Ubiquiti UniFi OS devices targeted: CISA orders the patching of critical bugs

Having network access is all it takes for an attacker to access files, run arbitrary commands, and completely compromise a wide range of unpatched UniFi OS systems, including routers, firewalls, gateways, network video recorders, corporate software, and others. CISA warns that attackers are already exploiting critical bugs.
- Hackers are actively exploiting 3 critical UniFi vulnerabilities to build botnets.
- CISA mandates urgent patching for the flaws.
- New critical bugs continue to emerge.
Ubiquiti has disclosed and patched a series of critical vulnerabilities over the past month.
The US cyber watchdog, the Cybersecurity and Infrastructure Security Agency (CISA), warns that threat actors are actively exploiting three bugs with a maximum 10 out of 10 severity score that the vendor patched on May 21st, 2026. Since then, Ubiquiti has disclosed several more critical bugs.
CISA added 3 critical vulnerabilities to its Known Exploited Vulnerabilities Catalog, indicating that attackers have been observed exploiting them in the wild. CISA ordered federal agencies to plug the holes by June 26th, 2026.
Attackers are building a botnet of vulnerable UniFi devices. Probes are hitting honeypots, indicating that hackers are opportunistically seeking exposed devices. Researchers at PwnDefend caught live attacks within days of Ubiquiti publishing the critical security advisory.
In the observed exploitation campaign, attackers launched exploits from IP address 176.65.148.183, using a Mirai loader to install botnet malware on exposed UniFi routers. The bugs can also be exploited individually or chained together to achieve root/system-level access.
“There’s a lot of room for options,” the researchers noted in a report.
All 3 bugs are “as bad as it gets.”
The improper access control vulnerability, tracked as CVE-2026-34908, enables attackers with access to the network to make unauthorized changes to UniFi OS systems.
The second bug, a path traversal flaw tracked as CVE-2026-34909, can be exploited to bypass normal file access restrictions and manipulate files on the underlying system, potentially allowing hackers to gain system-level access.
An improper input validation vulnerability, tracked as CVE-2026-34910, enables attackers with network access to inject and execute commands.
Patches also addressed 2 additional, less severe bugs.
All 3 bugs impact UniFi OS systems, ranging from network appliances to identity management systems:
- UniFi OS Server version 5.0.6 and earlier.
- UniFi Cloud Gateways running UCG-Industrial version 5.0.13 and earlier.
- UniFi Dream Machines (routers, security gateways/firewalls, network controllers), Enterprise Fortress Gateways, Dream Walls, Dream Routers, UniFi Express 7, UniFi Network Video Recorders, cloud gateway devices, and other devices running software version 5.0.16 and earlier.
- UniFi Dream Router 5G devices, enterprise video recorders, and Cloud Key network controllers running software version 5.0.17 and earlier.
- UniFi Network Video Recorder second-generation devices (UNVR-G2 and UNVR-G2-Pro) running software version 5.1.11 and earlier.
- UniFi Dream Machine Beast routers and UniFi Network Attached Storage (NAS) devices running software version 5.1.8 and earlier.
- UniFi Express networking devices running software version 4.0.13 and earlier.
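The version ceilings above are per product family, and a common triage mistake is comparing firmware strings as text ("5.0.9" sorts after "5.0.16" lexicographically, so an affected device looks patched). The script below is an added example, not code from Ubiquiti, CISA or the researchers cited here: it parses a version string into integers and checks it against the "X and earlier" ceilings quoted in the article. The family labels and the sample inventory are this example's own shorthand and constructed data; how you collect each device's version string (UniFi console, API, SSH) is up to you.

```python
"""Triage UniFi OS firmware versions against the affected ranges in the advisory write-up."""
import re

# "Affected up to and including" versions per product family, as quoted in the
# article. The family keys are this example's own shorthand, not Ubiquiti SKUs;
# map your own inventory onto them.
AFFECTED_UP_TO = {
    "unifi-os-server": "5.0.6",
    "ucg-industrial": "5.0.13",
    "gateway-console-5.0": "5.0.16",   # UDM, EFG, Dream Wall, Dream Router, UX7, UNVR, ...
    "udr-5g-env-cloudkey": "5.0.17",
    "unvr-g2": "5.1.11",
    "udm-beast-unas": "5.1.8",
    "unifi-express": "4.0.13",
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple:
    """Extract major.minor.patch as an int tuple from '5.0.16', 'UniFi OS 5.0.16'
    or '5.0.16-build'. Int tuples compare numerically; raw strings do not
    ('5.0.9' > '5.0.16' as text, which would hide an affected device)."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(family: str, version: str) -> bool:
    """True if the version is at or below the family's affected ceiling."""
    ceiling = parse_version(AFFECTED_UP_TO[family])
    return parse_version(version) <= ceiling


def triage(inventory: list) -> dict:
    """Map device name -> affected flag for a list of {'name','family','version'}."""
    return {d["name"]: is_affected(d["family"], d["version"]) for d in inventory}


# Constructed sample inventory for demonstration; these are not real devices.
SAMPLE_INVENTORY = [
    {"name": "hq-udm-pro", "family": "gateway-console-5.0", "version": "UniFi OS 5.0.9"},
    {"name": "branch-ux7", "family": "gateway-console-5.0", "version": "5.0.17"},
    {"name": "dc-nas", "family": "udm-beast-unas", "version": "5.1.8"},
    {"name": "lab-express", "family": "unifi-express", "version": "4.0.13"},
]

if __name__ == "__main__":
    for name, affected in triage(SAMPLE_INVENTORY).items():
        print(f"{name}: {'AFFECTED, patch now' if affected else 'above affected range'}")
```

The check is only as good as the family mapping: a device on a release branch not listed here (for example a 5.1.x build of a family whose ceiling is quoted as 5.0.16) will fall outside the range and report as unaffected, so confirm the branch against the vendor bulletin rather than treating "above affected range" as proof of a fix.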
But there's more. Two weeks ago, Ubiquiti released another security bulletin fixing new critical bugs discovered after the prior advisory.
The most serious one is another improper input validation bug rated 9.9 out of 10, affecting many of the devices already mentioned. It allows threat actors with network access and low privileges to escalate privileges within UniFi OS devices or instances.
Another disclosed, less severe bug removes the need for low-privileged access. The latest vulnerabilities have not yet been added to CISA's Known Exploited Vulnerabilities Catalog, meaning CISA has not yet recorded evidence of in-the-wild exploitation, not that none has occurred.