Ubiquiti patches three max severity UniFi OS vulnerabilities
BleepingComputer • • technology
Key Points:
- Ubiquiti has released security updates addressing three maximum severity vulnerabilities in UniFi OS that allow remote attackers to exploit systems without privileges, including improper access control, path traversal, and command injection flaws.
- Additional patches were issued for a critical command injection vulnerability and a high-severity information disclosure flaw affecting UniFi OS devices, with all issues reported via Ubiquiti's HackerOne bug bounty program.
- Nearly 100,000 UniFi OS endpoints are exposed on the internet, mostly in the United States, though it is unclear how many have been secured against these recent vulnerabilities.
- Ubiquiti has faced multiple severe vulnerabilities in recent months, including account takeover and privilege escalation flaws, and its products have been targeted by state-sponsored hackers and cybercriminals to build botnets.
- Notably, in February 2024, the FBI dismantled the Moobot botnet composed of compromised Ubiquiti Edge OS routers used by Russian intelligence for cyberespionage against the US and allies.