External risk intelligence

UniFi OS devices allow attackers with existing access to run commands and control your systems.

CVE advisorySeverity: CRITICAL (CVSS 9.1)

CVE-2026-33000

An internal attacker with high-level access to UniFi OS devices can misuse input features to run unauthorized commands. This could allow them to gain total control over critical network infrastructure and install persistent access.

3Halo Surface Signal

Command Injection

External exposure likelihood

Halo Surface Signal score for CVE-2026-33000

The vulnerability affects the management interface of UniFi OS devices. These products are often deployed as edge gateways, but their administrative portals are typically intended for internal use rather than public internet exposure. While reachability exists in some configurations, it is not a standard design pattern to expose these specific management interfaces to the open internet.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Horizon Alert

Summary of the vulnerability and why it matters

An Improper Input Validation flaw in UniFi OS allows a privileged user on the network to execute commands. This is serious because it can let an attacker take full control of affected devices.

  • Could lead to full device compromise.
  • Affects users with high network privileges.
  • Requires attacker to be on the network.

Attack Path

How an attacker could exploit the issue

An attacker with high network privileges could exploit this flaw to gain root access on UniFi OS devices. This would allow them to execute arbitrary commands, potentially leading to complete system compromise and data theft.

  • High privileges required.
  • Targets UniFi OS management interface.
  • Network access is sufficient.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability allows for command injection on UniFi OS devices but requires network access and high privileges. While the vulnerability is critical, the prerequisite of authenticated access makes it less appealing for mass exploitation. Attackers would likely target specific, high-value networks where they already have a foothold.

  • Requires prior network access.
  • Requires high privilege level.
  • No known exploit in the wild.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize containment and active monitoring for affected UniFi OS devices. Given the critical severity and potential for command injection with high privileges, immediate isolation of any suspected compromised systems is crucial. Focus on identifying unauthorized network access and command execution attempts within your UniFi environment.

  • Isolate affected UniFi OS devices.
  • Monitor network traffic for suspicious commands.
  • Investigate access logs for privilege escalation.

Frequently asked questions

What is UniFi OS and what is it used for?

UniFi OS is the operating system that runs on various Ubiquiti UniFi devices, such as gateways and network controllers. It is used to manage and control network infrastructure, providing features for network security, performance monitoring, and device configuration.

How does the CVE-2026-33000 vulnerability work?

CVE-2026-33000 is an Improper Input Validation vulnerability. This means the software does not correctly check the data it receives, allowing a malicious actor to inject and execute commands on the affected UniFi OS devices. This could lead to a complete compromise of the device.

What are the conditions needed to trigger CVE-2026-33000?

To exploit this vulnerability, an attacker must already have network access and possess high privileges on the UniFi OS device. The vulnerability is not triggered by unauthorized users or by simply accessing the device's management interface without the necessary permissions.

Who should be concerned about this UniFi OS vulnerability?

Organizations using UniFi OS devices should be concerned. While the vulnerability requires privileged network access, which often means internal access, the potential for control over network devices makes it relevant for maintaining network integrity.

What is the first step to respond to this threat?

The immediate first step is to isolate any potentially affected UniFi OS devices from the network to prevent further compromise. It is also crucial to closely monitor network traffic for any suspicious command executions and review access logs for signs of unauthorized activity.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished