In a recent advisory sent out by SEC Consult’s Vulnerability Lab, SEC Consult advised that a security flaw had been confirmed in at least four Ubiquiti Networks devices with as many as an additional 38 devices possibly vulnerable to the security issue.
According to the advisory, a command injection vulnerability exists in the “pingtest_action.cgi” script in the devices. If an attacker is able to lure a user to click on a special link or go to a malicious website, it would allow an attacker to gain control of the networking equipment. This issue is largely attributed to a decade old version of PHP, PHP/FI 2.0.1, used by the devices.
In response, Ubiquiti Networks released a series of security patches for their AirOS, AirGateway, TOUGHSwitch, and airFiber based devices. Those who own an AirOS based device or an associated device are encouraged to apply the updates as soon as possible.
Firmware updates are available via the Ubiquiti Networks page here.