Key Takeaways
- Three critical Ubiquiti UniFi OS flaws (CVSS 10.0) are being actively exploited in attacks
- Federal agencies must patch within 3 days under BOD 26-04 directive
- Bishop Fox demonstrated the flaws can be chained for full remote code execution with elevated privileges
CISA added three maximum severity Ubiquiti UniFi OS vulnerabilities to its Known Exploited Vulnerabilities catalog on June 24, confirming attackers are already using them. Federal agencies have three days to patch. Everyone else should move faster.
The three flaws, all scoring CVSS 10.0, affect Ubiquiti's UniFi OS. Together they form a chain that gives attackers full remote code execution with elevated privileges on vulnerable devices. No authentication required.
What are the three Ubiquiti UniFi vulnerabilities?
CVE-2026-34908 is an access control bypass. An unauthenticated attacker can make unauthorized changes to a UniFi OS system, potentially compromising it entirely.
CVE-2026-34909 is a directory traversal flaw. Attackers can access sensitive files on the underlying operating system, including configuration files and credentials. That opens the door to account takeover.
CVE-2026-34910 is an input validation failure that enables command injection. An attacker can execute arbitrary OS commands, leading to remote code execution and complete system takeover.
Ubiquiti released patches for all three in May, warning they could be exploited remotely without authentication. Researchers at Bishop Fox later chained them together, proving full system compromise was possible. Bishop Fox published a free detection script on GitHub to help defenders find vulnerable instances.
Why UniFi devices make attractive targets
Ubiquiti's UniFi line is everywhere. Enterprise networks, SMBs, home offices, ISPs. The company has shipped more than 85 million devices globally. UniFi controllers often manage dozens or hundreds of access points, switches, and cameras from a single interface.
Compromise one UniFi controller and you own the network. Access control bypass on a platform that manages your entire infrastructure is about as bad as it gets.
The vulnerabilities require no credentials to exploit. That means any UniFi controller exposed to the internet is a target. Shodan scans typically show thousands of these devices directly reachable.
A fourth flaw affects Lantronix servers
CISA's update also flagged CVE-2025-67038, a critical root-level command injection in Lantronix EDS5000 serial-to-ethernet servers running firmware 2.1.0.0R3. The flaw exists in the HTTP RPC module. When the server logs a failed authentication attempt, it concatenates the supplied username directly into a shell command without sanitization. Classic command injection.
Lantronix has released firmware version 2.2.0.0R1 to fix the issue.
What CISA isn't saying
The agency confirmed active exploitation but shared no details about the attacks. Who's doing it, what sectors are targeted, what the attackers want. The "use in ransomware campaigns" flag is set to "Unknown" for all four CVEs.
That ambiguity doesn't reduce urgency. When CISA adds something to the KEV catalog, it means they have evidence of real-world exploitation. The catalog isn't a warning about theoretical risk. It's confirmation that attacks are happening now.
How to respond
If you run UniFi OS devices, update immediately. Ubiquiti's patches have been available since May. Check whether your controllers are exposed to the internet. If they are, that's a configuration problem you should fix regardless of this specific vulnerability.
Bishop Fox's detection script can identify vulnerable instances in your environment. Run it.
For Lantronix EDS5000 users, upgrade to firmware 2.2.0.0R1. These serial-to-ethernet converters often connect legacy industrial equipment to modern networks. A root-level compromise there can give attackers access to systems that were never designed with internet-era security in mind.
Logicity's Take
The two-month gap between Ubiquiti's May patches and CISA's June exploitation warning is the story. Attackers reverse-engineered the patches, built exploits, and started hitting unpatched systems. This is the standard playbook now. If you treat security updates as optional, you're volunteering as a target. The three-day federal deadline exists because the government learned this lesson the hard way.
Frequently Asked Questions
What is the CISA Known Exploited Vulnerabilities catalog?
It's a list of vulnerabilities that CISA has confirmed are being actively exploited in real attacks. Federal agencies are legally required to patch KEV entries within specified timeframes under Binding Operational Directives.
Are home users affected by the Ubiquiti vulnerabilities?
Yes, if you run UniFi OS devices and haven't updated since May. The flaws require no authentication to exploit. If your controller is accessible from the internet, you're at risk.
What is the CVSS score of these Ubiquiti vulnerabilities?
All three scored CVSS 10.0, the maximum severity rating. This indicates critical flaws that are easy to exploit and lead to complete system compromise.
Is this being used in ransomware attacks?
CISA hasn't confirmed either way. The "use in ransomware campaigns" flag is set to "Unknown" for all four vulnerabilities in this advisory.
Where can I find Bishop Fox's detection script?
Bishop Fox published the script on GitHub. Search for Bishop Fox's official repository for UniFi vulnerability detection tools.
Need Help Implementing This?
Logicity Labs helps organizations audit their network infrastructure for vulnerable devices and implement patch management processes. Contact us for a security assessment.
Source: BleepingComputer
Manaal Khan
Tech & Innovation Writer
Produced with AI assistance and reviewed by the Logicity editorial team. Learn more in our Editorial Policy.
