VYPR
patch · Published Jun 8, 2026 · 1 source

Critical RCE Chain in Ubiquiti UniFi OS Server Grants Root Access Without Authentication

A critical vulnerability chain in Ubiquiti's UniFi OS Server allows unauthenticated remote code execution, granting attackers root access by exploiting authentication bypass and command injection flaws.

A critical vulnerability chain discovered in Ubiquiti's UniFi OS Server software poses a significant risk to organizations, enabling attackers to achieve full root access to affected devices without any credentials. This exploit chain begins with an unauthenticated request and can lead to a complete system takeover.

UniFi OS Server serves as the management platform for Ubiquiti's UniFi applications, including Network and Protect, and handles identity and update services. The server's security model relies heavily on its proxy function, which authenticates requests before forwarding them to internal services. It was within this authentication gateway that researchers identified the initial exploit vector.

Security researchers at Bishop Fox detailed the end-to-end attack chain, confirming that a single, unauthenticated request to a vulnerable UniFi OS Server can result in a reverse shell with root privileges. The severity of this vulnerability is amplified by the fact that the UniFi OS Server is the central management plane for the network it operates on. Gaining root access exposes all stored secrets, allows attackers to forge administrative sessions that can persist even after patching, and, in physical deployments, could compromise security cameras and door controls.

Ubiquiti addressed this issue in Security Advisory Bulletin SAB-013, which covers five vulnerabilities across the UniFi OS device family that chain together to enable unauthenticated remote code execution. The most critical of these are an improper access control flaw and a path traversal flaw within the authentication gateway, both rated CVSS 10.0 Critical. Additionally, an improper input validation flaw in the package-update service, also rated CVSS 10.0 Critical, completes the chain. Exploitation requires only access to the web management interface, which commonly listens on TCP port 443, making the vulnerability reachable from the internet if not properly secured.

The attack unfolds in three distinct stages. The first stage bypasses the authentication gateway by exploiting a divergence in how URIs are handled. Nginx uses a normalized URI for routing, while the authentication check operates on the raw, percent-encoded X-Original-URI header. A specially crafted request can present a public-exempt prefix in its raw form while resolving to an internal route after normalization, thus bypassing authentication.

The second stage involves command injection within the package-update route of the shared identity and update backend. The handler constructs a command string by interpolating a caller-supplied package name directly into a sudo command. Without proper validation, shell metacharacters in the package name are interpreted, allowing arbitrary command injection. This injected command executes as the ucs-update service account.

The final stage escalates privileges to root. The ucs-update service account has passwordless sudo privileges for specific commands, including /usr/bin/dpkg. By exploiting this, researchers were able to install a .deb package whose post-install script read the /etc/shadow file, confirming full root execution. Ubiquiti has since patched these vulnerabilities in UniFi OS Server version 3.2.12.

The patches include an Nginx URI normalization guard to close the gateway bypass, a package-name allowlist and validation in the package-update backend to prevent injection, and a reduction in the ucs-update service's passwordless sudo entitlements. Organizations are strongly urged to update to UniFi OS Server 3.2.12 or later immediately. Beyond patching, it is recommended to rotate the JWT signing key, forcibly log out all sessions, and reset database credentials, since sessions forged before the update remain valid until the signing key changes. Restricting external access to the web interface and limiting it to a trusted management network is also a crucial mitigation step.

Synthesized by Vypr AI