Ubiquiti Patches Three CVSS 10.0 Flaws in UniFi OS

Ubiquiti has released security updates addressing five vulnerabilities in its UniFi Operating System, including three rated at the maximum CVSS score of 10.0. The flaws allow unauthenticated remote attackers to fully compromise affected devices through low-complexity attacks.

Censys reports approximately 100,000 UniFi OS endpoints are directly accessible from the internet, with roughly half located in the United States. Organizations running UniFi Cloud Gateways, Dream Machine appliances, Network Video Recorders, or UniFi OS Server software should apply patches immediately.

The Three Maximum-Severity Vulnerabilities

The critical trio enables a complete attack chain from initial access to persistent compromise:

CVE-2026-34908 is an improper access control weakness that allows attackers to make unauthorized modifications to targeted systems. The flaw bypasses authentication entirely, enabling configuration changes without credentials.

CVE-2026-34909 is a path traversal vulnerability that provides access to arbitrary files on the underlying system. Researchers note this can be chained to compromise system accounts, escalating from file read to full access.

CVE-2026-34910 stems from improper input validation and permits command injection attacks. Once an attacker gains network access, this flaw delivers arbitrary code execution with system privileges.

Ubiquiti classified all three as exploitable remotely, requiring no authentication and no user interaction. The attack complexity is rated low.

Additional Flaws Compound the Risk

Two more vulnerabilities were patched in the same bulletin. CVE-2026-33000, rated critical, is another command injection flaw. CVE-2026-34911 carries a high severity rating and enables information disclosure that could aid further exploitation.

The combination means attackers have multiple entry points. Even if one path is blocked, others remain viable until all patches are applied.

Why This Matters

UniFi equipment is deployed extensively in small-to-medium businesses, home offices, and enterprise branch locations. The devices often sit at network perimeters, handling routing, firewall duties, and VPN termination. A compromised UniFi appliance gives attackers a foothold inside the network with visibility into all traffic.

The 100,000 exposed endpoints represent a significant attack surface. This situation mirrors the ongoing targeting of edge devices we've documented extensively, including the recent Cisco Secure Workload vulnerability also carrying a CVSS 10.0 score. Network appliances have become a primary target for threat actors seeking persistent access.

Security researchers discovered these flaws through Ubiquiti's HackerOne bug bounty program. At the time of disclosure, no active exploitation had been confirmed. But public disclosure changes the calculus—proof-of-concept code typically follows within days for maximum-severity vulnerabilities. The 2026 Verizon DBIR highlighted that vulnerability exploitation has become the leading initial access vector, making rapid patching essential.

Affected Products and Patched Versions

The vulnerabilities impact UniFi OS across multiple hardware lines:

• UniFi Cloud Gateway devices
• UniFi Dream Machine and Dream Machine Pro
• UniFi Network Video Recorders
• UniFi OS Server software

Ubiquiti has released patched firmware for all affected products. UniFi OS Server users should update to version 5.0.8 or later. Hardware-specific firmware versions vary by product line—check the Ubiquiti security advisory for exact version numbers.

Recommended Mitigations

1. Apply firmware updates immediately on all UniFi OS devices, prioritizing internet-facing appliances
2. Audit network exposure by checking whether management interfaces are accessible from the internet
3. Restrict management access to internal networks or VPN-only connections
4. Review device logs for signs of unauthorized access attempts or configuration changes
5. Enable automatic updates where operationally feasible to reduce future patch delays

Organizations using UniFi Protect cameras should note that while the NVR component is affected, cameras themselves run separate firmware. Still, a compromised NVR could intercept or manipulate video feeds.

For those unable to patch immediately, network-level controls blocking external access to UniFi management ports provide interim protection. But this only buys time—the flaws remain exploitable from inside the network until patched. Organizations seeking deeper understanding of how breaches unfold should review our data breach fundamentals guide.