CVE-2023-38034

moderate-risk
Published 2023-08-10

A command injection vulnerability in the DHCP Client function of all UniFi Access Points and Switches, excluding the Switch Flex Mini, could allow a Remote Code Execution (RCE). Affected Products: All UniFi Access Points (Version 6.5.53 and earlier) All UniFi Switches (Version 6.5.32 and earlier) -USW Flex Mini excluded. Mitigation: Update UniFi Access Points to Version 6.5.62 or later. Update UniFi Switches to Version 6.5.59 or later.

Do I need to act?

~
2.7% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (2)

Unifi Uap Firmware
Unifi Switch Firmware

Affected Vendors

Ui

References (2)

Issue Tracking https://community.ui.com/releases/Security-Advisory-Bulletin-035-035/91107858-98...
Issue Tracking https://community.ui.com/releases/Security-Advisory-Bulletin-035-035/91107858-98...
45
/ 100
moderate-risk
Severity 32/34 · Critical
Exploitability 6/34 · Minimal
Exposure 7/34 · Low