UniFi OS CVE-2026-34910: Patch Root RCE Chain Now

CISA has moved three Ubiquiti UniFi OS flaws into its Known Exploited Vulnerabilities catalog, turning an already urgent patch into a practical incident-response task for anyone running exposed UniFi OS consoles. The bugs are tracked as CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910, and CISA added them on June 23, 2026 with a June 26 remediation due date for covered organizations.¹

The short version: this is not just a routine router firmware note. Ubiquiti’s advisory describes a chain of access-control, path-traversal, and command-injection issues across UniFi OS devices, while Bishop Fox says it validated the UniFi OS Server chain end to end as unauthenticated remote code execution with root privileges when the management interface is reachable.²³

What UniFi OS owners should check now

CVE-2026-34908 is the access-control piece, CVE-2026-34909 is the path-traversal piece, and CVE-2026-34910 is the command-injection flaw. NVD lists HackerOne CNA CVSS 3.1 scores of 10.0 for the three records, with network attack vector, low complexity, no privileges, and no user interaction.⁴⁵⁶ Bishop Fox’s analysis says the chain abuses the authentication gateway to reach an internal package-update endpoint and then execute commands as root on vulnerable UniFi OS Server builds.³

The most important affected software line is UniFi OS Server before 5.0.8. The CVE records also list many UniFi appliances as affected until their fixed branches, including UDM, UDM-Pro, UDM-SE, UDM-Pro-Max, EFG, UDW, UDR, UDR7, UDR-5G, Express 7, UNVR lines, Cloud Key lines, and Cloud Gateway models before 5.1.12; UDM-Beast before 5.1.11; UNAS lines before 5.1.10; and UniFi Express before 4.0.14 for CVE-2026-34909.⁷

Start with exposure. If the UniFi OS web interface is reachable from the internet, a guest VLAN, an untrusted office network, or a contractor VPN, treat that path as meaningful. Bishop Fox notes that UniFi OS Server commonly listens on TCP 11443 and that the chain is reachable wherever the web interface is reachable.³ That same management-plane lesson shows up in other edge-device incidents we covered, from AryStinger abusing legacy routers as proxies to FortiBleed forcing VPN credential rotation.

Patch first, but do not stop there. A root-level compromise of a network controller can expose stored secrets, change firewall or VPN settings, create or alter admin sessions, enable SSH, and affect managed devices. For UniFi OS Server, move to 5.0.8 or later. For UniFi hardware, apply the vendor-fixed release for the exact model rather than assuming one version number covers every product family.²

After the update, review whether the console may have been exposed before patching. Check for unexpected administrator accounts, newly enabled SSH, changed root or local credentials, unexplained firewall/NAT/VPN changes, suspicious package-update or management API activity, and logins from unfamiliar IP ranges. If there are signs of compromise, rotate UniFi local credentials, API tokens, VPN credentials, and any secrets stored in or reachable from the controller. Bishop Fox specifically warns that patching does not evict an attacker who already got in, and that confirmed compromise should push teams toward rebuilding from known-good media rather than only rotating a key.³

For quick validation, Bishop Fox published a detector that aims to confirm vulnerable, patched, unaffected, or inconclusive states without executing a command or changing target state.⁸ Use that kind of check carefully against owned systems only, and remember that a negative result is only useful if you actually reached the same management front end that attackers could reach. Network isolation is still the safer control: management interfaces belong on trusted admin networks, not broad user segments.

This is why the CISA KEV addition matters. The original fixes landed in May, but KEV status means defenders should assume real-world exploitation pressure rather than treating the issue as theoretical. For organizations with mixed gateway fleets, prioritize internet-exposed or broadly reachable UniFi OS consoles first, then work inward through branch offices and lab networks. The same triage logic applies to other exposed appliance bugs such as C0XMO’s DD-WRT router exploitation: inventory, isolate, patch, then verify that no persistence or credential theft remains.

References

1. Cybersecurity and Infrastructure Security Agency. “Known Exploited Vulnerabilities Catalog,” catalog version 2026.06.23, released June 23, 2026.
2. Ubiquiti. “Security Advisory Bulletin 064,” May 2026.
3. Jon Williams, Bishop Fox. “Popping Root on UniFi OS Server: Unauthenticated RCE Chain Detection & Analysis,” June 5, 2026.
4. National Vulnerability Database. “CVE-2026-34908 Detail.”
5. National Vulnerability Database. “CVE-2026-34909 Detail.”
6. National Vulnerability Database. “CVE-2026-34910 Detail.”
7. CVE Program. “CVE-2026-34910 Record.”
8. Bishop Fox. “CVE-2026-34908-check,” GitHub repository.