Ubiquiti has launched a safety replace that patches three most severity vulnerabilities in UniFi OS that may be exploited by an unprivileged distant attacker.
UniFi OS is a unified working system that powers the UniFi console and helps you handle your IT infrastructure, together with networking, safety, and different providers, in addition to UniFi purposes similar to UniFi Community, UniFi Shield, UniFi Entry, UniFi Discuss, and UniFi Join.
The primary flaw (CVE-2026-34908) permits an attacker to make unauthorized modifications to a focused system by exploiting an improper entry management vulnerability in UniFi OS. In the meantime, the second flaw (CVE-2026-34909) permits a path traversal vulnerability to be exploited to entry recordsdata on the underlying system, which will be manipulated to realize entry to the underlying account.
The third highest severity safety concern (CVE-2026-34910) permits a malicious attacker to launch command injection assaults after gaining community entry by exploiting an improper enter validation vulnerability.
On Thursday, Ubiquiti additionally patched a second vital command injection flaw (CVE-2026-33000) and a high-severity info disclosure (CVE-2026-34911). Each of those have an effect on Unifi OS gadgets.
Ubiquiti has not but disclosed whether or not any of the 5 vulnerabilities had been truly exploited earlier than publication, however shared that they are often exploited in low-complexity assaults and had been reported by the corporate’s HackerOne bug bounty program.
Presently, menace intelligence firm Censys tracks roughly 100,000 UniFi OS endpoints uncovered to the web, most of which (roughly 50,000 IP addresses) are situated in the US.
Nevertheless, there may be presently no info on how safe Ubiquiti is from potential assaults concentrating on the vulnerabilities it patched this week.
In March, Ubiquiti patched one other most severity flaw within the UniFi community software (CVE-2026-22557) that would enable an attacker to take over person accounts, in addition to a vulnerability that may very well be exploited for privilege escalation (CVE-2026-22558).
Ubiquiti merchandise have been focused lately by each state-sponsored hacker teams and cybercriminals, with campaigns to take over the merchandise so as to construct botnets that disguise the attackers’ malicious actions.
For instance, in February 2024, the FBI shut down Moobot, a botnet of hacked Ubiquiti Edge OS routers utilized by Russia’s Normal Workers Intelligence Directorate (GRU) to proxy malicious visitors in cyberespionage campaigns concentrating on the US and its allies.
4 years in the past, in April 2022, the U.S. Cybersecurity and Infrastructure Safety Company (CISA) additionally added the Ubiquiti AirOS vital command injection flaw (CVE-2010-5330) to its catalog of actively exploited vulnerabilities and ordered federal companies to safe their gadgets inside three weeks.
Automated penetration testing instruments supply actual worth, however they had been constructed to reply one query: Can an attacker get by your community? They don’t seem to be constructed to check whether or not controls block threats, detection guidelines fireplace, or cloud configurations are preserved.
This information describes six surfaces that you must truly study.
Obtain now
