Cybersecurity experts have flagged three critical vulnerabilities in Ubiquiti devices as being actively targeted by malicious actors. The United States Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning regarding these flaws, emphasizing their severity and the need for prompt remediation.
The vulnerabilities, identified as CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910, each carry a maximum CVSS score of 10 out of 10, underscoring the potential risk they pose. These security gaps were addressed with patches released by Ubiquiti last month, yet they remain a significant concern due to ongoing exploitation attempts.
Detailed Analysis of Ubiquiti Vulnerabilities
CVE-2026-34908 involves improper access control, allowing unauthorized modifications to UniFi OS devices. Meanwhile, CVE-2026-34909 enables attackers to perform path traversal attacks, granting them access to and control over critical files within the operating system. The final flaw, CVE-2026-34910, is characterized by inadequate input validation, facilitating command injection attacks over the network.
Ubiquiti has confirmed that UniFi OS Server version 5.0.8 has been released to address these vulnerabilities. Despite the absence of an official statement on the vulnerabilities’ active exploitation, user reports on forums and Reddit suggest that they have been used to create rogue administrator accounts, indicating possible zero-day exploitation.
Exploitation Techniques and Security Implications
A report from BishopFox details how CVE-2026-34908 and CVE-2026-34909 exploit flaws in NGINX’s request handling. By bypassing authentication gateways, these vulnerabilities allow unauthorized access to internal routes. The subsequent flaw, CVE-2026-34910, arises from a lack of validation in update package names, leading to command injection opportunities.
Security researchers have tested these exploits on a virtual machine running UniFi OS version 5.0.6, confirming the vulnerability in a controlled environment. This test involved using a benign request to verify the unauthenticated access path.
Recommendations and Broader Security Context
CISA has added these vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, emphasizing the urgency for federal agencies to apply patches swiftly. The directive aligns with BOD 26-04 requirements, mandating patch deployment within three days.
In addition to Ubiquiti’s vulnerabilities, CISA highlights other significant threats, including a critical OS command injection flaw in Lantronix EDS5000 devices and several other vulnerabilities collectively known as BRIDGE:BREAK. These issues underscore the broader cybersecurity challenges facing network infrastructure today.
The importance of securing UniFi OS devices is paramount, given their role in managing extensive network infrastructures. Effective mitigation of these vulnerabilities is crucial to prevent potential lateral movement by attackers within enterprise environments.
