Ubiquiti Patches Three CVSS 10.0 UniFi OS Flaws — All Remotely Exploitable Without a Login

Ubiquiti has patched three maximum-severity flaws in UniFi OS — the operating system behind its gateways, Dream Machines, and network video recorders. All three are rated CVSS 10.0, and all three are remotely exploitable by an attacker with no privileges.

Share
Line-art row of three network devices — a gateway, a router and a video recorder — each cracked, with broadcast arcs above; one crack holds a red dot.

Key Takeaways

  • Ubiquiti disclosed three separate CVSS 10.0 vulnerabilities in UniFi OS on May 22, 2026 — CVE-2026-34908 (improper access control), CVE-2026-34909 (path traversal), and CVE-2026-34910 (command injection via improper input validation).
  • All three flaws are remotely exploitable by an unauthenticated attacker with no login, and they affect the full UniFi OS product family: UCG-series gateways, UDM appliances, UNVR recorders, and standalone UniFi OS Server software.
  • Defenders should upgrade appliance firmware to Version 5.1.12 or later and UniFi OS Server software to Version 5.0.8 or later immediately, and take UniFi management interfaces off the public internet.

Three maximum-severity flaws in the same operating system, disclosed in the same advisory, each independently rated the highest score the CVSS scale allows — this is not a single patch-Tuesday item but a product-quality signal worth weighing in any vendor-risk review.

NEW YORK, NY — On May 22, 2026, Ubiquiti released security updates for three maximum-severity vulnerabilities in UniFi OS, the operating system behind its widely deployed networking and security appliances. All three carry a CVSS score of 10.0, the highest the scale allows, and all three are remotely exploitable by an attacker with no privileges. CVE-2026-34908 is an improper-access-control flaw that lets an attacker make unauthorized changes to affected systems; CVE-2026-34909 is a path-traversal flaw that lets an attacker access files on the underlying system; and CVE-2026-34910 is an improper-input-validation flaw that enables a command-injection attack once the attacker has network access.

The flaws affect a broad swath of Ubiquiti's product line, and the vendor's fix requires upgrading appliance firmware to Version 5.1.12 or later and the standalone UniFi OS Server software to Version 5.0.8 or later. The disclosure was anchored by Ubiquiti's own security advisory and reported by BleepingComputer, Cybersecurity News, Cybernews, and The Hacker Wire.

Disclosure Overview
FieldDetails
Vendor and ProductUbiquiti — UniFi OS, the operating system behind its networking and security appliances
Disclosure DateMay 22, 2026 — Ubiquiti published a security advisory and released updates
VulnerabilitiesCVE-2026-34908 (improper access control), CVE-2026-34909 (path traversal), CVE-2026-34910 (improper input validation enabling command injection)
SeverityAll three rated CVSS 10.0 — maximum severity
ExploitabilityAll three remotely exploitable by an attacker with no privileges and no authentication
Affected ProductsUniFi Cloud Gateway (UCG) series, UniFi Dream Machine (UDM) appliances, UniFi Network Video Recorders (UNVR), and standalone UniFi OS Server software — including the UDR-5G, ENVR-Core, and UCK enterprise models
RemediationUpgrade appliance firmware to Version 5.1.12 or later; upgrade standalone UniFi OS Server software to Version 5.0.8 or later
In-the-Wild ExploitationNone reported at disclosure — no confirmed exploitation, no public proof-of-concept

What Happened

Ubiquiti's May 22, 2026 security advisory disclosed three distinct vulnerabilities in UniFi OS, the shared operating system layer running across its entire networking-appliance product line. Each vulnerability carries an independent CVSS score of 10.0 — the maximum the scale permits, reserved for flaws that are remotely reachable, require no privileges or authentication, are simple to exploit, and fully compromise confidentiality, integrity, and availability. All three meet that bar simultaneously.

The three CVEs address separate attack surfaces. CVE-2026-34908 is an improper-access-control flaw that lets an attacker make unauthorized changes to affected systems, bypassing the controls governing who can alter a device's state. CVE-2026-34909 is a path-traversal flaw enabling an attacker to reach and read files on the underlying system that should be out of bounds. CVE-2026-34910 is an improper-input-validation flaw that enables command injection: malformed input the system fails to validate can be turned into commands the device executes. Of the three, the command-injection flaw in CVE-2026-34910 carries the most direct path to a full foothold, because executing commands on a network-edge gateway means executing commands on the device that fronts the entire network behind it.

The affected product families are the UniFi Cloud Gateway (UCG) series, UniFi Dream Machine (UDM) appliances, UniFi Network Video Recorders (UNVR), and the standalone UniFi OS Server software, along with specific named models including the UDR-5G, ENVR-Core, and UCK enterprise units. The remediation path differs by form factor: appliance firmware must be upgraded to Version 5.1.12 or later, while the standalone UniFi OS Server software must be upgraded to Version 5.0.8 or later. At the time of disclosure, no in-the-wild exploitation had been reported and no public proof-of-concept code was known.

