CVE-2026-34908, CVE-2026-34909, CVE-2026-34910: Ubiquiti UniFi OS Triple Vulnerability

nick

CVE-2026-34908, CVE-2026-34909, CVE-2026-34910: Ubiquiti UniFi OS Triple Vulnerability

by

CISA Known Exploited Vulnerability (KEV): Added to the CISA KEV Catalog on June 23, 2026. Action due June 26, 2026. BOD 26-04 3-day patch mandate applies.

CVE: CVE-2026-34908, CVE-2026-34909, CVE-2026-34910 | CVSS 3.1: 10.0 (CRITICAL) — all three CVEs | CWE: CWE-284 (34908), CWE-22 (34909), CWE-20 (34910) | Vendor: Ubiquiti | Product: UniFi OS

What Is the Vulnerability

Three critical vulnerabilities in Ubiquiti UniFi OS collectively enable a complete device takeover chain with no prior authentication required. The flaws affect every UniFi OS-powered device—Cloud Gateways, Network Controllers, Protect NVRs, Access Hubs, and Talk appliances—placing entire UniFi-based network infrastructures at immediate risk.

CVE-2026-34910 (CVSS 10.0, CWE-20): Improper input validation allows a malicious network-adjacent actor to inject and execute arbitrary operating system commands on the underlying UniFi OS host. This is the crown jewel of the chain, delivering full command execution.

CVE-2026-34909 (CVSS 10.0, CWE-22): A path traversal vulnerability permits unauthorized reading and writing of files on the underlying system. Attackers can manipulate configuration files, exfiltrate sensitive data, and—critically—access a shell on the underlying OS.

CVE-2026-34908 (CVSS 10.0, CWE-284): An improper access control flaw allows unauthorized changes to the system without authentication. This is the initial entry point that bypasses all access controls, enabling the attacker to then leverage the path traversal and command injection.

Chained together, these three vulnerabilities constitute a worst-case scenario: bypass access controls, read and write arbitrary files, then execute arbitrary OS commands. The attack vector is network-adjacent, meaning any attacker on the same network segment—a compromised IoT device, a malicious insider, or a guest Wi-Fi user—can exploit these flaws without credentials.

Versions Affected

  • All UniFi OS versions prior to the patched firmware released in Ubiquiti Security Advisory Bulletin 064
  • UniFi Cloud Gateways (all models)
  • UniFi Network Controllers
  • UniFi Protect NVRs
  • UniFi Access Hubs
  • UniFi Talk appliances

Exploited?

YES — Actively exploited in the wild. CISA added all three CVEs to its Known Exploited Vulnerabilities (KEV) Catalog on June 23, 2026, confirming active exploitation. The network-adjacent attack vector means any attacker with presence on the same network segment can leverage this chain without authentication, making UniFi deployments across enterprise, government, and MSP environments high-value targets. Ubiquiti devices are widely deployed at the network edge, and a compromised UniFi OS device grants an attacker a privileged foothold for lateral movement, traffic interception, and persistent access.

Fix

Ubiquiti has released patched firmware via Security Advisory Bulletin 064. Organizations must upgrade all UniFi OS devices immediately—CISA mandates action by June 26, 2026, under BOD 26-04. The advisory addresses all three CVEs in a single firmware update.

  • Apply the firmware update from Ubiquiti Security Advisory Bulletin 064 on all UniFi OS devices
  • Verify firmware version post-upgrade to confirm the patch took effect
  • If immediate patching is not feasible, segment UniFi OS management interfaces onto an isolated VLAN with strict access controls
  • Audit UniFi OS device logs for signs of unauthorized configuration changes or unexpected processes

Recommendations

  • Patch all UniFi OS devices to the firmware version specified in Ubiquiti Security Advisory Bulletin 064 immediately—no later than June 26, 2026 (CISA 3-day mandate)
  • Isolate UniFi management interfaces on a dedicated, access-controlled management VLAN
  • Disable UniFi OS management access from guest and untrusted network segments
  • Monitor UniFi OS syslog and audit trails for suspicious command execution or unexpected file modifications
  • Conduct a compromise assessment: review device configurations, SSH authorized keys, and running processes for indicators of exploitation
  • For MSPs and multi-tenant deployments, verify that client UniFi devices are isolated and patched promptly
  • Subscribe to Ubiquiti’s security advisory notifications for future bulletins

References

This is a CISA Known Exploited Vulnerability (KEV) advisory. KEV status is indicated in the title, opening callout, and Exploited section per editorial policy. Part of the Vulnerability Intelligence series on threat-modeling.com.

Threat Modeling and Security by Design

Threat modeling and Security by Design methods, tools, and approaches to help secure your business and IT landscape.

Terms of Service | Privacy Policy

AI chatbot & help center by 99helpers.com

Threat Modeling
Threat Modeling Tool
Threat Modeling Tool Explainer
What is Threat Modeling?
STRIDE Threat Modeling
PASTA Threat Modeling
Automated Threat Modeling
Threat Modeling Framework
CISO Security Mind Map 2026
CIS Controls
OWASP Top 10

© Threat-Modeling.com

Connect with me

Enter your Email address if you want to connect and receive threat modeling updates (I won’t spam you or share your contact details).

AND / OR

Try my threat modeling tool, it's completely free to use.

Thanks for signing up!