Ubiquiti Patches 3 Max-Severity UniFi OS Flaws, 100K Exposed

Ubiquiti patched three max-severity UniFi OS flaws enabling RCE and unauthorized file access across approximately 100,000 internet-exposed endpoints worldwide.

    Ubiquiti released security patches for five vulnerabilities in UniFi OS on May 22, 2026, including three maximum-severity flaws — CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910 — that allow unauthenticated remote attackers to modify system settings, access arbitrary files, and execute arbitrary commands on approximately 100,000 internet-exposed endpoints identified by Censys.

    Three Maximum-Severity Flaws Across Access Control, Path Traversal, and Command Injection

    The three maximum-severity vulnerabilities affect UniFi OS through separate classes of input-handling weakness. CVE-2026-34908 is an improper access control flaw that enables unauthorized system modifications. CVE-2026-34909 is a path traversal vulnerability that allows access to arbitrary files and potential account compromise. CVE-2026-34910 is a command injection flaw resulting from improper input validation, enabling arbitrary command execution on the host system.

    All three can be exploited remotely by unauthenticated attackers and are characterized as low-complexity attacks — no special conditions, credentials, or user interaction are required beyond network access to the vulnerable endpoint. The vulnerabilities were reported to Ubiquiti through its HackerOne bug bounty program.

    Two Additional Vulnerabilities: CVE-2026-33000 and CVE-2026-34911

    The patch release also addressed CVE-2026-33000, a critical command injection vulnerability, and CVE-2026-34911, a high-severity information disclosure flaw. The presence of multiple independent command injection vulnerabilities in the same patch cycle — CVE-2026-34910 and CVE-2026-33000 — alongside path traversal and access control failures suggests systemic weaknesses in input handling across the UniFi OS codebase rather than isolated bugs.

    100,000 Internet-Exposed UniFi OS Endpoints Before Patching

    Censys identified approximately 100,000 internet-exposed UniFi OS endpoints at the time of disclosure, with roughly 50,000 located in the United States. Each of those endpoints was potentially vulnerable to all three maximum-severity flaws before the patch was applied.

    Ubiquiti’s Historical Targeting and the March 2026 Account Takeover Patch

    No active exploitation was confirmed at the time of disclosure. However, Ubiquiti infrastructure has been targeted historically by state-sponsored groups and cybercriminals for botnet development. A 2024 Ubiquiti compromise involved a threat actor accessing infrastructure that hosted customer UniFi devices globally. More recently, Ubiquiti issued a patch in March 2026 addressing account takeover and privilege escalation flaws in UniFi Network Application — indicating sustained security research attention on the Ubiquiti ecosystem during the current year.

    UniFi OS powers routers, wireless access points, switches, network cameras, and centralized network management systems deployed across enterprise, campus, retail, and residential environments worldwide. A compromised UniFi OS device gives an attacker a position within the network infrastructure itself, from which to intercept traffic, deploy backdoors, pivot through segmented networks, or establish persistent botnet nodes. Organizations with internet-exposed UniFi OS devices should verify that the patch has been applied and consider whether those devices need to be internet-facing at all, or can be placed behind additional network controls.
