CRITICAL🚩 CISA KEV⚡ EXPLOIT✓ PATCH🇵🇱 Wersja polska

CVE-2010-5330

CVSS 9.8v3.1pub. 2019-06-11upd. 2025-11-05

On certain Ubiquiti devices, Command Injection exists via a GET request to stainfo.cgi (aka Show AP info) because the ifname variable is not sanitized, as demonstrated by shell metacharacters. The fixed version is v4.0.1 for 802.11 ISP products, v5.3.5 for AirMax ISP products, and v5.4.5 for AirSync firmware. For example, Nanostation5 (Air OS) is affected.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Ui Airos

    OS
    Ui
    < 4.0.14.0.2 – 5.3.5 (bez)5.3.6 – 5.4.5 (bez)

CISA KEV — detailsi

Vendori
Ubiquiti
Producti
AirOS
Added to KEVi
April 15, 2022
Remediation deadline (US Federal)i
May 6, 2022(overdue)
Required action (CISA)i

Apply updates per vendor instructions.

CISA descriptioni

Certain Ubiquiti devices contain a command injection vulnerability via a GET request to stainfo.cgi.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
CISA DEADLINE: 6 maja 2022
CWE
References

Related vulnerabilities

CVE-2020-8171CRITICAL9.8ten sam produkt

We have recently released new version of AirMax AirOS firmware v6.3.0 for TI, XW and XM boards that fixes vuln...

CVE-2020-8168HIGH8.8ten sam produkt

We have recently released new version of AirMax AirOS firmware v6.3.0 for TI, XW and XM boards that fixes vuln...

CVE-2017-0938HIGH7.5ten sam produkt

Denial of Service attack in airMAX < 8.3.2 , airMAX < 6.0.7 and EdgeMAX < 1.9.7 allow attackers to use the Dis...

CVE-2020-8170MEDIUM6.1ten sam produkt

We have recently released new version of AirMax AirOS firmware v6.3.0 for TI, XW and XM boards that fixes vuln...

CVE-2026-34908CRITICAL10.0⚠ KEVPL ✓ten sam vendor

Nieprawidłowa kontrola dostępu w UniFi OS — nieautoryzowane zmiany systemowe