CISA Confirms Ubiquiti UniFi OS Flaws Now Exploited in Attacks

The U.S. Cybersecurity and Infrastructure Security Agency added four actively exploited vulnerabilities to its Known Exploited Vulnerabilities catalog on Monday, including three maximum-severity flaws in Ubiquiti UniFi OS that allow unauthenticated attackers to fully compromise network appliances.

Federal civilian agencies must patch by June 26, 2026—just three days from the announcement—under Binding Operational Directive 26-04. The compressed timeline reflects the severity of confirmed exploitation in the wild.

The Vulnerabilities Under Attack

All three Ubiquiti flaws carry CVSS scores of 10.0, the maximum severity rating:

CVE-2026-34908 bypasses access controls entirely, allowing unauthenticated attackers to modify system configurations, disable security features, and manipulate device behavior. This serves as the initial foothold in observed attack chains.

CVE-2026-34909 exploits a path traversal weakness to read sensitive files from the underlying operating system. Attackers use this to harvest credentials and configuration data that enable deeper compromise.

CVE-2026-34910 allows command injection through improper input validation. Once an attacker establishes a foothold, this flaw delivers arbitrary code execution with system-level privileges.

We covered the initial patch release last month when Ubiquiti disclosed these flaws in Security Advisory Bulletin 064. At that time, no active exploitation had been confirmed. That changed when CISA flagged real-world attacks this week.

Lantronix Flaw Also Added

CISA's update includes a fourth vulnerability affecting industrial device servers. CVE-2025-67038 is a critical command injection flaw in the Lantronix EDS5000 HTTP RPC module that grants attackers root-level access. Organizations running firmware version 2.1.0.0R3 should upgrade to 2.2.0.0R1 immediately.

The Lantronix devices often appear in industrial control environments, making them attractive targets for threat actors seeking persistent access to operational technology networks. This adds to the growing list of edge device vulnerabilities CISA has prioritized throughout 2026.

Attack Chain Capabilities

The three UniFi OS vulnerabilities chain together for complete device takeover. An attacker with network access can:

1. Exploit CVE-2026-34908 to bypass authentication and modify configurations
2. Use CVE-2026-34909 to extract credentials and sensitive system files
3. Leverage CVE-2026-34910 to execute arbitrary commands with root privileges

Compromised UniFi controllers become pivot points for lateral movement. The devices handle routing, firewall enforcement, and often terminate VPN connections—giving attackers visibility into network traffic and access to internal segments.

CISA noted that ransomware campaign involvement remains "unknown" for these flaws. However, network appliance compromises regularly serve as entry points for ransomware operators who purchase access from initial access brokers.

Who Needs to Act

The vulnerabilities affect UniFi OS across multiple product lines:

• UniFi Dream Machine, Dream Machine Pro, Dream Machine SE, Dream Machine Pro Max
• UniFi Cloud Gateway Ultra, Max, and Fiber variants
• UniFi Network Video Recorders (UNVR, UNVR-Pro, UNVR-Instant)
• UniFi Enterprise Firmware Gateway
• UCK, UCK-Enterprise, and UCKP controllers

Devices running UniFi OS 5.0.16 or earlier require updates. UDR-5G, ENVR-Core, UCK, and UCK-Enterprise users should update to version 5.0.17 or later. All other affected devices need version 5.0.8 at minimum.

Bishop Fox released a free detection script on GitHub to help organizations identify vulnerable devices in their environments. The script checks firmware versions and network exposure.

Why This Matters

The month-long gap between patch release and confirmed exploitation is shorter than average but follows a predictable pattern. Threat actors monitor security advisories, reverse-engineer patches, and develop exploits—sometimes within days. Organizations delaying updates provide attackers a window of opportunity.

Censys identified approximately 100,000 UniFi OS endpoints accessible from the internet at the time of initial disclosure. That exposure makes these devices particularly attractive targets. Unlike internal applications that require breaching perimeter defenses first, internet-facing network appliances offer direct access.

The three-day federal deadline signals CISA's assessment of active risk. While private sector organizations aren't bound by BOD 26-04, they face the same threat landscape. The message is clear: patch now or assume compromise.

Recommended Actions

Update all UniFi OS devices to the patched versions listed in Ubiquiti's Security Advisory Bulletin 064. Prioritize any devices with management interfaces exposed to the internet.

Run Bishop Fox's scanner to identify vulnerable systems in your environment. Check whether any UniFi management ports are reachable from outside your network—if so, implement firewall rules blocking external access while patches are applied.

Review device logs for indicators of compromise, including unexpected configuration changes, new administrative accounts, or unusual outbound connections. Understanding common breach indicators helps security teams spot compromise early.

For Lantronix EDS5000 deployments, upgrade to firmware 2.2.0.0R1 and verify that HTTP RPC interfaces aren't exposed to untrusted networks.