Critical Attack Chain in UniFi OS
Three Actively Exploited CVSS-10.0 Vulnerabilities in Ubiquiti UniFi OS
Three vulnerabilities rated CVSS 10.0 in Ubiquiti’s UniFi OS have been chained together, allowing for complete takeover without authentication. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has classified these vulnerabilities as actively exploited and urges immediate patching of affected devices.
Understanding the Vulnerabilities
The WLAN hardware provider Ubiquiti has released fixes for several vulnerabilities in its Linux-based management system, UniFi OS, through Security Advisory Bulletin 064. Three of these vulnerabilities have been rated with the highest score of 10.0 by HackerOne. On June 23, 2026, the CISA added all three identifiers to its catalog of known exploited vulnerabilities, mandating federal agencies to rectify these issues by June 26, 2026.
The Attack Chain Explained
Each vulnerability contributes uniquely to the chain of exploitation:
- CVE-2026-34908: This describes a flawed access control (CWE-284) that allows unauthorized changes to the system by an attacker with network access.
- CVE-2026-34909: A Path Traversal vulnerability (CWE-22) that enables attackers to read and manipulate files from the underlying system, potentially gaining access to system accounts.
- CVE-2026-34910: This flaw involves inadequate input validation (CWE-20), leading to command injection vulnerabilities.
These vulnerabilities share the same vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H. This means the attack can easily be executed over the network, providing full loss of confidentiality, integrity, and availability without requiring user interaction or authentication.
Pathway to Exploitation
Research from Bishop Fox leads the initial point of access back to the authentication check performed by the front-facing Nginx. The gateway treats requests with raw URIs that begin with a publicly declared prefix as non-authenticated. Consequently, Nginx normalizes the path for backend forwarding, resolving percentage encoding and parent directory references. This allows crafted requests to reach internal endpoints that normally require authentication, facilitating command execution with root privileges on vulnerable versions of UniFi OS Server.
CISA’s Urgent Recommendation
The inclusion in the Known Exploited Vulnerabilities (KEV) catalog substantiates evidence of field exploitation. While no confirmation exists linking the vulnerabilities to ransomware operations, it is advisable for administrators to urgently upgrade their UniFi OS version and restrict access to management interfaces to trusted networks. Monitoring for newly created administrator accounts and unexpected configuration changes since May 22, 2026, along with cross-referencing critical system files against a known baseline, is also recommended.
Version Fixes by Device Class
Ubiquiti has addressed these vulnerabilities in UniFi OS Server beginning with version 5.0.8. The solution extends to various gateway and console models, including UDM, UDM-Pro, UDM-SE, and more, with firmware updates starting from 5.1.12. The UDM Beast is protected starting from 5.1.11, while UNAS models receive fixes from 5.1.10 onwards. For UniFi Express, the remedy for the Path Traversal vulnerability is available from version 4.0.14.
