threat-wire
Three Chainable Ubiquiti UniFi Flaws Give Attackers Full Network Control
Three maximum-severity flaws in Ubiquiti's UniFi OS, all now on the CISA Known Exploited Vulnerabilities list, can be chained by unauthenticated attackers to gain full remote code execution. Patches were available in May; CISA is now ordering federal agencies to apply them within three days, confirming active exploitation is underway.
By SecureBusinessHub Editorial, International cybersecurity desk — · 5 min read
If your office runs Ubiquiti UniFi networking gear, three actively exploited vulnerabilities have just moved onto CISA's Known Exploited Vulnerabilities list. All three were assigned maximum severity scores. Bishop Fox researchers demonstrated that they chain together into a single unauthenticated attack that hands an outsider full remote control of the UniFi OS controller, the central management system for UniFi networks. CISA is now requiring US federal agencies to patch within three days under Binding Operational Directive 26-04. CISA adds a CVE to that list only when exploitation in the wild is confirmed.
What the three flaws do
CVE-2026-34908 is an access control bypass. An attacker can reach restricted API endpoints on the controller without logging in. CVE-2026-34909 is a directory traversal flaw that exposes configuration files and stored credentials outside the intended file system boundaries. CVE-2026-34910 is an OS command injection bug that lets the attacker run arbitrary shell commands with the privileges of the UniFi process. Each flaw is exploitable independently, but chained in that order, they take an outside attacker with no credentials to root-level code execution in one shot.
Ubiquiti's UniFi OS powers the Dream Machine Pro, Dream Router, Cloud Gateway Ultra, and similar controller appliances. These are the devices small offices, retail premises, dental practices, and hotels buy to get a managed network without dedicated IT staff. If your network closet has a Ubiquiti unit running UniFi OS, it is worth confirming the firmware version before assuming you are safe.
Check whether you are exposed
- In the UniFi Network application, go to Settings > System > Updates. The patched firmware was released in May 2026. If your controller is running an older version and has not updated automatically, it is vulnerable.
- Check whether your UniFi controller is internet-facing. Log into your router's admin panel and review port forwarding rules, or run a port scan from outside your network. The management port should not be reachable from the internet; admin access should only come through a VPN or the internal LAN.
- In Settings > Admins within the UniFi app, review the full list of administrator accounts. CVE-2026-34908 allows unauthenticated API access, which means a compromised controller may have had rogue admin accounts added without your knowledge.
- Check the UniFi Network notification log for any unexpected firmware updates, configuration changes, or new devices adopted in the past two to three weeks.
- If you manage your network through a Ubiquiti cloud account at ui.com, review the account's recent sign-in activity and connected devices under Account > Security for sessions you do not recognise.
Patch now and close the exposure
Apply the May 2026 firmware update through the UniFi Network application immediately if you have not done so already. Ubiquiti's auto-update feature handles this for most devices, but any controller that was offline or had auto-update disabled is still exposed. Bishop Fox released a free detection script on GitHub that checks whether the three vulnerabilities are present on a given host, which is useful if you need to triage a fleet before patches are applied.
Alongside the patch, move your controller off any public IP address. Network management interfaces have no business sitting on the open internet. Route all admin access through a VPN or restrict it to the internal network segment only. CISA's advisory confirms active exploitation, meaning attackers are already scanning for unpatched devices.