
Ubiquiti Patches Three Critical UniFi OS Vulnerabilities

The Bottom Line: Ubiquiti patches three critical vulnerabilities in UniFi OS (CVE-2026-34908, CVE-2026-34909, CVE-2026-34910) that enable unrestricted modifications, file access, and command injection.

Ubiquiti has released security updates for three critical vulnerabilities in UniFi OS that can be exploited remotely by unauthenticated attackers. Approximately 100,000 UniFi OS devices worldwide are reachable from the internet.

Ubiquiti released updates on Thursday for a total of five vulnerabilities in UniFi OS. UniFi OS is a unified operating system for UniFi Consoles and manages IT infrastructure such as networks, security services, and the applications UniFi Network, UniFi Protect, UniFi Access, UniFi Talk, and UniFi Connect.

The three critical vulnerabilities are: CVE-2026-34908 (insufficient access control, enabling unrestricted system modifications), CVE-2026-34909 (path traversal, enabling disclosure of files and account data), and CVE-2026-34910 (insufficient input validation, enabling command injection by an attacker with network access to the console). Additionally, Ubiquiti patched CVE-2026-33000 (a critical command injection vulnerability) and CVE-2026-34911 (an information disclosure). All five vulnerabilities are exploitable with low attack complexity and were reported through the HackerOne bug bounty program.

The threat intelligence company Censys is currently tracking nearly 100,000 internet-accessible UniFi OS endpoints, approximately 50,000 of which are located in the United States. It remains unclear how many of these devices have already been protected by the current updates. Ubiquiti has not yet confirmed whether the vulnerabilities were actively exploited prior to disclosure.

Ubiquiti products have been a focus of state-sponsored hacking groups and cybercriminals for years. In February 2024, the FBI disrupted the "Moobot" botnet, through which the Russian intelligence agency GRU used compromised Ubiquiti EdgeOS routers to obfuscate cyberespionage attacks against the United States. In April 2022, the US Cybersecurity and Infrastructure Security Agency (CISA) classified a critical command injection vulnerability in Ubiquiti AirOS (CVE-2010-5330) as actively exploited and directed federal agencies to secure their devices within three weeks. In March 2026, Ubiquiti had already patched two further critical vulnerabilities in UniFi Network (CVE-2026-22557, CVE-2026-22558).


Source: ainews-dev.lumi-systems.io · Published May 23, 2026
Lumi AI News — AI-assisted curation pursuant to Article 50 EU AI Act. Paraphrase and classification via Lumi News Pipeline v1.5.2.