HomeIntelligenceBrief
VULNERABILITY BRIEF🔴 Critical Vulnerability

Ubiquiti Patches Three Critical UniFi OS Vulnerabilities Threatening Hundreds of Thousands of Network Devices

Ubiquiti released emergency patches for three maximum‑severity UniFi OS flaws that allow remote attackers to change configurations, read files, or execute commands without authentication. The vulnerabilities affect roughly 100 k Internet‑exposed devices, making rapid remediation essential for third‑party risk management.

LiveThreat™ Intelligence · 📅 May 22, 2026· 📰 bleepingcomputer.com
🔴
Severity
Critical
VU
Type
Vulnerability
🎯
Confidence
High
🏢
Affected
3 sector(s)
Actions
3 recommended
📰
Source
bleepingcomputer.com

Ubiquiti Patches Three Critical UniFi OS Vulnerabilities Affecting Hundreds of Thousands of Network Devices

What Happened – Ubiquiti released patches for three maximum‑severity flaws (CVE‑2026‑34908, CVE‑2026‑34909, CVE‑2026‑34910) in UniFi OS that could be exploited remotely without authentication. The bugs involve improper access control, path traversal, and command injection.

Why It Matters for TPRM

  • Unpatched UniFi OS devices expose third‑party data flows and network control to attackers.
  • The vulnerabilities affect an estimated 100 k Internet‑exposed endpoints, many in the United States.
  • Exploitation could lead to unauthorized configuration changes, data theft, or device takeover, impacting downstream vendors and customers.

Who Is Affected – Enterprises and service providers that rely on UniFi Consoles for networking, video surveillance (UniFi Protect), access control, VoIP (UniFi Talk), and IoT connectivity across sectors such as technology, retail, manufacturing, and government.

Recommended Actions

  • Verify that all UniFi OS devices are running the latest firmware released on May 22 2026.
  • Conduct an inventory of exposed UniFi endpoints and prioritize patching for Internet‑facing assets.
  • Review network segmentation and least‑privilege configurations to mitigate potential post‑exploitation impact.

Technical Notes

  • CVE‑2026‑34908: Improper Access Control → unauthorized system changes.
  • CVE‑2026‑34909: Path Traversal → file system read/write access.
  • CVE‑2026‑34910: Improper Input Validation → remote command injection.
  • Additional patches: CVE‑2026‑33000 (command injection) and CVE‑2026‑34911 (information disclosure).
  • No public evidence of active exploitation, but the flaws are low‑complexity and were reported via HackerOne.

Source: BleepingComputer

📰 Original Source
https://www.bleepingcomputer.com/news/security/ubiquiti-patches-three-max-severity-unifi-os-vulnerabilities/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Trust Operations

Misconfigurations are control gaps in disguise.

Verisq AI Trust Operations turns findings like this into mapped controls with continuous evidence, keeping your audit readiness current instead of point-in-time.

Map your controls with Verisq AI Trust Operations →