An unpatched command injection vulnerability could allow hackers to take over enterprise networking products from Ubiquiti Networks.
The vulnerability was discovered by researchers from SEC Consult and allows authenticated users to inject arbitrary commands into the web-based administration interface of affected devices. These commands would be executed on the underlying operating system as root, the highest privileged account.
Because it requires authentication, the vulnerability’s impact is somewhat reduced, but it can still be exploited remotely through cross-site request forgery (CSRF). This is an attack technique that involves forcing a user’s browser to send unauthorized requests to specifically crafted URLs in the background when they visit attacker-controlled websites.