critical advisory

Multiple Critical Vulnerabilities in Ubiquiti UniFi OS

Ubiquiti has addressed multiple critical vulnerabilities including CVE-2026-34908, CVE-2026-34909, CVE-2026-34910, and CVE-2026-33000 in UniFi OS, which could allow remote attackers to make unauthorized system changes, access sensitive files, disclose information, or execute arbitrary commands on vulnerable systems.

Ubiquiti has released security updates to address multiple critical vulnerabilities in UniFi OS, a system designed for managing IT infrastructure including networking, security, and other services. These vulnerabilities, disclosed in May 2026, affect a wide range of UniFi OS products. Exploitation of these vulnerabilities could allow remote attackers to make unauthorized system changes, access sensitive files, disclose information, or execute arbitrary commands on vulnerable systems. Given the central role of UniFi OS devices in managing networks, successful exploitation could lead to significant compromise, including lateral movement to other systems. The affected products include UCG-Industrial, UDM, UDM-Pro, UDM-SE, UDM-Pro-Max, EFG, UDW, UDR, UDR7, Express 7, UNVR, UNVR-Pro, UNVR-Instant, ENVR, UCG-Ultra, UCG-Max, UCG-Fiber, UDR-5G, ENVR-Core, UCKP, UCK, UCK-Enterprise, UniFi OS Server, UNVR-G2, UNVR-G2-Pro, UDM-Beast, UNAS-2, UNAS-4, UNAS-Pro, UNAS-Pro-4, UNAS-Pro-8, and Express.

Attack Chain

  1. The attacker identifies a network-reachable UniFi OS device running a version affected by one of these vulnerabilities (e.g., CVE-2026-34908, CVE-2026-34909, CVE-2026-34910).
  2. The attacker exploits an Improper Access Control vulnerability (CVE-2026-34908) to bypass authentication or authorization mechanisms.
  3. Alternatively, the attacker leverages a Path Traversal vulnerability (CVE-2026-34909) to read sensitive files on the file system.
  4. The attacker uses the Path Traversal vulnerability to access files containing credentials or configuration data to further compromise the system.
  5. Alternatively, the attacker exploits an Improper Input Validation vulnerability (CVE-2026-34910 or CVE-2026-33000) to inject arbitrary commands into the system.
  6. The attacker executes commands to gain a shell on the UniFi OS device.
  7. The attacker establishes persistence on the compromised UniFi OS device.
  8. The attacker uses the compromised device as a pivot point to move laterally within the network and compromise other systems.

Impact

Successful exploitation of these vulnerabilities can lead to full compromise of UniFi OS devices. Since these devices are often used to manage critical network infrastructure, a successful attack could allow an attacker to gain control of the entire network, leading to data theft, service disruption, and other malicious activities. The CCB has assessed these vulnerabilities as critical, given the high CVSS scores and the potential impact on confidentiality, integrity, and availability of targeted devices.

Recommendation

  • Immediately patch Ubiquiti UniFi OS devices to the latest version to address CVE-2026-34908, CVE-2026-34909, CVE-2026-34910, and CVE-2026-33000.
  • Enable network monitoring to detect suspicious activity related to exploitation attempts, ensuring a swift response in case of an intrusion.
  • Implement the Sigma rule “Detect UniFi OS Path Traversal Attempt” to identify potential exploitation of CVE-2026-34909 via web server logs.
  • Deploy the Sigma rule “Detect UniFi OS Command Injection Attempt” to identify potential exploitation of CVE-2026-34910 and CVE-2026-33000 via web server logs.
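A minimal illustration of the kind of web-server-log check such rules perform, added here as an example; it is not the Sigma rules referenced above (their contents are not on this page). The access log lines and the /api/PLACEHOLDER request path are constructed for the example and are not real UniFi OS endpoints.

```python
import re
from urllib.parse import unquote

# Constructed sample access log lines (Common Log Format). The /api/PLACEHOLDER
# request path stands in for a real endpoint; it is not a UniFi OS path.
SAMPLE_LOG = """\
10.0.0.5 - - [12/May/2026:10:01:02 +0000] "GET /api/PLACEHOLDER HTTP/1.1" 200 512
10.0.0.9 - - [12/May/2026:10:01:07 +0000] "GET /api/PLACEHOLDER/..%2f..%2f..%2fetc/passwd HTTP/1.1" 200 1024
10.0.0.9 - - [12/May/2026:10:01:09 +0000] "POST /api/PLACEHOLDER?name=foo%3Bid HTTP/1.1" 500 33
10.0.0.7 - - [12/May/2026:10:01:11 +0000] "GET /static/app.js HTTP/1.1" 200 77
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# Dot-dot segments in either direction, checked after URL decoding.
TRAVERSAL_RE = re.compile(r'(\.\./|\.\.\\|/\.\.$)')
# Shell metacharacters that separate or substitute commands; '&' is left out
# because it is the normal query-string separator and would cause false positives.
CMD_INJ_RE = re.compile(r'[;|`\n]|\$\(')


def normalise(target):
    """Decode twice so double-encoded sequences such as %252e%252e are also caught."""
    return unquote(unquote(target))


def classify(target):
    """Return the list of suspicious patterns found in one request target."""
    decoded = normalise(target)
    hits = []
    if TRAVERSAL_RE.search(decoded):
        hits.append("path_traversal")
    if CMD_INJ_RE.search(decoded):
        hits.append("command_injection")
    return hits


def scan_log(text):
    """Parse access log lines and return one alert per request that matches."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = classify(m["target"])
        if hits:
            alerts.append({"src": m["src"], "ts": m["ts"], "target": m["target"], "hits": hits})
    return alerts
```

Running `scan_log(SAMPLE_LOG)` over the constructed lines yields two alerts, one per pattern; a production rule would additionally scope the match to the affected endpoints once they are known.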

Detection coverage (2 rules)

Detect UniFi OS Path Traversal Attempt

Severity: high

Detects attempts to exploit CVE-2026-34909, a path traversal vulnerability in UniFi OS, via web server logs.

Type: Sigma | Tactics: initial_access | Techniques: T1190 | Sources: webserver

Detect UniFi OS Command Injection Attempt

Severity: high

Detects attempts to exploit CVE-2026-34910 and CVE-2026-33000, command injection vulnerabilities in UniFi OS, via web server logs.

Type: Sigma | Tactics: initial_access | Techniques: T1190 | Sources: webserver
