilities to bypass authentication requirements. This is consistent with prior behavior: BleepingComputer reported that attackers previously chained three Bulletin 064 vulnerabilities in UniFi OS to execute remote code with root privileges without authentication. The demonstrated chaining precedent means that CVE-2026-48610 could serve as a component in a multi-step attack chain rather than merely a standalone flaw, potentially amplifying the total impact well beyond what the 8.1 score alone suggests.

CVSS Scoring Note

The 8.1 CVSS score originates from the CNA (submitter) rather than NIST's independent analysis. The NVD entry notes "NVD assessment not yet provided." Administrators should monitor the NVD page for updated scoring as NIST completes its review.

Patch Information

Ubiquiti addressed CVE-2026-48610 through firmware updates detailed in Security Advisory Bulletin 065, published on June 10, 2026. Because UniFi OS is proprietary firmware, there are no public source code commits or diffs to inspect. The fix was delivered exclusively through over the air (or manually applied) firmware upgrades.

The scope of affected devices for this specific CVE is narrower than some of the other vulnerabilities in the same bulletin. Only Ubiquiti's Cloud Gateway and Dream Machine product families are impacted, not the Cloud Keys, NVRs, NAS devices, or the standalone Express. The exact affected product list and patched firmware versions are:

Affected DevicesVulnerable VersionFixed Version
UDM, UDM-Pro, UDM-SE, UDM-Pro-Max, EFG, UDW, UDR, UDR7, UDR-5G, Express 7, UCG-Ultra, UCG-Max, UCG-Industrial, UCG-Fiber5.1.12 and earlier5.1.15 or later
UDM-Beast5.1.11 and earlier5.1.15 or later

The corresponding release notes for UniFi OS Cloud Gateways 5.1.15 explicitly confirm the fix with the entry: "Fixed the security issues mentioned in Security Advisory Bulletin 065." Alongside the security fix, version 5.1.15 also bundled UniFi Network 10.4.57, improved system stability, and resolved unrelated bugs around DNS over IPv6 and WAN DHCP handling.

Because firmware version 5.1.15 is a composite security release addressing the entire attack surface disclosed in Bulletin 065 (including two CVSS 9.9 command injection and privilege escalation flaws and an 8.6 path traversal vulnerability that can be chained to bypass authentication), the upgrade is particularly urgent. Administrators should verify their device firmware via the UniFi OS dashboard or the Ubiquiti mobile app to confirm version 5.1.15 (or later) is active.

Compensating controls while patches are being deployed:

MitigationPriorityDetails
Update to UniFi OS 5.1.15+CriticalPrimary remediation per vendor advisory
Network segmentationHighRestrict access to management interfaces via dedicated VLANs
Disable WAN exposed managementHighEliminate remote exploitation vector; use VPN for remote admin
Audit log reviewMediumCheck for unauthorized configuration changes or unexpected admin accounts
Self-hosted controllerMediumReduces cloud connected attack surface

Affected Systems and Versions

CVE-2026-48610 affects Ubiquiti's Cloud Gateway and Dream Machine product families running UniFi OS. The specific affected devices and version ranges are:

Vulnerable at version 5.1.12 and earlier:

  • UDM (UniFi Dream Machine)
  • UDM-Pro
  • UDM-SE
  • UDM-Pro-Max
  • EFG
  • UDW
  • UDR
  • UDR7
  • UDR-5G
  • Express 7
  • UCG-Ultra
  • UCG-Max
  • UCG-Industrial
  • UCG-Fiber

Vulnerable at version 5.1.11 and earlier:

  • UDM-Beast

Not affected by this specific CVE (though affected by other Bulletin 065 vulnerabilities):

  • Cloud Keys (UCK, UCKP, UCK-Enterprise)
  • NVR devices
  • NAS devices
  • Standalone Express

All listed devices are remediated in UniFi OS version 5.1.15 or later.

The vulnerability is configuration dependent. The advisory states exploitation requires "certain network configurations," though Ubiquiti has not specified which configurations increase exposure. Deployments where management interfaces are reachable from untrusted network segments (guest Wi-Fi, shared VPNs, insufficiently segmented VLANs) carry elevated risk.

Vendor Security History

Ubiquiti's security posture in 2026 has drawn significant concern from the security community. The company has published at least three Security Advisory Bulletins addressing critical vulnerabilities in approximately three months:

BulletinDateKey CVEsMax CVSSVulnerability Types
Bulletin 062March 18, 2026CVE-2026-22557, CVE-2026-2255810.0Path traversal (unauthenticated), NoSQL injection (authenticated)
Bulletin 064May 21, 2026CVE-2026-34908, CVE-2026-34909, CVE-2026-3491010.0Improper access control, path traversal, command injection
Bulletin 065June 10, 2026CVE-2026-48610 + 3 others9.9Improper access control, command injection, privilege escalation, path traversal

The OpenCVE database lists at least 31 CVEs attributed to Ubiquiti across its product lines, with multiple CVSS 10.0 entries. The pattern of maximum severity vulnerabilities in core platform software occurring in rapid succession suggests systemic weaknesses in Ubiquiti's secure development lifecycle, particularly around input validation and access control enforcement.

Beyond the 2026 bulletins, Ubiquiti has a history of significant security issues, including legacy CVEs from 2019 involving weak AES-CBC encryption (CVE-2019-25651, CVSS 8.3) and improper certificate verification in SMTP connections (CVE-2019-25652, CVSS 7.5). Earlier product lines including airMAX, UBB, and UniFi Play have also been affected by remote code execution vulnerabilities.

From a threat intelligence perspective, Ubiquiti devices have been specifically targeted by state-sponsored threat actors. In February 2024, the FBI dismantled a botnet of compromised Ubiquiti Edge OS routers operated by Russia's GRU (Unit 26165) for proxying malicious traffic against the United States and allied nations.

Community sentiment has also been notable. Users on the r/UNIFI subreddit have reported difficulty accessing official security bulletins on Ubiquiti's community platform, with persistent errors on the community.ui.com pages. Multiple users expressed frustration with unreliable security notification emails, effectively extending the window of exposure by delaying administrator awareness. Some users have reported isolating devices from cloud management entirely, with others describing the cloud connected architecture as a "total security disaster."

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization