Ubiquiti Patches Three Critical UniFi OS Vulnerabilities Affecting Hundreds of Thousands of Network Devices
What Happened – Ubiquiti released patches for three maximum‑severity flaws (CVE‑2026‑34908, CVE‑2026‑34909, CVE‑2026‑34910) in UniFi OS that could be exploited remotely without authentication. The bugs involve improper access control, path traversal, and command injection.
Why It Matters for TPRM –
- Unpatched UniFi OS devices expose third‑party data flows and network control to attackers.
- The vulnerabilities affect an estimated 100 k Internet‑exposed endpoints, many in the United States.
- Exploitation could lead to unauthorized configuration changes, data theft, or device takeover, impacting downstream vendors and customers.
Who Is Affected – Enterprises and service providers that rely on UniFi Consoles for networking, video surveillance (UniFi Protect), access control, VoIP (UniFi Talk), and IoT connectivity across sectors such as technology, retail, manufacturing, and government.
Recommended Actions –
- Verify that all UniFi OS devices are running the latest firmware released on May 22 2026.
- Conduct an inventory of exposed UniFi endpoints and prioritize patching for Internet‑facing assets.
- Review network segmentation and least‑privilege configurations to mitigate potential post‑exploitation impact.
Technical Notes –
- CVE‑2026‑34908: Improper Access Control → unauthorized system changes.
- CVE‑2026‑34909: Path Traversal → file system read/write access.
- CVE‑2026‑34910: Improper Input Validation → remote command injection.
- Additional patches: CVE‑2026‑33000 (command injection) and CVE‑2026‑34911 (information disclosure).
- No public evidence of active exploitation, but the flaws are low‑complexity and were reported via HackerOne.
Source: BleepingComputer