Ubiquiti has released an emergency security update addressing five serious vulnerabilities in UniFi OS, three of which carry a perfect CVSS 10.0 Critical score, the highest possible severity rating, enabling unauthenticated remote attackers to seize full control of network management infrastructure.
The flaws span improper access control, path traversal, and command injection, collectively enabling a direct exploitation chain from initial network access to complete device compromise across nearly every UniFi hardware platform.
UniFi OS is Ubiquiti’s enterprise-grade operating system powering its Dream Machine, Cloud Gateway, Network Video Recorder, and UniFi OS Server product lines, widely deployed in enterprises, SMBs, government networks, and home labs globally.
A successful exploit of any of these five vulnerabilities could allow an attacker to manipulate network policies, extract credentials, pivot to managed devices, or fully compromise the infrastructure without requiring any credentials or user interaction.
UniFi OS Critical Vulnerabilities
The most broadly impactful of the three perfect-score flaws, CVE-2026-34908, was discovered by Duc Anh Nguyen (@heckintosh__) and involves an Improper Access Control weakness in UniFi OS.
An unauthenticated remote attacker with only network access can exploit this flaw to make unauthorized changes to the system, requiring no privileges, no user interaction, and no additional complexity. CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Affected products include UCG-Industrial (≤5.0.13), UDM/UDM-Pro/UDM-SE/UDM-Pro-Max/EFG/UDW/UDR family (≤5.0.16), UDR-5G/ENVR-Core/UCKP/UCK/UCK-Enterprise (≤5.0.17), UniFi OS Server (≤5.0.6), UNVR-G2/UNVR-G2-Pro (≤5.1.11), and UDM-Beast/UNAS series (≤5.1.8).
CVE-2026-34909, credited to Abdulaziz Almadhi of Catchify Security, is a critical Path Traversal vulnerability that allows an unauthenticated network attacker to access arbitrary files on the underlying operating system.
Those files can be manipulated to access underlying accounts, effectively enabling full account takeover without authentication. CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Beyond the standard UniFi OS hardware lineup, this flaw also affects Express (Version 4.0.13 and earlier), which is not impacted by the other maximum-severity vulnerabilities. Administrators running UniFi Express must update firmware to Version 4.0.14 or later to remediate this specific flaw.
Reported by John Carroll, CVE-2026-34910 is an Improper Input Validation flaw enabling unauthenticated remote Command Injection, the most dangerous variant, as it allows an adversary to execute arbitrary OS-level commands with full system privileges.
The attack vector is entirely network-based, requires no user interaction, and carries no complexity barrier. CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Field Effect’s analysis confirms that this flaw, combined with the other two CVSS 10.0 vulnerabilities, creates a chain of exploitation from initial network contact to complete device takeover.
A fourth vulnerability, CVE-2026-33000, credited to researcher V3rlust, is a high-privileged Command Injection flaw rated CVSS 9.1 Critical.
Unlike the trio above, this flaw requires the attacker to already hold high privileges and network access before exploitation is possible. It is exclusive to UniFi OS Server (Version 5.0.6 and earlier) and exploits improper input validation to execute arbitrary commands. CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
The fifth flaw, CVE-2026-34911, reported by Hakai Security, is a Path Traversal vulnerability rated at CVSS 7.7 (High). An attacker with low-level network privileges can exploit this to access system files containing sensitive information.
While less severe than the other four, it still enables significant lateral reconnaissance within the target environment. CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
| CVE | Type | CVSS Score | Privileges Required |
|---|---|---|---|
| CVE-2026-34908 | Improper Access Control | 10.0 Critical | None |
| CVE-2026-34909 | Path Traversal | 10.0 Critical | None |
| CVE-2026-34910 | Command Injection | 10.0 Critical | None |
| CVE-2026-33000 | Command Injection | 9.1 Critical | High |
| CVE-2026-34911 | Path Traversal (Info Disclosure) | 7.7 High | Low |
As of May 22, 2026, Ubiquiti has confirmed no active exploitation in the wild, and no public proof-of-concept (PoC) code has been disclosed.
However, the unauthenticated, zero-interaction nature of the three CVSS 10.0 flaws means the window for defenders to patch is extremely narrow, and a PoC release could trigger mass exploitation within hours of publication. Organizations running internet-exposed or insufficiently segmented UniFi OS devices are urged to treat this as a Priority 1 patching event.
Patch Versions
Apply the following minimum firmware versions immediately:
- UCG-Industrial → Version 5.1.12 or later
- UDM, UDM-Pro, UDM-SE, UDM-Pro-Max, EFG, UDW, UDR, UDR7, Express 7, UNVR family, UCG-Ultra, UCG-Max, UCG-Fiber → Version 5.1.12 or later
- UDR-5G, ENVR-Core, UCKP, UCK, UCK-Enterprise → Version 5.1.12 or later
- UniFi OS Server → Version 5.0.8 or later
- UNVR-G2, UNVR-G2-Pro → Version 5.1.12 or later
- UNAS-2, UNAS-4, UNAS-Pro, UNAS-Pro-4, UNAS-Pro-8 → Version 5.1.10 or later
- UDM-Beast → Version 5.1.11 or later
- Express → Version 4.0.14 or later (required for CVE-2026-34909 only)
FAQ
Q1: Are these UniFi OS vulnerabilities being actively exploited in the wild?
As of May 22, 2026, Ubiquiti and security researchers have confirmed no evidence of active exploitation or public PoC code.
Q2: Do attackers need authentication to exploit the CVSS 10.0 flaws?
CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910 all require no authentication and no user interaction, making them exploitable by any attacker with network-level access.
Q3: Which UniFi OS version fully remediates all five vulnerabilities?
For most hardware, updating to UniFi OS 5.1.12 addresses most flaws; UniFi OS Server users must update to 5.0.8, and Express users need firmware 4.0.14 or later.
Q4: Can the vulnerabilities be chained together for a more severe attack?
Yes, security analysts at Field Effect warn that CVE-2026-34909 (file access), combined with CVE-2026-34910 (command injection), creates a direct path to full system takeover from a single unauthenticated network position.
Site: thecybrdef.com