Ubiquiti UniFi OS CVE-2026-34908 / CVE-2026-34909 / CVE-2026-34910 exploitation
Summary
CISA added three Ubiquiti UniFi OS vulnerabilities to the Known Exploited Vulnerabilities catalog on 2026-06-23: CVE-2026-34908 improper access control, CVE-2026-34909 path traversal, and CVE-2026-34910 command injection. Ubiquiti's bulletin covers the fixed UniFi OS releases, and public honeypot reporting from PwnDefend says CVE-2026-34910 exploitation was observed in the wild in activity consistent with Mirai-style botnet building.
The durable defender lesson is management-plane exposure control: UniFi gateways, consoles, NVRs, storage appliances, and UniFi OS Server should not be reachable from untrusted networks, and patching should be paired with review for unauthorized configuration changes, file access, and command-execution fallout.
Tags
- ops
- operations
- Ubiquiti
- UniFi OS
- CVE-2026-34908
- CVE-2026-34909
- CVE-2026-34910
- active exploitation
- CISA KEV
- edge devices
- management plane
- command injection
- path traversal
- Mirai
- botnet
Why this matters
- CISA says all three issues are actively exploited and set a 2026-06-26 remediation due date for covered federal agencies.
- NVD scores each CVE as CVSS v3.1 10.0, with network attack vector, low complexity, no privileges, no user interaction, changed scope, and high confidentiality / integrity / availability impact.
- The affected product set spans common UniFi control-plane devices: UDM, UDM-Pro, UDM-SE, UDM-Pro-Max, EFG, UDW, UDR, UDR7, Express 7, UNVR variants, ENVR variants, UCG variants, UniFi OS Server, UNAS variants, Cloud Keys, and related appliances.
- PwnDefend reported Defused honeypot observations of CVE-2026-34910 exploitation and framed the activity as botnet building; treat exposed UniFi OS hosts as possible command-execution compromises, not only as devices needing firmware updates.
Operational characteristics
- CVE-2026-34908: improper access control that can allow a network-accessible malicious actor to make unauthorized system changes.
- CVE-2026-34909: path traversal that can allow network-accessible file access on the underlying system and may be chained toward account access.
- CVE-2026-34910: improper input validation leading to command injection.
- Public exploit context: PwnDefend described traversal/proxying into UniFi OS internal routes and a command-injection sink reached without normal authentication in observed traffic. Do not rely on login telemetry alone to rule out exploitation.
- Fixed versions called out by PwnDefend from Ubiquiti's bulletin:
- UCG-Industrial: 5.1.12 or later.
- UDM / UDM-Pro / UDM-SE / UDM-Pro-Max / EFG / UDW / UDR / UDR7 / Express 7 / UNVR / UNVR-Pro / UNVR-Instant / ENVR / UCG-Ultra / UCG-Max / UCG-Fiber: 5.1.12 or later.
- UDR-5G / ENVR-Core / UCKP / UCK / UCK-Enterprise: 5.1.12 or later.
- UniFi OS Server: 5.0.8 or later.
- UNVR-G2 / UNVR-G2-Pro: 5.1.12 or later.
- UDM-Beast / UNAS-2 / UNAS-4 / UNAS-Pro / UNAS-Pro-4 / UNAS-Pro-8: 5.1.12 or later.
- Attribution: no named actor is established. Keep Mirai/botnet language tied to PwnDefend's honeypot reporting.
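Added example (not Ubiquiti's, CISA's or PwnDefend's code): a small Python audit that checks an inventory of UniFi OS hosts against the fixed versions listed above and ranks what to do first. The model names and fixed versions are the ones quoted on this page; the inventory records and the "exposed" flag are constructed samples.

```python
"""Check a UniFi OS inventory against the fixed versions quoted on this page.

Added example (not Ubiquiti's, CISA's or PwnDefend's code). Inventory records
are constructed samples; fixed versions are the ones listed above.
"""
from typing import Optional

# Minimum fixed UniFi OS version per product, as quoted on this page.
FIXED_VERSIONS = {
    **{m: "5.1.12" for m in (
        "UDM", "UDM-Pro", "UDM-SE", "UDM-Pro-Max", "EFG", "UDW", "UDR", "UDR7",
        "Express 7", "UNVR", "UNVR-Pro", "UNVR-Instant", "ENVR", "UCG-Ultra",
        "UCG-Max", "UCG-Fiber", "UCG-Industrial", "UDR-5G", "ENVR-Core", "UCKP",
        "UCK", "UCK-Enterprise", "UNVR-G2", "UNVR-G2-Pro", "UDM-Beast", "UNAS-2",
        "UNAS-4", "UNAS-Pro", "UNAS-Pro-4", "UNAS-Pro-8",
    )},
    "UniFi OS Server": "5.0.8",
}

# Constructed inventory: name, model, running UniFi OS version, and whether the
# management interface is reachable from an untrusted network.
SAMPLE_INVENTORY = [
    {"name": "gw-branch-1", "model": "UDM-Pro", "version": "5.1.9", "exposed": True},
    {"name": "nvr-hq", "model": "UNVR", "version": "5.1.12", "exposed": False},
    {"name": "uos-server-lab", "model": "UniFi OS Server", "version": "5.0.8", "exposed": True},
    {"name": "ck-old", "model": "UCK", "version": "4.3.6", "exposed": False},
    {"name": "unknown-box", "model": "MODEL-NOT-IN-BULLETIN", "version": "5.1.10", "exposed": False},
]

PRIORITY_RANK = {"critical": 0, "high": 1, "medium": 2, "review": 3}


def parse_version(v: str) -> tuple:
    """'5.1.12' -> (5, 1, 12). Compare numerically: as strings, '5.1.9' > '5.1.12'."""
    return tuple(int(p) for p in v.strip().split("."))


def needs_upgrade(model: str, version: str) -> Optional[bool]:
    """True if below the fixed version, False if at/above it, None if the model is not listed."""
    fixed = FIXED_VERSIONS.get(model)
    if fixed is None:
        return None
    return parse_version(version) < parse_version(fixed)


def audit(inventory) -> list:
    """Return (name, priority, action) findings, most urgent first.

    Hosts that are patched and not exposed produce no finding.
    """
    findings = []
    for dev in inventory:
        vulnerable = needs_upgrade(dev["model"], dev["version"])
        if vulnerable is None:
            findings.append((dev["name"], "review", "model not in bulletin list; confirm version manually"))
        elif vulnerable and dev["exposed"]:
            findings.append((dev["name"], "critical", "cut untrusted reachability, upgrade, treat as possible compromise"))
        elif vulnerable:
            findings.append((dev["name"], "high", "upgrade to %s or later" % FIXED_VERSIONS[dev["model"]]))
        elif dev["exposed"]:
            findings.append((dev["name"], "medium", "patched but management plane exposed; restrict access"))
    return sorted(findings, key=lambda f: PRIORITY_RANK[f[1]])


if __name__ == "__main__":
    for name, priority, action in audit(SAMPLE_INVENTORY):
        print(f"{priority:8} {name:15} {action}")
```

Two details matter in practice: versions are compared as integer tuples rather than strings (otherwise "5.1.9" sorts above "5.1.12" and an unpatched host looks fixed), and a model that is not in the bulletin list comes back as "review" instead of silently passing, so an incomplete mapping cannot hide a device.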
Defender heuristics
- Inventory every UniFi OS console, gateway, NVR, storage appliance, Cloud Key, and UniFi OS Server instance; prioritize any interface reachable from the internet, guest networks, contractor networks, or untrusted management VLANs.
- Upgrade affected devices to the relevant fixed UniFi OS version or later. If an appliance cannot be upgraded immediately, remove untrusted network reachability before normal cleanup work.
- Review reverse-proxy, firewall, and controller exposure rules for UniFi OS management routes. Management-plane access should require trusted network placement and strong administrative authentication, not only obscurity or portal login.
- Hunt around the exposure window for:
- unexpected UniFi OS configuration changes, added users, API tokens, SSH keys, backup/export jobs, or changed remote-access settings;
- unusual requests containing encoded traversal markers, proxy route abuse, or package/update parameters in web access logs where available;
- shell-spawn, downloader, BusyBox, wget, curl, tftp, or architecture-specific binary execution on UniFi OS hosts;
- new outbound connections from appliances to unfamiliar VPS, botnet, or scanner infrastructure;
- changes to NVR/storage appliance file trees that could indicate file-read or staging activity.
- Treat a successful CVE-2026-34910 hit as root-level command execution until proven otherwise: preserve logs, capture volatile process/network state if possible, rotate appliance and upstream credentials, and rebuild from trusted firmware when confidence is low.
- After patching, enforce management VLAN ACLs and alert on any future internet exposure of UniFi OS administrative ports.
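Added example (not from the page, Ubiquiti or PwnDefend) for the "encoded traversal markers" hunt above: a Python pass over web access logs that decodes request targets, flags literal ".." path segments, double-encoding, and shell metacharacters inside parameter values. The log lines are constructed in combined-log style and the request paths are placeholders, not real UniFi OS routes; adapt the regex to whatever log format the appliance or reverse proxy actually emits.

```python
"""Hunt web access logs for encoded traversal markers and shell metacharacters.

Added example, not from the page, Ubiquiti or PwnDefend. Log lines are
constructed; request paths are placeholders, not real UniFi OS routes.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Combined-log style: client, timestamp, "METHOD target PROTO", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Characters that have no business inside a parameter value on a management API:
# command separators, pipes, backticks, newline, and $( ... ) substitution.
SHELL_META = re.compile(r"[;|`\n]|\$\(")

# Constructed sample lines. The paths under /sample/ are placeholders.
SAMPLE_LOG = [
    '203.0.113.7 - - [09/Jun/2026:10:00:01 +0000] "GET /sample/route/..%2f..%2fetc%2fpasswd HTTP/1.1" 200 512',
    '203.0.113.7 - - [09/Jun/2026:10:00:02 +0000] "GET /sample/route/..%252f..%252fetc%252fpasswd HTTP/1.1" 200 512',
    '198.51.100.9 - - [09/Jun/2026:10:00:03 +0000] "POST /sample/update?package=foo%3Becho HTTP/1.1" 200 12',
    '192.0.2.5 - - [09/Jun/2026:10:00:04 +0000] "GET /sample/status?page=2 HTTP/1.1" 200 88',
]


def fully_decode(s: str, rounds: int = 3) -> str:
    """Undo up to `rounds` layers of percent-encoding so ..%252f is seen as ../."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def classify(target: str) -> list:
    """Return the reasons a request target looks suspicious (empty list = nothing flagged)."""
    reasons = []
    raw = urlsplit(target)
    path = fully_decode(raw.path)
    # A literal '..' segment after decoding, with either separator, is a traversal marker.
    if any(seg == ".." for seg in re.split(r"[/\\]", path)):
        reasons.append("traversal")
    # Check metacharacters inside parameter values only, so '&' separators do not fire.
    for _, value in parse_qsl(raw.query, keep_blank_values=True):
        if SHELL_META.search(fully_decode(value)):
            reasons.append("shell-metachar")
            break
    # Double-encoding is itself a signal: a second decode round still changes the string.
    if unquote(unquote(target)) != unquote(target):
        reasons.append("double-encoded")
    return reasons


def hunt(lines) -> list:
    """Return (client_ip, target, reasons) for every parseable line that classify() flags."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; count these separately in real use
        reasons = classify(m["target"])
        if reasons:
            hits.append((m["ip"], m["target"], reasons))
    return hits


if __name__ == "__main__":
    for ip, target, reasons in hunt(SAMPLE_LOG):
        print(f"{ip:14} {','.join(reasons):24} {target}")
```

Run it over the exported access log of the appliance or the reverse proxy in front of it. Status code is deliberately not used as a filter: a traversal or injection attempt that returned 200 is the interesting case, and one that returned 404 still tells you who was probing during the exposure window.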
Related pages
- JDY SOHO / IoT reconnaissance botnet
- AryStinger legacy-router recon proxy network
- Ivanti Sentry CVE-2026-10520 exploitation
Sources
- CISA KEV feed: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
- CISA KEV catalog page: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- Ubiquiti Security Advisory Bulletin 064-064: https://community.ui.com/releases/Security-Advisory-Bulletin-064-064/84811c09-4cf4-42ab-bd61-cc994445963b
- NVD CVE-2026-34908: https://nvd.nist.gov/vuln/detail/CVE-2026-34908
- NVD CVE-2026-34909: https://nvd.nist.gov/vuln/detail/CVE-2026-34909
- NVD CVE-2026-34910: https://nvd.nist.gov/vuln/detail/CVE-2026-34910
- PwnDefend honeypot writeup: https://www.pwndefend.com/2026/06/09/cve-2026-34910-exploitation-itw-building-a-botnet-mirai/