
Ubiquiti UniFi OS: three chained CVSS 10.0 flaws hit CISA KEV (CVE-2026-34908/34909/34910)

CISA gave federal agencies three days to patch the Bulletin 064 UniFi OS triple — access control bypass, path traversal, command injection — all CVSS 10.0, all exploited.


CISA added three Ubiquiti UniFi OS vulnerabilities to its Known Exploited Vulnerabilities catalog on June 23. All three score CVSS 10.0, all three are exploited in the wild, and the BOD 26-04 federal patching deadline — three calendar days — expired on June 26. If you operate UniFi OS and missed that window, treat any unpatched device as already compromised until proven otherwise.

The bugs ship together in Ubiquiti Security Advisory Bulletin 064 and chain into an unauthenticated remote takeover of the underlying host.

The three CVEs

  • CVE-2026-34908 — improper access control (CWE-284). An unauthenticated, network-adjacent attacker bypasses authorization on the UniFi OS management surface. CVSS scope is changed, which is what pushes it to 10.0 — the impact extends past the vulnerable component.
  • CVE-2026-34909 — path traversal (CWE-22). Allows arbitrary file read and write on the underlying system, including configuration files and SSH key material.
  • CVE-2026-34910 — improper input validation (CWE-20), exploited as OS command injection. Lets the attacker run arbitrary shell commands on the host.

Chain them: bypass auth, write a key or modify a script via the file primitive, then trigger command execution. That is exactly the unauthenticated root chain Bishop Fox detailed in Popping Root on UniFi OS Server.

Affected versions and fixes

Per Bulletin 064:

  • UniFi OS Server — patched in 5.0.8 or later.
  • UniFi OS-based appliances — UDM, UDM-Pro, UDM-SE, UDM-Pro-Max, EFG, UDW, UDR, UDR7, Express 7, UNVR, UNVR-Pro, UNVR-Instant, ENVR, UCG-Ultra, UCG-Max, UCG-Fiber — patched in 5.1.12 or later.

There is no configuration mitigation. The fix is the firmware update.

Exploitation status

CISA's June 23 KEV addition is itself the exploitation confirmation — entries only land there when the agency has evidence of in-the-wild abuse. The three-day BOD 26-04 deadline (June 26) is the shortest CISA hands out; the agency reserves it for chains with confirmed unauthenticated RCE on internet-facing kit. No public PoC has been released by Ubiquiti or by Bishop Fox, but the technical write-up of the chain leaves enough detail for a competent operator to reproduce it.

Action checklist

  1. Inventory. Pull the firmware version of every UniFi OS Server instance and every UDM/UNVR/UCG appliance you operate. If any are below the fixed versions above, they are exposed.
  2. Patch now, today. Both the server and the appliances ship auto-update toggles — confirm they are enabled and the device actually pulled the build. Reboot to confirm.
  3. Take the management UI off the public internet. If the controller or appliance UI is reachable from WAN, scope it to a VPN or management VLAN. This is the standing Ubiquiti hardening guidance and it removes the unauthenticated network-adjacent precondition the chain needs.
  4. Hunt for compromise on anything that was internet-exposed and unpatched. Look for unexpected admin accounts, new SSH keys in /root/.ssh/authorized_keys on the appliance shell, modified system.cfg, outbound connections from the controller to non-Ubiquiti hosts, and any process running under non-default UIDs.
  5. Rotate. Local admin passwords, any cloud-linked Ubiquiti accounts, and the Site-to-Site VPN pre-shared keys the controller distributed. Treat the chain as a credential-leak event for everything the controller touched.
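Steps 1 and 4 above are the ones people get wrong in practice: version strings get compared as text (so "5.0.10" sorts below "5.0.8"), and authorized_keys gets eyeballed instead of diffed against a baseline. The script below is an added example, not code from the article, from Ubiquiti, or from Bishop Fox. It takes the fixed versions Bulletin 064 names (5.0.8 for UniFi OS Server, 5.1.12 for the listed appliances), compares a device inventory against them numerically, and diffs an appliance's authorized_keys against an approved key set. The inventory, the authorized_keys content, the baseline key and the model-to-product-line mapping are all constructed for illustration; how you collect firmware versions from your own fleet (SSH, the controller API, an asset database) is up to you.

```python
"""Bulletin 064 inventory and hunt helper (added example, not vendor code)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Fixed versions quoted from Ubiquiti Security Advisory Bulletin 064.
FIXED_VERSIONS = {
    "server": (5, 0, 8),      # UniFi OS Server
    "appliance": (5, 1, 12),  # UniFi OS-based appliances
}

# Assumed mapping: the appliance models the bulletin lists as affected.
APPLIANCE_MODELS = {
    "UDM", "UDM-Pro", "UDM-SE", "UDM-Pro-Max", "EFG", "UDW", "UDR", "UDR7",
    "Express 7", "UNVR", "UNVR-Pro", "UNVR-Instant", "ENVR",
    "UCG-Ultra", "UCG-Max", "UCG-Fiber",
}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse '5.1.12', 'v5.0.8' or '5.1.12.45' into (major, minor, patch).

    Numeric tuples compare correctly; a plain string compare would rank
    '5.0.8' above '5.0.10' and mark a patched server as exposed.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def classify(model: str) -> str:
    """Map a product name onto the two fix lines the bulletin distinguishes."""
    if model == "UniFi OS Server":
        return "server"
    if model in APPLIANCE_MODELS:
        return "appliance"
    raise ValueError(f"model not covered by Bulletin 064: {model!r}")


def is_exposed(model: str, version: str) -> bool:
    """True when the running firmware is below the fixed version for its line."""
    return parse_version(version) < FIXED_VERSIONS[classify(model)]


@dataclass
class Device:
    host: str
    model: str
    version: str


def triage(devices: list[Device]) -> list[str]:
    """Return the hostnames that still run a vulnerable build."""
    return [d.host for d in devices if is_exposed(d.model, d.version)]


def unexpected_ssh_keys(authorized_keys: str, baseline: set[str]) -> list[str]:
    """Return the comment field of every key not in the approved baseline.

    Keys are identified by 'type base64blob'; entries may carry leading
    options (e.g. no-pty,command="...") which are skipped.
    """
    flagged = []
    for line in authorized_keys.splitlines():
        parts = line.strip().split()
        if not parts or parts[0].startswith("#"):
            continue
        idx = next((i for i, p in enumerate(parts)
                    if p.startswith(("ssh-", "ecdsa-"))), None)
        if idx is None or idx + 1 >= len(parts):
            continue
        key_id = f"{parts[idx]} {parts[idx + 1]}"
        if key_id not in baseline:
            flagged.append(" ".join(parts[idx + 2:]) or key_id)
    return flagged


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    Device("udm-pro-hq", "UDM-Pro", "5.1.12"),          # patched
    Device("unvr-dc1", "UNVR", "5.1.9"),                # exposed
    Device("ucg-branch", "UCG-Ultra", "v5.1.12.45"),    # patched, build suffix
    Device("unifi-srv", "UniFi OS Server", "5.0.10"),   # patched (numerically > 5.0.8)
    Device("unifi-lab", "UniFi OS Server", "5.0.7"),    # exposed
]

# Constructed authorized_keys content and an assumed approved baseline.
SAMPLE_AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedBaselineKey0000000000000000 ops@jumphost
# entry below is not in the baseline
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQConstructedUnknownKey unknown@external
"""
BASELINE_KEYS = {
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedBaselineKey0000000000000000",
}

if __name__ == "__main__":
    print("still vulnerable:", triage(SAMPLE_INVENTORY))
    print("keys outside baseline:", unexpected_ssh_keys(SAMPLE_AUTHORIZED_KEYS, BASELINE_KEYS))
```

Feed `triage` the real inventory and `unexpected_ssh_keys` the contents of /root/.ssh/authorized_keys pulled from each appliance; anything the second function returns on a device that was internet-exposed and unpatched belongs in the step 4 investigation, not in a "probably fine" pile.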

Pattern context

Three CVSS 10.0 unauthenticated RCEs in a single vendor bulletin is rare and worth flagging. It says the vulnerable surface was layered — auth, file path handling, and shell escaping all failed at the same point, which is what makes a chain so reliable. It also fits the broader pattern of network-management gear becoming the most-exploited class of edge device this year: SolarWinds Serv-U, Cisco SD-WAN Manager, Ivanti Sentry, Lantronix EDS5000 and now UniFi OS have all hit the KEV catalog in the last 30 days. Defenders running any of these on the perimeter should assume credential-stealing reconnaissance against the management plane is now the default behaviour, not the exception.
