Hackers Claim All-Powerful Access With One Simple UniFi Zero-Day

By 813 Staff

Hackers claim all-powerful access with one simple UniFi zero-day, according to a post from BleepingComputer (@BleepinComputer) in the last 24 hours.

Source: https://x.com/BleepinComputer/status/2064012475104694540

“We’re seeing active scanning within hours of the disclosure,” one security engineer working with affected organizations told me this morning. Another developer who maintains a large UniFi deployment said, “This is as bad as it gets for on-prem gear—no auth needed, full root.” The bug in question, documented in a flurry of internal memos circulating among Ubiquiti’s security team, is a critical authentication bypass in UniFi OS that lets an unauthenticated attacker gain root access to the underlying system. According to a report from BleepingComputer (@BleepinComputer), the vulnerability is currently under active exploitation, and Ubiquiti has not yet released a patch. The flaw, tracked as a pre-auth command injection, was first reported to the company in late May, but the rollout of a fix has been anything but smooth. Engineers close to the project say Ubiquiti initially planned a staggered firmware update, but the discovery of proof-of-concept code in underground forums forced the issue into the open.

The vulnerability affects the UniFi OS web interface, which is exposed by default on many controllers and gateways. Unlike previous issues that required a valid session, this bug allows an attacker to execute arbitrary commands with no credentials at all. The attack vector is straightforward: a malicious HTTP request to a specific endpoint can trigger a root shell. This essentially hands over the device—and potentially the network it manages—to a remote adversary. For anyone running a UniFi Dream Machine, Cloud Key, or any UniFi OS-based gateway, the window for exposure is now measured in hours, not days. BleepingComputer’s sources indicate that multiple threat groups have already weaponized the exploit, and scanning activity has been detected across cloud infrastructure used to target corporate and residential deployments alike.

Why this matters: UniFi systems are deeply embedded in small-to-mid-sized businesses, schools, and managed service providers. A root-level compromise on a gateway gives attackers access not only to the network’s security policies but also to VPN credentials, connected device logs, and the ability to pivot laterally. Ubiquiti has acknowledged the issue in a private advisory to beta testers, but so far has not shared a public CVE or a release date for a fix. What happens next is uncertain, but the likely scenario is an emergency firmware update within the week—assuming the exploit race doesn’t force Ubiquiti to accelerate. For now, administrators are being advised to disable remote access to the web interface and apply strict firewall rules. That advice, however, is cold comfort when the device itself is the perimeter.
