External risk intelligence

UniFi OS Command Injection Vulnerability.

CVE advisorySeverity: CRITICAL (CVSS 9.9)

CVE-2026-47370

An improper input validation vulnerability in UniFi OS devices allows a low-privilege network attacker to execute commands, potentially compromising the device. This issue is critical due to the common use of UniFi OS for network management and control, which may expose these devices to reachability.

4Halo Surface Signal

Command Injection

External exposure likelihood

Halo Surface Signal score for CVE-2026-47370

UniFi OS devices are commonly deployed as network controllers, gateways, and management appliances that are frequently exposed to the internet or accessible via remote management interfaces, making the vulnerable command injection surface reachable in typical deployments.

PCI scan relevance

PCI Relevance for CVE-2026-47370

Yes

CVE-2026-47370 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability allows for command injection, which is a direct violation of PCI DSS requirements for external scans and would cause a scan failure.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified in UniFi OS devices, allowing a low-privilege attacker on the network to potentially take control of these devices. This issue arises from improper handling of input data, which could lead to the execution of arbitrary commands. The primary concern is confirming whether our environment utilizes these specific devices and, if so, understanding the potential exposure.

  • Unvalidated input allows remote command execution.
  • Critical flaw impacts network control and management devices.
  • Confirm relevance and assess exposure to affected devices.

Attack Path

How an attacker could exploit the issue

An attacker with network access and basic user privileges could exploit this vulnerability. By sending specially crafted input, they can trick the device into executing arbitrary commands on the UniFi OS system, potentially leading to a complete compromise of the device.

  • Network access and low privileges required.
  • Vulnerable to improper input validation.
  • Allows command injection and system compromise.

Live Threat

Current exploitation, exposure, and threat context

A malicious actor with low-level network access could exploit this vulnerability to execute arbitrary commands on affected UniFi OS devices. This could potentially lead to a compromise of the device's integrity and control.

  • Asset at risk: UniFi OS devices.
  • How exposure could happen: Network access with low privileges.
  • Realistic consequence: Compromised device integrity and control.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability impacts UniFi OS devices, likely managed by network or security teams. The immediate first step is to identify all instances of the affected technology, determine their network exposure and business criticality, and locate the accountable owner. Remediation planning should then proceed based on assessed risk.

  • Network and security teams own the issue.
  • Verify external reachability and business criticality.
  • Plan coordinated remediation based on risk.

Frequently asked questions

What is UniFi OS?

UniFi OS is a centralized software platform used to manage networking hardware, such as gateways, network controllers, and various site management appliances. It provides the interface and system foundation that administrators use to configure, monitor, and maintain their network infrastructure, often acting as the primary control point for connected devices.

What does CWE-20 mean for CVE-2026-47370?

CWE-20 refers to Improper Input Validation. In the context of this vulnerability, it means the software does not properly check or sanitize the data provided by a user before processing it. Because of this weakness, an attacker can supply specially crafted input that the system mistakenly interprets as valid commands, allowing them to force the device to execute unauthorized actions.

How is this command injection triggered?

This vulnerability is triggered when a user who already has low-level network access provides malicious input to the UniFi OS system. It is important to note that this requires at least basic user privileges on the network; it is not triggered by simple, unauthenticated traffic from an anonymous internet user. The device must be able to process the crafted input through an affected interface for the injection to succeed.

Do I need to worry if my device is on the internet?

Yes, you should prioritize assessment. Halo Surface Signal indicates that UniFi OS devices are frequently used as gateways or management appliances, which are often placed in internet-facing roles. If your device is reachable from the public internet, it significantly increases the likelihood that a malicious actor could attempt to reach the management interface to exploit this command injection.

What are the first steps to secure my environment?

Begin by creating a complete inventory of all UniFi OS instances in your environment. Once identified, determine which devices are accessible from the network or internet and assign ownership to the appropriate technical team. Finally, monitor official vendor channels for update availability and prepare to apply patches as soon as they are released to mitigate the risk of unauthorized system control.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished