CVE-2019-16889

HIGH

Ubiquiti EdgeMAX Firmware < 2.0.3 - Denial of Service via Beaker Session ID Cookie

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-16889, a PoC published by grampae.

AI-analyzed exploit summary: The repository contains a functional Python script that exploits CVE-2019-16889, a resource-consumption DoS vulnerability in Ubiquiti EdgeOS/EdgeMAX v1.10.6. The script uses asyncio to flood the target with requests that each carry a unique beaker.session.id value, filling /var/run/beaker/container_file/ with *.cache files until the device runs out of space and becomes unstable.

Description

Ubiquiti EdgeMAX devices before 2.0.3 allow remote, unauthenticated attackers to cause a denial of service (disk consumption): the web interface creates a *.cache file in /var/run/beaker/container_file/ for any beaker.session.id cookie value of 249 characters or fewer presented in a GET request, whether or not that ID was ever issued by the server. An attacker therefore only has to send a long series of requests, each carrying a unique session ID, to fill the session store.
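The mechanism above, as an added example that is not code from the advisory, from Ubiquiti or from the PoC repository: a file-backed session store in a temp directory, a handler that reproduces the flaw (any well-formed client-supplied ID gets a cache file, before any authentication), and a hardened handler beside it. The hardening shown here is an assumption, not the fix Ubiquiti shipped in 2.0.3, which this page does not describe: server-issued IDs carry an HMAC tag so unknown IDs can be rejected statelessly, and nothing is written to disk until the session actually holds data. The 249-character limit is modelled as the only check the vulnerable side performs.

```python
import hashlib
import hmac
import os
import secrets
import tempfile
from typing import Optional

# Assumptions (not from the advisory): the vulnerable side performs only the
# 249-character length check on the cookie value; the hardened side uses an
# HMAC tag to recognise server-issued IDs and defers the on-disk write until
# the session holds data. The store is a temp dir, not a router's /var/run.
MAX_ID_LEN = 249


def cache_path(store_dir: str, session_id: str) -> str:
    """Per-session cache file, bucketed by hash like a file-backed store."""
    h = hashlib.sha1(session_id.encode()).hexdigest()
    return os.path.join(store_dir, h[:2], h[2:4], h + ".cache")


def write_cache(store_dir: str, session_id: str, payload: bytes) -> None:
    path = cache_path(store_dir, session_id)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(payload)


def vulnerable_handle(store_dir: str, cookie_id: Optional[str]) -> str:
    """Trusts any well-formed client-supplied ID and materialises a cache
    file for it before any authentication: one unique cookie, one file."""
    if cookie_id is None or len(cookie_id) > MAX_ID_LEN:
        cookie_id = secrets.token_hex(16)
    write_cache(store_dir, cookie_id, b"")  # empty session still costs a file
    return cookie_id


def issue_id(key: bytes) -> str:
    """Server-issued ID: random part plus an HMAC tag over it."""
    rnd = secrets.token_hex(16)
    tag = hmac.new(key, rnd.encode(), hashlib.sha256).hexdigest()[:32]
    return f"{rnd}.{tag}"


def is_server_issued(key: bytes, session_id: str) -> bool:
    """Cheap stateless check: was this ID minted by us? No disk access."""
    rnd, _, tag = session_id.partition(".")
    if not rnd or not tag:
        return False
    expected = hmac.new(key, rnd.encode(), hashlib.sha256).hexdigest()[:32]
    return hmac.compare_digest(expected, tag)


def hardened_handle(store_dir: str, key: bytes, cookie_id: Optional[str],
                    session_data: Optional[dict] = None) -> str:
    """Rejects IDs the server did not mint (issuing a fresh one instead) and
    writes to disk only once the session carries data, e.g. after login."""
    if cookie_id is None or not is_server_issued(key, cookie_id):
        cookie_id = issue_id(key)
    if session_data:
        write_cache(store_dir, cookie_id, repr(session_data).encode())
    return cookie_id


def count_cache_files(store_dir: str) -> int:
    return sum(f.endswith(".cache") for _, _, files in os.walk(store_dir) for f in files)


def flood(handler, n: int) -> None:
    """The attack pattern from the advisory: n requests, each with a never-
    before-seen beaker.session.id value (well under 249 characters)."""
    for _ in range(n):
        handler(secrets.token_hex(16))


def demo(n: int = 500) -> tuple:
    """Returns (files on the vulnerable store, files on the hardened store)
    after n flood requests plus one legitimate login flow on each."""
    vuln_dir, hard_dir = tempfile.mkdtemp(), tempfile.mkdtemp()
    key = secrets.token_bytes(32)
    flood(lambda sid: vulnerable_handle(vuln_dir, sid), n)
    flood(lambda sid: hardened_handle(hard_dir, key, sid), n)
    # legitimate flow: the server hands out the ID, then the user logs in
    sid = hardened_handle(hard_dir, key, None)
    hardened_handle(hard_dir, key, sid, {"user": "ubnt"})
    vulnerable_handle(vuln_dir, vulnerable_handle(vuln_dir, None))
    return count_cache_files(vuln_dir), count_cache_files(hard_dir)


if __name__ == "__main__":
    print(demo())  # prints (501, 1)
```

The vulnerable store ends up with one file per flood request plus one for the real user, while the hardened store holds only the logged-in user's file: unknown IDs never touch disk, and the HMAC check costs a hash per request rather than a file create. Rate-limiting the cookie path would also help, but the structural fix is not to persist anything for an ID the server has not seen before.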

Exploits (1)

nomisec WORKING POC
by grampae · poc
https://github.com/grampae/CVE-2019-16889-poc


Classification
Working PoC 95%
Attack Type
DoS
Complexity
Moderate
Reliability
Reliable
Target: Ubiquiti EdgeOS/Edgemax v1.10.6
No auth needed
Prerequisites: Network access to the target device · Python 3.x with aiohttp library
devstral-2 · analyzed Feb 18, 2026
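The observable side of the PoC is a single source presenting many distinct beaker.session.id values in a short time. Below is an added detection example, not code from this page or from the PoC repository, that runs over constructed access-log lines in an assumed custom format that records the Cookie header (`$remote_addr [$time] "$request" $status "$http_cookie"`). Default access-log formats on most web servers do not include cookies, so a real deployment would need that field added or the traffic tapped; the 60-second window and threshold of 5 are assumed tuning values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real EdgeOS output) in the assumed format:
#   $remote_addr [$time] "$request" $status "$http_cookie"
SAMPLE_LOG = [
    # legitimate client: one server-issued ID reused across requests
    '198.51.100.4 [25/Sep/2019:10:00:00] "GET / HTTP/1.1" 200 '
    '"beaker.session.id=a1b2c3d4e5f60718293a4b5c6d7e8f90"',
    '198.51.100.4 [25/Sep/2019:10:00:05] "GET /api/edge/data.json HTTP/1.1" 200 '
    '"other=1; beaker.session.id=a1b2c3d4e5f60718293a4b5c6d7e8f90"',
    # request without a session cookie: ignored by the detector
    '192.0.2.9 [25/Sep/2019:10:00:07] "GET / HTTP/1.1" 200 "-"',
] + [
    # attacker: a never-before-seen ID on every request, seconds apart
    f'203.0.113.7 [25/Sep/2019:10:01:{i:02d}] "GET / HTTP/1.1" 200 '
    f'"beaker.session.id={i:032x}"'
    for i in range(8)
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
    r'"(?P<cookie>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S"


def session_id_from_cookie(cookie_header: str):
    """Extract beaker.session.id from a Cookie header value, if present."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "beaker.session.id" and value:
            return value
    return None


def parse_line(line: str):
    """(ip, timestamp, session_id_or_None) for a line in the assumed format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), session_id_from_cookie(m["cookie"])


def find_session_floods(lines, window=timedelta(seconds=60), threshold=5):
    """Per source IP, count distinct beaker.session.id values inside any
    sliding window; return {ip: peak_distinct} for sources over threshold."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None or parsed[2] is None:
            continue
        ip, ts, sid = parsed
        events[ip].append((ts, sid))
    alerts = {}
    for ip, evs in events.items():
        evs.sort()
        peak = 0
        for i, (t0, _) in enumerate(evs):
            ids = {sid for t, sid in evs[i:] if t - t0 <= window}
            peak = max(peak, len(ids))
        if peak > threshold:
            alerts[ip] = peak
    return alerts


if __name__ == "__main__":
    print(find_session_floods(SAMPLE_LOG))  # prints {'203.0.113.7': 8}
```

Keying on distinct IDs per source rather than on request rate separates this flood from an ordinary burst of traffic from one user, who keeps presenting the same ID; a client behind a NAT or proxy will raise the baseline, so tune the threshold on real traffic before alerting on it.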

References (3)

Core (3)
https://hackerone.com/reports/406614 (Exploit, Issue Tracking, Third Party Advisory; x_refsource_misc)

Scores

CVSS v3 7.5
EPSS 0.1149
EPSS Percentile 93.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (reachable over the network, low attack complexity, no privileges or user interaction required; impact limited to availability, rated high)

Details

CWE
CWE-770
Status published
Products (12)
ui/ep-r6_firmware < 2.0.3
ui/ep-r8_firmware < 2.0.3
ui/er-12_firmware < 2.0.3
ui/er-4_firmware < 2.0.3
ui/er-6p_firmware < 2.0.3
ui/er-8-xg_firmware < 2.0.3
ui/er-8_firmware < 2.0.3
ui/er-x-sfp_firmware < 2.0.3
ui/er-x_firmware < 2.0.3
ui/erlite-3_firmware < 2.0.3
... and 2 more
Published Sep 25, 2019
Tracked Since Feb 18, 2026