Introduction
Ubiquiti's UniFi OS Cloud Gateways and Dream Machines serve as the central management plane for thousands of network deployments, making any access control bypass on these devices a direct path to unauthorized infrastructure changes. CVE-2026-48610, disclosed on June 12, 2026 as part of Ubiquiti Security Advisory Bulletin 065, is a CVSS 8.1 improper access control flaw that allows a network adjacent attacker to modify device configurations without authorization, and it arrives in the context of three consecutive critical security bulletins affecting the same platform in under three months.
Technical Information
Root Cause and Classification
CVE-2026-48610 is classified under CWE-284 (Improper Access Control), a weakness category encompassing failures to properly enforce permissions, privileges, or other security features intended to limit what users or processes can do. The CNA assigned CVSS v3.1 vector is AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H, yielding a score of 8.1 (High). As of the NVD publication date, NIST has not yet provided its own independent CVSS assessment.
The vulnerability exists in the UniFi OS firmware running on Ubiquiti's Cloud Gateway and Dream Machine product families. Per the NVD entry and Ubiquiti's advisory, "under certain network configurations, a malicious actor with access to network could exploit an Improper Access Control vulnerability found in certain devices running UniFi OS to make unauthorized changes to such UniFi OS devices."
Attack Vector Analysis
The CVSS vector specifies AC:H (Attack Complexity: High), indicating that exploitation depends on conditions beyond the attacker's control. The phrase "under certain network configurations" in the advisory description reinforces this: not all deployments are equally vulnerable, and specific setup conditions may amplify or reduce exploitability. Ubiquiti has not publicly disclosed which configurations increase risk.
The PR:N (Privileges Required: None) component is notable. This means the attacker does not need any authenticated session or credentials on the target device to exploit the flaw. Combined with AV:N (Network attack vector), the vulnerability is accessible to any attacker who can reach the device over the network, whether from an adjacent VLAN, a shared VPN segment, a guest Wi-Fi network, or a compromised peer device on the same LAN.
Community analysis on Reddit clarified that the Bulletin 065 vulnerabilities require local network access to exploit and lack direct remote execution capability, distinguishing them from the prior Bulletin 064 vulnerabilities which featured unauthenticated remote code execution with CVSS 10.0 scores. However, the effective attack surface may be broader than a simple "physical LAN" interpretation if management interfaces are reachable across network boundaries.
Impact
The impact ratings across all three CIA triad dimensions are High: confidentiality, integrity, and availability are all fully impacted. In practical terms, CWE-284 vulnerabilities in network device contexts typically enable an attacker to:
- Modify device configurations and security policies
- Alter or create administrative accounts
- Reconfigure network settings (firewall rules, routing, VLAN assignments)
- Potentially disrupt device availability
Exploitation Mechanism
While the exact technical mechanism has not been publicly detailed by Ubiquiti or the discovering researcher, the CWE-284 classification and the CVSS vector provide meaningful constraints. The vulnerability likely involves bypassing role-based access controls, API authentication checks, or session management on the UniFi OS management interface. An attacker with network reachability to the device could leverage this bypass to issue configuration changes that would normally require administrative authentication.
Chaining Considerations
This vulnerability was disclosed alongside four other flaws in Bulletin 065:
| CVE | CVSS | Type |
|---|---|---|
| CVE-2026-47369 | 9.9 | Command Injection / Privilege Escalation |
| CVE-2026-47370 | 9.9 | Command Injection / Privilege Escalation |
| CVE-2026-47368 | 8.6 | Path Traversal |
| CVE-2026-48610 | 8.1 | Improper Access Control |
The bulletin explicitly warns that CVE-2026-47368 (the path traversal flaw) can be chained with other vulnerabilities to bypass authentication requirements. This is consistent with prior behavior: BleepingComputer reported that attackers previously chained three Bulletin 064 vulnerabilities in UniFi OS to execute remote code with root privileges without authentication. The demonstrated chaining precedent means that CVE-2026-48610 could serve as a component in a multi-step attack chain rather than merely a standalone flaw, potentially amplifying the total impact well beyond what the 8.1 score alone suggests.
CVSS Scoring Note
The 8.1 CVSS score originates from the CNA (submitter) rather than NIST's independent analysis. The NVD entry notes "NVD assessment not yet provided." Administrators should monitor the NVD page for updated scoring as NIST completes its review.
Patch Information
Ubiquiti addressed CVE-2026-48610 through firmware updates detailed in Security Advisory Bulletin 065, published on June 10, 2026. Because UniFi OS is proprietary firmware, there are no public source code commits or diffs to inspect. The fix was delivered exclusively through over the air (or manually applied) firmware upgrades.
The scope of affected devices for this specific CVE is narrower than some of the other vulnerabilities in the same bulletin. Only Ubiquiti's Cloud Gateway and Dream Machine product families are impacted, not the Cloud Keys, NVRs, NAS devices, or the standalone Express. The exact affected product list and patched firmware versions are:
| Affected Devices | Vulnerable Version | Fixed Version |
|---|---|---|
| UDM, UDM-Pro, UDM-SE, UDM-Pro-Max, EFG, UDW, UDR, UDR7, UDR-5G, Express 7, UCG-Ultra, UCG-Max, UCG-Industrial, UCG-Fiber | 5.1.12 and earlier | 5.1.15 or later |
| UDM-Beast | 5.1.11 and earlier | 5.1.15 or later |
The corresponding release notes for UniFi OS Cloud Gateways 5.1.15 explicitly confirm the fix with the entry: "Fixed the security issues mentioned in Security Advisory Bulletin 065." Alongside the security fix, version 5.1.15 also bundled UniFi Network 10.4.57, improved system stability, and resolved unrelated bugs around DNS over IPv6 and WAN DHCP handling.
