Skip to main content
CybersecurityVulnerability Management

Ubiquiti Fixes Maximum-Severity UniFi OS Flaws

Network devices on a rack in a server room, highlighting potential vulnerability to exploitation.

Censys is tracking nearly 100,000 Internet‑exposed UniFi OS endpoints — nearly 50,000 of them in the United States — even as Ubiquiti this week patched three maximum‑severity UniFi OS flaws that remote attackers can exploit without privileges.

The vulnerabilities: CVE-2026-34908, CVE-2026-34909, CVE-2026-34910

Ubiquiti disclosed three maximum‑severity vulnerabilities in UniFi OS. CVE‑2026‑34908 is an Improper Access Control weakness that can enable unauthorized changes to targeted systems. CVE‑2026‑34909 is a Path Traversal vulnerability that can be abused to access files on the underlying system and, according to the vendor, could be manipulated to access an underlying account. CVE‑2026‑34910 involves Improper Input Validation and can allow command injection after an attacker gains network access.

All three flaws can be exploited by remote attackers without privileges, according to Ubiquiti’s advisory cited in the original report, and were reported through the company’s HackerOne bug bounty program.

Additional fixes: CVE-2026-33000 and CVE-2026-34911

On Thursday, Ubiquiti also released patches for a second critical command injection vulnerability, CVE‑2026‑33000, and a high‑severity information disclosure issue, CVE‑2026‑34911, both affecting UniFi OS devices. The company has not disclosed whether any of the five vulnerabilities were exploited in the wild prior to disclosure.

Attack surface and exploitability

The vendor reported that the newly patched flaws can be exploited in low‑complexity attacks. At the same time, third‑party measurements show a substantial exposed population: Censys is tracking nearly 100,000 Internet‑facing UniFi OS endpoints, with about half of those addresses in the United States. The report notes there is currently no public information on how many of those exposed endpoints have been secured against the vulnerabilities patched this week.

Historical context: March patches, Moobot takedown, and CISA action

These patches follow a series of high‑severity fixes earlier this year. In March, Ubiquiti patched a maximum‑severity flaw, CVE‑2026‑22557, in the UniFi Network Application that could allow attackers to take over user accounts, and CVE‑2026‑22558, a vulnerability that could be exploited to escalate privileges. The company’s products have been targeted in past campaigns that hijacked devices to build botnets and conceal malicious activity.

The broader operational history cited by the report includes law‑enforcement and government actions tied to exploited Ubiquiti devices: the FBI took down Moobot in February 2024, a botnet of hacked Ubiquiti Edge OS routers that was used by Russia’s Main Intelligence Directorate of the General Staff (GRU) to proxy malicious traffic. In April 2022, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a critical command injection flaw in Ubiquiti AirOS (CVE‑2010‑5330) to its catalog of actively exploited vulnerabilities and ordered federal agencies to secure their devices within three weeks.

What this means for technologists, policymakers, and affected enterprises

  • Technologists and security teams: The presence of low‑complexity, remote exploitation paths combined with a large population of Internet‑exposed UniFi OS endpoints means teams responsible for UniFi Consoles and UniFi applications (including UniFi Network, UniFi Protect, UniFi Access, UniFi Talk, and UniFi Connect) will need to verify patching and configuration status. Ubiquiti reported the bugs via HackerOne; the company’s updates are the published mitigations.
  • Policymakers and regulators: The report highlights recurrent high‑severity issues affecting widely deployed networking and management infrastructure and cites prior government action and botnet disruption. Regulators tracking critical‑infrastructure exposures may view the combination of exposed endpoints and historically observed exploitation as a signal for continued monitoring and guidance.
  • Affected enterprises and procurement leaders: Organizations that deploy UniFi OS consoles or related services should inventory Internet‑facing UniFi OS instances and confirm whether Ubiquiti’s updates have been applied, since the vendor has not published data on how many exposed endpoints have already been secured.

Ubiquiti’s advisory frames the technical risk — improper access control, path traversal, and input validation that can lead to unauthorized changes, file access, and command injection — but leaves two practical questions open in the public record: whether any of these five vulnerabilities were exploited before disclosure, and how many of the nearly 100,000 publicly visible UniFi OS endpoints have been updated. Those unanswered points will determine whether this set of patches closes a theoretical risk or a live avenue for attackers to exploit.

https://www.bleepingcomputer.com/news/security/ubiquiti-patches-three-max-severity-unifi-os-vulnerabilities/