Maximum-severity UniFi OS vulnerabilities enable full network takeover

Threat summary

On May 22, Ubiquiti released security updates addressing multiple vulnerabilities in its UniFi Operating System (UniFi OS), including three that carry a maximum Common Vulnerability Scoring System (CVSS) score of 10.0.

The vulnerabilities affect UniFi OS, a Linux-based operating system that runs on UniFi consoles and cloud gateways and provides centralized management of networking, security, and applications such as UniFi Network, Protect, Access, Talk, and Connect.

These platforms sit in the management plane of enterprise and multi-site environments, where compromise can expose device configuration, network topology, and administrative access.

The three maximum-severity vulnerabilities are exploitable remotely without privileges, and require no authentication or user interaction:

• CVE-2026-34908 is an improper access control flaw that enables a threat actor to make unauthorized changes to the system.
• CVE-2026-34909 is a path traversal vulnerability that allows access to underlying files, which can be leveraged to reach system accounts.
• CVE-2026-34910 is an improper input validation issue that enables command injection over the network, allowing an adversary to execute arbitrary commands with full system privileges and fully compromise the device.

The vendor also addressed additional vulnerabilities, including:

• CVE-2026-33000, a command injection flaw rated 9.1 (critical)

• CVE-2026-34911, an information disclosure issue.

These vulnerabilities affect UniFi OS deployments across multiple hardware platforms, including UniFi Cloud Gateways, Dream Machine appliances, Network Video Recorders, and UniFi OS Server software. If a UniFi OS device is reachable over a network and not adequately isolated, a threat actor can connect to it and exploit the vulnerabilities directly without authentication.

Researchers estimate that nearly 100,000 UniFi OS endpoints are accessible online, creating a large attack surface.

Ubiquiti provided patched versions across affected platforms, including updates to UniFi OS Server version 5.0.8 and later, alongside firmware updates for supported hardware lines. As of May 22, there is no confirmation of active exploitation in the wild and no public proof-of-concept code disclosed.

Analysis

The management role of these systems means compromise provides control over network configurations, connected devices, and security services, enabling lateral movement across internal environments and visibility into sensitive traffic.

Environments where management interfaces are exposed externally or lack network segmentation present the highest risk, as exploitation can be performed remotely by an unauthenticated threat actor and result in full compromise of management infrastructure. In environments where the interface is not externally exposed but remains reachable internally, a threat actor with an existing foothold can access it laterally.

Successful exploitation can allow a threat actor to execute commands, read and modify system files, alter configurations, and disrupt services. In a worst‑case scenario, compromise of the UniFi controller or console provides persistent administrative access to the network, enables manipulation of segmentation controls, and may allow affected devices to be incorporated into botnets or proxy infrastructure, consistent with historical targeting of Ubiquiti devices by both cybercriminal and state-aligned groups.

Recommended actions include prioritizing patch deployment across all UniFi OS instances, reducing exposure of management interfaces to the internet, and limiting network reachability to trusted administrative segments.

Restricting administrative access, reviewing account permissions, and monitoring for unexpected configuration changes or command execution activity can reduce the risk associated with potential exploitation attempts.

Stay on top of emerging threats like this.

Sign up to receive a weekly roundup of our security intelligence feed. You'll be the first to know of emerging attack vectors, threats, and vulnerabilities. 

Sign up