Advisory March 28, 2024

UniFi Network Application Vulnerability with CVE-2024-27981

Summary:

A command injection vulnerability, tracked as CVE-2024-27981, has been discovered in self-hosted UniFi Network Servers (Linux) running the UniFi Network Application. The vulnerability carries a Critical CVSS base score of 9.1 out of 10.

Description:

The vulnerability allows a malicious actor who holds UniFi Network Application Administrator credentials to elevate privileges to root on the host device. With root-level control, the attacker gains complete administrative authority over the device, enabling a range of harmful actions, including:
• Theft of sensitive data: accessing confidential information stored on the system.
• Installation of malware: introducing malicious software that compromises the integrity of the system.
• Disruption of critical network operations: altering configurations or disabling critical services.

Affected Versions:

CVE-2024-27981 affects all versions of the UniFi Network Application up to and including version 8.0.28.

Recommendations:

To address this critical vulnerability, update the UniFi Network Application to version 8.1.113 or later, which Ubiquiti Networks has already released.

This update is essential to mitigate the risk of exploitation and to preserve the integrity and security of your network infrastructure.
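As an added example that is not part of this advisory, the script below classifies a self-hosted UniFi Network Application version string against the two ranges stated above (affected up to and including 8.0.28, fixed from 8.1.113). It assumes the operator supplies the version string themselves, for instance from the application's About page; no UniFi file path or API is assumed. Versions that fall between the two stated ranges are reported as "unlisted" so they are confirmed with the vendor rather than silently treated as safe.

```python
# Added example (not from the advisory): check a UniFi Network Application
# version against the ranges given for CVE-2024-27981.
# Assumption: the version string is supplied by the operator; this code does
# not read it from any UniFi file or endpoint.
import re

LAST_AFFECTED = (8, 0, 28)   # advisory: all versions up to and including 8.0.28
FIRST_FIXED = (8, 1, 113)    # advisory: update to 8.1.113 or later


def parse_version(text: str) -> tuple:
    """Turn '8.0.28' or 'v8.1.113-build' into a tuple of ints for comparison."""
    m = re.match(r"v?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def _pad(v: tuple, n: int) -> tuple:
    """Right-pad a version tuple with zeros so tuples of differing length compare sanely."""
    return v + (0,) * (n - len(v))


def classify(text: str) -> str:
    """Return 'affected', 'fixed', or 'unlisted' (between the two stated ranges)."""
    v = parse_version(text)
    n = max(len(v), 3)
    v, last, first = _pad(v, n), _pad(LAST_AFFECTED, n), _pad(FIRST_FIXED, n)
    if v <= last:
        return "affected"
    if v >= first:
        return "fixed"
    # Not covered by the advisory's stated ranges: confirm with the vendor.
    return "unlisted"


if __name__ == "__main__":
    import sys
    # Constructed sample inputs used when no argument is given.
    for arg in sys.argv[1:] or ["8.0.28", "7.5.187", "8.1.113", "8.1.0"]:
        print(f"{arg}: {classify(arg)}")
```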

References: