CVE-2023-38034
CRITICALUniFi Access Points and Switches < 6.5.53/6.5.32 - Remote Code Execution via DHCP Client
Title source: llmDescription
A command injection vulnerability in the DHCP Client function of all UniFi Access Points and Switches, excluding the Switch Flex Mini, could allow a Remote Code Execution (RCE). Affected Products: All UniFi Access Points (Version 6.5.53 and earlier) All UniFi Switches (Version 6.5.32 and earlier) -USW Flex Mini excluded. Mitigation: Update UniFi Access Points to Version 6.5.62 or later. Update UniFi Switches to Version 6.5.59 or later.
References (1)
Core 1
Core References
Issue Tracking, Vendor Advisory
https://community.ui.com/releases/Security-Advisory-Bulletin-035-035/91107858-9884-44df-b1c6-63c6499f6e56
Scores
CVSS v3
9.8
EPSS
0.0102
EPSS Percentile
59.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-77
Status
published
Products (2)
ui/unifi_switch_firmware
< 6.5.32
ui/unifi_uap_firmware
< 6.5.53
Published
Aug 10, 2023
Tracked Since
Feb 18, 2026