UniFi OS Critical Command Injection (CVE-2026-33000)
A critical Improper Input Validation vulnerability, tracked as CVE-2026-33000, has been identified in UniFi OS devices. The National Vulnerability Database reports that this flaw, rated 9.1 CVSS (CRITICAL), allows a highly privileged malicious actor with network access to perform command injection.
This isn’t a theoretical concern. Command injection, especially with high privileges, means an attacker can run arbitrary commands on the underlying system. This level of access typically leads to complete system compromise, data exfiltration, or further lateral movement within the network.
Defenders need to understand the attacker’s calculus here: gain network access, escalate to high privileges (which often happens through misconfigurations or other vulnerabilities), then use this flaw for full control. The ‘network access’ and ‘high privileges’ prerequisites might seem like barriers, but in complex enterprise environments, these are often attainable through various means, making this a significant threat vector.
What This Means For You
- If your organization uses UniFi OS devices, you need to be auditing your network access controls and privilege management immediately. This isn't just about patching when a fix drops; it's about minimizing the attack surface that allows an attacker to even reach the prerequisites for exploiting CVE-2026-33000. Review all high-privilege accounts and ensure strict network segmentation.
🛡️ Detection Rules
3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK.
UniFi OS Command Injection via Specific URI Parameter - CVE-2026-33000
```yaml
title: UniFi OS Command Injection via Specific URI Parameter - CVE-2026-33000
id: scw-2026-05-22-ai-1
status: experimental
level: critical
description: |
    Detects attempts to exploit CVE-2026-33000 by targeting the '/api/v1/set-setting' endpoint with specific parameters that are known to be vulnerable to command injection in UniFi OS. This rule looks for POST requests to this URI with parameters like 'value' or 'enable' which could be manipulated to inject commands.
author: SCW Feed Engine (AI-generated)
date: 2026-05-22
references:
    - https://shimiscyberworld.com/posts/nvd-CVE-2026-33000/
tags:
    - attack.initial_access
    - attack.t1190
logsource:
    category: webserver
detection:
    selection:
        # All three fields must match (AND); list items under one field are alternatives (OR).
        cs-uri|contains:
            - '/api/v1/set-setting'
        cs-uri-query|contains:
            - 'value='
            - 'enable='
        # Sigma has no 'exact' modifier; an unmodified field already matches the whole value.
        cs-method:
            - 'POST'
    condition: selection
falsepositives:
    - Legitimate administrative activity
```
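The selection logic of the rule above, evaluated in Python over constructed log records; this is an added example, not part of the original page or the feed's own tooling. The `SHELL_META` triage step and the sample records are assumptions made here to separate the rule's listed false positive (legitimate administrative activity) from requests worth escalating.

```python
from urllib.parse import parse_qsl

# Field names and match values copied from the rule above.
URI_PART = "/api/v1/set-setting"
PARAMS = ("value=", "enable=")
# Assumed triage heuristic (not in the rule): shell metacharacters in a decoded value.
SHELL_META = set(";|&`$(){}<>\n")

def rule_matches(ev):
    """Sigma semantics: fields are ANDed, list items ORed, strings case-insensitive."""
    uri = ev.get("cs-uri", "").lower()
    query = ev.get("cs-uri-query", "").lower()
    return (URI_PART in uri
            and any(p in query for p in PARAMS)
            and ev.get("cs-method", "").upper() == "POST")

def suspicious_params(ev):
    """Names of 'value'/'enable' parameters whose decoded value holds a shell metacharacter."""
    pairs = parse_qsl(ev.get("cs-uri-query", ""), keep_blank_values=True)
    return sorted({k for k, v in pairs
                   if k.lower() in ("value", "enable") and SHELL_META & set(v)})

def triage(events):
    """Return (event, verdict) for every event the rule selects."""
    out = []
    for ev in events:
        if rule_matches(ev):
            hits = suspicious_params(ev)
            out.append((ev, "escalate" if hits else "review"))
    return out

# Constructed sample records (not real traffic), already split into the rule's fields.
SAMPLE = [
    {"cs-method": "POST", "cs-uri": "/api/v1/set-setting",
     "cs-uri-query": "key=led&enable=true"},       # routine admin change
    {"cs-method": "POST", "cs-uri": "/api/v1/set-setting",
     "cs-uri-query": "key=name&value=ap1%3Bid"},   # encoded ';' in the value
    {"cs-method": "GET", "cs-uri": "/api/v1/set-setting",
     "cs-uri-query": "value=1"},                   # wrong method: not selected
    {"cs-method": "POST", "cs-uri": "/api/v1/status",
     "cs-uri-query": "value=1"},                   # wrong URI: not selected
]

if __name__ == "__main__":
    for ev, verdict in triage(SAMPLE):
        print(verdict, ev["cs-uri-query"])
```

Access logs record the query string but normally not the POST body, so neither the rule nor this triage step sees parameters sent in the body.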
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-33000 | Command Injection | UniFi OS devices |
| CVE-2026-33000 | Improper Input Validation | Command Injection via Improper Input Validation |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 22, 2026 at 05:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.