Ubiquiti has patched three critical vulnerabilities (CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910, all CVSS 10.0) in UniFi OS that allow unauthenticated remote attackers to make unauthorized system changes, perform path traversal, and execute command injection attacks. These low-complexity flaws affect internet-exposed UniFi OS endpoints and can be exploited without user interaction. While the article confirms patches are available, specific affected and fixed version numbers are not provided in the source material.
Vulnerability Management Ubiquiti patches three critical vulnerabilities in UniFi OS May 22, 2026 Share By SC Staff Ubiquiti has released security updates to address three maximum severity vulnerabilities in UniFi OS that could be exploited by remote attackers without privileges. UniFi OS is a unified operating system that powers UniFi Consoles and helps manage IT infrastructure, including networking, security, and other services, according to Bleeping Computer. The vulnerabilities, identified as CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910, allow for unauthorized system changes, path traversal for accessing underlying system files, and command injection attacks, respectively. A second critical command injection flaw (CVE-2026-33000) and a high-severity information disclosure (CVE-2026-34911) were also patched. These vulnerabilities can be exploited through low-complexity attacks and were reported via Ubiquiti's bug bounty program. Censys is tracking nearly 100,000 internet-exposed UniFi OS endpoints, with the majority in the United States. Ubiquiti products have previously been targeted by state-backed groups and cybercriminals, leading to their use in botnets for malicious activities. In February 2024, the FBI disrupted the Moobot botnet, which utilized compromised Ubiquiti routers. In April 2022, CISA added a critical command injection flaw in Ubiquiti AirOS to its catalog of actively exploited vulnerabilities. Source: Bleeping Computer SC Staff Related Vulnerability Management You can now nominate vulnerabilities for CISA’s KEV with this form Laura French May 22, 2026 CISA seeks to engage the wider community to more quickly identify active exploitation. Vulnerability Management CISA adds Trend Micro Apex One and Langflow flaws to exploited vulnerabilities catalog SC Staff May 22, 2026 The vulnerabilities added are CVE-2025-34291, an origin validation error in Langflow with a CVSS score of 9.4, and CVE-2026-34926, a directory traversal flaw in Trend Micro Apex One (on-premise) with a CVSS score of 6.7. Vulnerability Management Cisco patches critical 10.0 flaw in Secure Workload APIs Steve Zurier May 22, 2026 Cisco patches critical 10.0 API flaw in Secure Workload platform. Get daily email updates SC Media's daily must-read of the most current and pressing daily news Business Email By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy . Subscribe Related Terms Bug Buffer Overflow Disassembly You can skip this ad in 5 seconds