External risk intelligence

UniFi Protect SSRF Vulnerability Allows Privilege Escalation

CVE advisorySeverity: CRITICAL (CVSS 9.9)

CVE-2026-55115

UniFi Protect applications are commonly deployed as network-attached video management systems. While often behind firewalls, they are frequently configured with port forwarding or remote access enabled to allow for internet-based viewing of security camera feeds, making the management interface reachable from the public internet in many common deployment patterns.

Server-Side Request Forgery

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability in UniFi Protect Application could allow a low-privilege attacker with network access to gain elevated control over the host device. This issue is significant due to the common use of UniFi Protect as a network-attached video management system, which is often accessible externally for remote viewing of security camera feeds. Confirming relevance and exposure is the main concern at this time.

  • Unauthenticated network actors can escalate privileges.
  • Protects video management systems from unauthorized control.
  • Verify if your UniFi Protect is exposed and needs review.

Attack Path

How an attacker could exploit the issue

A potentially malicious actor who can access the network and has minimal user rights could exploit this vulnerability. By sending specially crafted requests, they could trick the UniFi Protect Application into making unintended connections to internal or external resources. This could allow the attacker to gain higher privileges on the device hosting the application.

  • Entry condition: Network access with low privileges.
  • Trigger point: Server-Side Request Forgery in the application.
  • Resulting risk: Privilege escalation on the host device.

Live Threat

Current exploitation, exposure, and threat context

A malicious actor with low-level network access could exploit a Server-Side Request Forgery vulnerability within the UniFi Protect Application. This exploit could allow the actor to escalate privileges on the host device, potentially gaining unauthorized control over the system.

  • System access and control.
  • Exploiting network access to the application.
  • Unauthorized privilege escalation.

Operational Fix

Recommended remediation, mitigation, and detection steps

This Server-Side Request Forgery vulnerability in UniFi Protect Application, allowing privilege escalation on the host device, likely requires action from Infrastructure and Security teams. The first practical step is to identify all UniFi Protect instances, determine their network reachability, assess their criticality, and confirm the accountable owner before planning remediation.

  • Infrastructure and Security teams own this.
  • Verify UniFi Protect instances and reachability.
  • Plan remediation based on exposure and criticality.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the UniFi Protect Application?

UniFi Protect is a software application used to manage and record security camera feeds. It functions as a central hub for video surveillance, often running on dedicated network-attached hardware or specialized server appliances to store footage and provide monitoring access.

What does Server-Side Request Forgery mean in CVE-2026-55115?

This vulnerability is classified as CWE-918, or Server-Side Request Forgery. It occurs when an application is tricked into sending requests to unintended locations. In this case, the flaw allows a low-privilege user to force the application to interact with resources it should not access, ultimately enabling them to gain unauthorized administrative control over the host device.

How is this vulnerability triggered?

An attacker must have existing network access and low-level user privileges to trigger the flaw. Simply browsing the application's standard user interface for viewing video does not trigger the bug; the attacker must be able to send specially crafted requests designed to manipulate the application's internal communication processes.

Is my UniFi Protect installation at risk?

According to Halo Surface Signal, risk depends on how your system is deployed. While these systems are typically on internal networks, many are configured with port forwarding or remote access features to allow viewing camera feeds from the internet. If your management interface is reachable from the public internet, the potential for unauthorized access is higher.

What should I do if I run UniFi Protect?

Begin by auditing your environment to locate all active UniFi Protect instances. Once identified, evaluate the network accessibility of each device to determine if it is reachable from outside your local network. Prioritize these instances based on their criticality and ensure you have identified the appropriate team members responsible for applying upcoming official updates.

References