Cyber Web Spider Blog – News

UniFi OS Server Vulnerability Allows Root Access

Posted on June 8, 2026 By CWS

A serious vulnerability in UniFi OS Server has put many organizations at risk. The flaw, uncovered by security researchers, lets an attacker obtain root access on affected devices without supplying any credentials.

UniFi OS Server is the management platform that hosts UniFi applications such as Network, Protect, and identity services. Its backend services sit behind a single Nginx front end that terminates TLS, enforces authentication, and routes each request to the right service. The vulnerability lies in this proxy layer, which is the core of the security model.

Security Breach in UniFi OS Proxy

Researchers at Bishop Fox identified the vulnerability and confirmed that a single request to a UniFi OS Server can yield a reverse shell with root privileges. Because the server orchestrates core network management, a compromise exposes every secret it stores and can let an attacker keep admin sessions alive even after the patch is applied. It can also reach physical-security components such as door controllers and cameras.

On May 13, 2025, Ubiquiti issued Security Advisory Bulletin SAB-013, detailing five vulnerabilities in the UniFi OS device family. These vulnerabilities, which include improper access control and path traversal issues, are rated CVSS 10.0 (Critical). Exploiting them requires network access to the admin interface, typically on TCP port 443.

Analysis of the Attack Chain

The exploit chain has three stages. The first bypasses the authentication gateway. Nginx issues an auth_request subrequest to the unifi-core Node service to decide whether a request is authenticated, but the gateway and the backend work from different views of the URI, one raw and one normalized. A crafted request can therefore pass the gateway's check under one view and be routed to a protected handler under the other, granting unauthorized access.
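The fix Ubiquiti shipped is described as a URI-normalization guard. The following is an added illustration of that idea, not code from UniFi OS or from the Bishop Fox research: a model of an auth_request-style gateway that computes the canonical form of the request path and refuses any request whose raw and canonical views disagree, so the gateway and the backend router can never be judging two different paths. The route prefixes and the `normalize_uri` / `gateway_decision` names are constructed for the example.

```python
from urllib.parse import unquote

# Constructed example: prefixes that stand in for protected backend routes.
# These are not UniFi's real route names.
PROTECTED_PREFIXES = ("/api/", "/proxy/")


def normalize_uri(raw: str) -> str:
    """Return the canonical view of a request path: drop the query string,
    percent-decode twice (so double-encoded bytes are also resolved), collapse
    repeated slashes, and resolve '.' and '..' segments."""
    path = raw.split("?", 1)[0]
    decoded = unquote(unquote(path))
    segments = []
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    canonical = "/" + "/".join(segments)
    if decoded.endswith("/") and canonical != "/":
        canonical += "/"
    return canonical


def gateway_decision(raw_uri: str, session_valid: bool) -> str:
    """Model of an auth_request-style gateway with a normalization guard.

    The guard fails closed: if the raw path and its canonical form differ at
    all, the gateway and the backend router could disagree about which
    handler the request reaches, so the request is refused before any
    authentication decision is made.
    """
    raw_path = raw_uri.split("?", 1)[0]
    canonical = normalize_uri(raw_uri)
    if canonical != raw_path:
        return "deny: uri view mismatch"
    if canonical.startswith(PROTECTED_PREFIXES) and not session_valid:
        return "deny: unauthenticated"
    return "allow"
```

The guard is deliberately stricter than a production gateway would be: it also rejects legitimately percent-encoded paths, which a real deployment would handle by decoding only unreserved characters before the comparison.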

The second stage reaches the command injection point: a package-update route in the backend builds a command string from user input without validating it. Because shell metacharacters pass through unchanged, the attacker can execute arbitrary commands.
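The patch adds input validation to the package-update backend. As an added example that is not UniFi's code, here is the vulnerable pattern the advisory describes beside its hardened form: a string-built command that a shell would parse, and a version that allowlists the package name and passes it as a single argv element so no shell is involved. The updater path, the Debian-style name rule, and the function names are assumptions made for the example.

```python
import re
import shlex
import subprocess

# Allowlist for package names, modelled on Debian's rules (lowercase letters,
# digits, '.', '+', '-', starting with a letter or digit). This is an
# assumption for the example; UniFi's own package naming may differ.
PACKAGE_NAME = re.compile(r"[a-z0-9][a-z0-9.+-]{0,127}")
UPDATER = "/usr/local/bin/example-updater"  # hypothetical updater, not UniFi's


def build_update_command_unsafe(package: str) -> str:
    """The vulnerable pattern the advisory describes: the package name is
    spliced into one command string that is later handed to a shell, so any
    shell metacharacters in `package` become part of the command line."""
    return f"{UPDATER} install {package}"


def is_valid_package_name(package: str) -> bool:
    """True only if the whole string matches the allowlist."""
    return PACKAGE_NAME.fullmatch(package) is not None


def build_update_command(package: str) -> list:
    """Hardened form: reject anything outside the allowlist, then return an
    argv list so the name is always a single argument and no shell parses it."""
    if not is_valid_package_name(package):
        raise ValueError("rejected package name: " + shlex.quote(package))
    return [UPDATER, "install", package]


def run_update(package: str) -> int:
    """Execute the hardened command without a shell (shell=False is the
    subprocess default). It should run as an unprivileged service account
    with no blanket sudo rights, which is the other half of the fix."""
    return subprocess.run(build_update_command(package), check=False).returncode
```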

The final stage escalates to root. The injected command runs as a service account, but that account holds passwordless sudo rights on several system commands, which is enough to gain full root control.

Immediate Actions for Mitigation

Ubiquiti has addressed these vulnerabilities in UniFi OS Server 3.2.12. The update adds a URI-normalization guard to close the gateway bypass, input validation in the package-update backend, and reduced sudo privileges for the ucs-update account. Organizations are urged to apply the patch promptly and, because secrets stolen before patching remain valid afterwards, to rotate JWT signing keys, log out all sessions, and reset database credentials.

To reduce exposure, restrict the web interface to a management network so the gateway is not reachable from the internet. Because the bypass never submits credentials, there is no failed-login trail to alert on, so proactive controls matter more than reactive detection.

Category: Cyber Security News. Tags: authentication bypass, BishopFox, Cybersecurity, network management, patch update, remote code execution, root access, security vulnerability, Ubiquiti, UniFi OS