Because firmware version 5.1.15 is a composite security release addressing the entire attack surface disclosed in Bulletin 065 (including two CVSS 9.9 command injection and privilege escalation flaws and an 8.6 path traversal vulnerability that can be chained to bypass authentication), the upgrade is particularly urgent. Administrators should verify their device firmware via the UniFi OS dashboard or the Ubiquiti mobile app to confirm version 5.1.15 (or later) is active.
Compensating controls while patches are being deployed:
| Mitigation | Priority | Details |
|---|---|---|
| Update to UniFi OS 5.1.15+ | Critical | Primary remediation per vendor advisory |
| Network segmentation | High | Restrict access to management interfaces via dedicated VLANs |
| Disable WAN exposed management | High | Eliminate remote exploitation vector; use VPN for remote admin |
| Audit log review | Medium | Check for unauthorized configuration changes or unexpected admin accounts |
| Self-hosted controller | Medium | Reduces cloud connected attack surface |
Affected Systems and Versions
CVE-2026-48610 affects Ubiquiti's Cloud Gateway and Dream Machine product families running UniFi OS. The specific affected devices and version ranges are:
Vulnerable at version 5.1.12 and earlier:
- UDM (UniFi Dream Machine)
- UDM-Pro
- UDM-SE
- UDM-Pro-Max
- EFG
- UDW
- UDR
- UDR7
- UDR-5G
- Express 7
- UCG-Ultra
- UCG-Max
- UCG-Industrial
- UCG-Fiber
Vulnerable at version 5.1.11 and earlier:
- UDM-Beast
Not affected by this specific CVE (though affected by other Bulletin 065 vulnerabilities):
- Cloud Keys (UCK, UCKP, UCK-Enterprise)
- NVR devices
- NAS devices
- Standalone Express
All listed devices are remediated in UniFi OS version 5.1.15 or later.
The vulnerability is configuration dependent. The advisory states exploitation requires "certain network configurations," though Ubiquiti has not specified which configurations increase exposure. Deployments where management interfaces are reachable from untrusted network segments (guest Wi-Fi, shared VPNs, insufficiently segmented VLANs) carry elevated risk.
Vendor Security History
Ubiquiti's security posture in 2026 has drawn significant concern from the security community. The company has published at least three Security Advisory Bulletins addressing critical vulnerabilities in approximately three months:
| Bulletin | Date | Key CVEs | Max CVSS | Vulnerability Types |
|---|---|---|---|---|
| Bulletin 062 | March 18, 2026 | CVE-2026-22557, CVE-2026-22558 | 10.0 | Path traversal (unauthenticated), NoSQL injection (authenticated) |
| Bulletin 064 | May 21, 2026 | CVE-2026-34908, CVE-2026-34909, CVE-2026-34910 | 10.0 | Improper access control, path traversal, command injection |
| Bulletin 065 | June 10, 2026 | CVE-2026-48610 + 3 others | 9.9 | Improper access control, command injection, privilege escalation, path traversal |
The OpenCVE database lists at least 31 CVEs attributed to Ubiquiti across its product lines, with multiple CVSS 10.0 entries. The pattern of maximum severity vulnerabilities in core platform software occurring in rapid succession suggests systemic weaknesses in Ubiquiti's secure development lifecycle, particularly around input validation and access control enforcement.
Beyond the 2026 bulletins, Ubiquiti has a history of significant security issues, including legacy CVEs from 2019 involving weak AES-CBC encryption (CVE-2019-25651, CVSS 8.3) and improper certificate verification in SMTP connections (CVE-2019-25652, CVSS 7.5). Earlier product lines including airMAX, UBB, and UniFi Play have also been affected by remote code execution vulnerabilities.
From a threat intelligence perspective, Ubiquiti devices have been specifically targeted by state-sponsored threat actors. In February 2024, the FBI dismantled a botnet of compromised Ubiquiti Edge OS routers operated by Russia's GRU (Unit 26165) for proxying malicious traffic against the United States and allied nations.
Community sentiment has also been notable. Users on the r/UNIFI subreddit have reported difficulty accessing official security bulletins on Ubiquiti's community platform, with persistent errors on the community.ui.com pages. Multiple users expressed frustration with unreliable security notification emails, effectively extending the window of exposure by delaying administrator awareness. Some users have reported isolating devices from cloud management entirely, with others describing the cloud connected architecture as a "total security disaster."
References
- CVE-2026-48610 Detail, NVD
- Security Advisory Bulletin 065, Ubiquiti Community
- UniFi OS Cloud Gateways 5.1.15 Release Notes
- PT Security Vulnerability Database: PT-2026-48825
- Security Advisory Bulletin 065 Discussion, Ubiquiti Community
- Reddit r/UNIFI: PSA Security Advisory Bulletin 065
- TrueSec: Multiple Vulnerabilities in Ubiquiti UniFi Network Application
- Security Advisory Bulletin 064, Ubiquiti Community
- Security Advisory Bulletin 062, Ubiquiti Community
- Cyber Security Agency of Singapore: Multiple Vulnerabilities in Ubiquiti UniFi Network Application
- OpenCVE: Ubiquiti CVEs and Security Vulnerabilities
- OpenText Cybersecurity: Critical UniFi OS Bug Lets Hackers Gain Root Without Authentication



