• Category: Security
  • Status: confirmed
  • Sources: Ubiquiti Security Bulletin 064, CISA KEV catalog, exploit-chain analysis, report
  • Summary: CVE-2026-34908 (improper access control), CVE-2026-34909 (path traversal), and CVE-2026-34910 (command injection) each carry CVSS 10.0 and affect UniFi OS Server. Researchers chained the three into unauthenticated remote code execution as root. Ubiquiti patched all three on 2026-05-21 in Bulletin 064. CISA added them to the Known Exploited Vulnerabilities catalog on 2026-06-23 (catalog version 2026.06.23, count 1627), citing confirmed active exploitation of CVE-2026-34910.
  • Why it matters: UniFi OS runs widely deployed gateways and network controllers, so an unauthenticated root chain on internet-reachable instances is directly exploitable.
  • Follow-up: Track exploitation scope, internet-exposure counts, and patch adoption for UniFi OS Server.

Send feedback on this story