
Ubiquiti patches three maximum severity UniFi OS flaws

Ubiquiti released security updates to fix three maximum-severity vulnerabilities in UniFi OS, including remote unauthorised changes, path traversal that could expose underlying system files, and a command injection issue that becomes possible after network acc

When UniFi OS devices face the internet, attackers don’t need a foothold—they only need the right weakness.

Ubiquiti has released security updates to patch three maximum severity vulnerabilities in UniFi OS that can be exploited by remote attackers without privileges. UniFi OS is the unified operating system that powers UniFi Consoles and helps manage IT infrastructure, including networking, security, and other services, along with UniFi applications such as UniFi Network, UniFi Protect, UniFi Access, UniFi Talk, and UniFi Connect.

The first flaw, CVE-2026-34908, involves improper access control. It allows attackers to make unauthorized changes to targeted systems by exploiting that weakness in UniFi OS.

The second, CVE-2026-34909, is a path traversal issue. By abusing it, a remote attacker could access files on the underlying system; the vulnerability is described as one that could be manipulated to access an underlying account.

The third maximum severity issue, CVE-2026-34910, enables command injection once an attacker has gained network access. Ubiquiti tied it to improper input validation in UniFi OS, giving attackers another way to push beyond simple probing.


The timing matters. On Thursday, Ubiquiti also patched a second critical command injection flaw (CVE-2026-33000) and a high-severity information disclosure flaw (CVE-2026-34911), both affecting UniFi OS devices.

So far, Ubiquiti has not disclosed whether any of the five vulnerabilities were exploited in the wild before the company announced the updates. What it did share is that the flaws could be leveraged through low-complexity attacks and were reported through its HackerOne bug bounty program.

For defenders, the bigger concern is how many devices can potentially be reached without trying very hard. Threat intelligence firm Censys is tracking nearly 100,000 Internet-exposed UniFi OS endpoints, with nearly 50,000 of the IP addresses located in the United States.


Even with that exposure visible on the internet, there’s no current information on how many of those endpoints have been secured against the vulnerabilities Ubiquiti patched this week.

The problem isn’t new. In March, Ubiquiti patched another maximum-severity flaw, CVE-2026-22557, in the UniFi Network Application that may allow attackers to take over user accounts. It also fixed CVE-2026-22558, a vulnerability that can be exploited to escalate privileges.

Ubiquiti products have also drawn attention in past years from serious attackers, both state-backed groups and cybercriminals. Those campaigns have targeted Ubiquiti devices to hijack them and build botnets that conceal malicious activity.

In February 2024, the FBI took down Moobot, a botnet of hacked Ubiquiti Edge OS routers that Russia’s Main Intelligence Directorate of the General Staff (GRU) used to proxy malicious traffic in cyberespionage attacks targeting the United States and its allies.

And four years earlier, in April 2022, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a critical command injection flaw, CVE-2010-5330, in Ubiquiti AirOS to its catalog of actively exploited vulnerabilities and ordered federal agencies to secure their devices within three weeks.

Taken together, Ubiquiti’s latest patch cycle lands in the same place defenders have been watching: internet-facing systems where a single bug can turn remote access into real control.


4 Comments

  1. So they patch it… but did anyone get hacked already? Seems like these things always pop up too late.

  2. Path traversal?? That sounds like someone just walks into your files like it’s a hotel. My buddy uses UniFi for his whole house network, great.

  3. Wait, command injection after gaining network access… doesn’t that mean it’s only if they’re already in your WiFi? Like, how do they even get in if you didn’t click some link?

  4. The headline says max severity like it’s guaranteed disaster. Also “remote unauthorised changes” sounds like they can mess with settings and then you can’t even tell? I swear these devices are always “not exposed” until one random thing is on the internet lol.
