Ubiquiti patches 3 critical UniFi OS vulnerabilities
▼ Summary
– Ubiquiti patched three maximum severity vulnerabilities (CVE-2026-34908, CVE-2026-34909, CVE-2026-34910) in UniFi OS that allow unprivileged remote attackers to make unauthorized changes, access files, or launch command injection attacks.
– Two additional flaws were fixed: a critical command injection (CVE-2026-33000) and a high-severity information disclosure (CVE-2026-34911).
– Ubiquiti has not disclosed if any of the five vulnerabilities were exploited in the wild, but noted they were reported via its HackerOne bug bounty program and are low-complexity to exploit.
– Censys tracks nearly 100,000 internet-exposed UniFi OS endpoints, with about 50,000 in the United States, but it is unknown how many have been secured.
– Ubiquiti products have been previously targeted by state-backed hackers and cybercriminals, including a 2024 FBI takedown of a GRU-linked botnet using hacked Ubiquiti routers.
Ubiquiti has shipped critical security patches to address three maximum severity vulnerabilities in UniFi OS, all of which can be exploited remotely by unauthenticated attackers. The updates target flaws that could allow complete system compromise without any prior access.
UniFi OS serves as the central operating system for UniFi Consoles, managing everything from networking and security to access control and video surveillance. It also runs key applications like UniFi Network, UniFi Protect, UniFi Access, UniFi Talk, and UniFi Connect.
The first vulnerability, tracked as CVE-2026-34908, stems from an Improper Access Control weakness, enabling attackers to make unauthorized changes to affected systems. The second, CVE-2026-34909, is a Path Traversal flaw that lets threat actors access files on the underlying system and potentially compromise an associated account. The third critical issue, CVE-2026-34910, involves an Improper Input Validation bug that can be weaponized for a command injection attack once network access is obtained.
Beyond these three maximum-severity flaws, Ubiquiti also patched a second critical command injection vulnerability (CVE-2026-33000) and a high-severity information disclosure bug (CVE-2026-34911) on Thursday. All five issues affect UniFi OS devices.
Ubiquiti has not confirmed whether any of these vulnerabilities were actively exploited before disclosure. However, the company noted that they require low-complexity attacks and were reported through its HackerOne bug bounty program.
Security firm Censys reports that nearly 100,000 UniFi OS endpoints remain exposed to the internet, with almost 50,000 IP addresses located in the United States. It remains unclear how many of these devices have been updated against the newly patched flaws.
This is not the first time Ubiquiti has addressed severe security gaps this year. In March, the company fixed another maximum-severity bug (CVE-2026-22557) in the UniFi Network Application that could allow attackers to take over user accounts, alongside a privilege escalation flaw (CVE-2026-22558).
Ubiquiti hardware has been a frequent target for both state-backed hacking groups and cybercriminals. In February 2024, the FBI dismantled the Moobot botnet, which had hijacked Ubiquiti Edge OS routers to proxy malicious traffic for Russia’s GRU in cyberespionage campaigns. Earlier, in April 2022, CISA added a critical command injection vulnerability (CVE-2010-5330) in Ubiquiti AirOS to its list of actively exploited flaws, mandating federal agencies to secure their devices within three weeks.
(Source: BleepingComputer)