Three Separate Maximum-Severity Flaws in One Operating System

What sets this disclosure apart is not a single dramatic bug but the combination: three separate vulnerabilities, each independently rated CVSS 10.0, all landing in the same advisory for the same operating system. A CVSS score of 10.0 is not a rounding-up convention — it is a strict threshold reserved for vulnerabilities that are network-accessible, require no user interaction or prior authentication, are low in attack complexity, and achieve full impact on all three of the CIA triad's pillars: confidentiality, integrity, and availability. Every one of these three flaws meets that definition on its own. Three at once, in a single operating system, is the kind of density that belongs in a vendor-risk review rather than in a routine patch log. Even well-run security programs disclose critical vulnerabilities; three simultaneous CVSS 10.0 findings in the same OS layer is a data point about the security maturity of the product itself.

What Each Flaw Does — And Why the Command Injection Is the Sharpest Edge

The three CVEs are mechanically distinct. CVE-2026-34908's improper-access-control weakness means the system fails to enforce the boundaries between what an unauthenticated attacker is and is not allowed to change — so a remote request with no credentials can modify device state it should never reach. CVE-2026-34909's path-traversal weakness means the system fails to constrain file-system access, so a crafted request can read files anywhere on the underlying OS that the application process has access to — configuration files, credentials, logs. CVE-2026-34910's improper-input-validation weakness is the most operationally severe of the three: the system does not sanitize input before passing it to an execution context, which means an attacker who can reach the device over the network can inject arbitrary commands. A command-injection entry point on a gateway device is an entry point into the network the gateway protects — not just the device itself. It is not confirmed whether the three flaws can be chained into a single end-to-end exploit; each is independently rated CVSS 10.0 and chaining is plausible, but it has not been demonstrated in published research.

A Broad Product Line Sitting at the Network Edge

The affected footprint is wide, and its location matters. UniFi devices are network-edge appliances — gateways, routers, and recorders that face the internet and govern access to everything behind them. The named product families (UCG, UDM, UNVR) and models (UDR-5G, ENVR-Core, UCK) represent the default networking stack for a large population of homes, small businesses, and enterprises, a significant share of which are managed by MSPs. That turns a per-device patching obligation into a fleet-wide one: an MSP managing dozens or hundreds of client gateways must now treat each as an internet-facing CVSS 10.0 candidate until firmware is updated. The same network-edge dynamic that made the NGINX Rift remote-code-execution flaw and the Huawei zero-day behind Luxembourg's nationwide telecom outage consequential applies here: the device at the perimeter is the device that controls the inside. The full enumerated list of affected model numbers and their per-model fixed firmware versions has not been published in the reporting reviewed for this account; a direct check against Ubiquiti's own advisory is essential for any organization inventorying exposure.

The Three CVSS 10.0 UniFi OS Vulnerabilities
FieldDetails
CVE-2026-34908Improper access control — lets an attacker make unauthorized changes to affected systems
CVE-2026-34909Path traversal — lets an attacker access files on the underlying system
CVE-2026-34910Improper input validation — enables a command-injection attack once the attacker has network access
Shared PropertiesAll three rated CVSS 10.0; all three remotely exploitable; all three require no privileges and no authentication
Affected SoftwareUniFi OS — running on UCG-series gateways, UDM appliances, UNVR recorders, and as standalone UniFi OS Server software
Named ModelsIncludes UDR-5G, ENVR-Core, and UCK enterprise units, in addition to the UCG, UDM, and UNVR families
Fixed VersionsAppliance firmware: Version 5.1.12 or later. Standalone UniFi OS Server software: Version 5.0.8 or later
ChainabilityNot confirmed — each flaw is independently CVSS 10.0; whether the three can be chained into one end-to-end exploit is plausible but unverified

Scope and Impact

The stakes of this disclosure come from where UniFi gear sits. These are network-edge devices — the gateway, router, or recorder that fronts the network and faces the internet. A vulnerability that is unauthenticated, remote, and lands on an edge device is not a vulnerability in one box; it is a vulnerability in everything behind that box. A command-injection foothold on a UniFi gateway, by way of CVE-2026-34910, is a foothold on the entire internal network the gateway protects. That places this advisory squarely in the heavy 2026 run of critical network-edge-device disclosures The CyberSignal has tracked, alongside the Cisco Catalyst SD-WAN authentication-bypass flaw attributed to UAT-8616, the CVSS 10.0 Cisco Secure Workload site-admin flaw, and the actively exploited Palo Alto PAN-OS zero-day CVE-2026-0300. The 2026 Verizon DBIR finding that vulnerability exploitation has overtaken credential theft as the top initial-access vector frames why unauthenticated, remote, maximum-severity edge-device flaws demand priority treatment.

The exposure is amplified by who runs UniFi. The product line is the default networking stack for a huge population of small businesses, and a large share of those environments are managed by MSPs. That turns a per-device patching task into a fleet-wide obligation: an MSP managing dozens or hundreds of client gateways now has dozens or hundreds of internet-facing CVSS 10.0 candidates, and a compromised client gateway is a foothold into that client's full network. The same network-edge logic that made the NGINX Rift remote-code-execution flaw and the Huawei zero-day behind Luxembourg's nationwide telecom outage consequential applies here — the device at the edge is the device that controls everything inside it.

Several things about this disclosure are not confirmed, and this account should not imply otherwise. No in-the-wild exploitation had been reported at the time of disclosure, and no public proof-of-concept code was known. It is not confirmed whether the three flaws can be chained into a single end-to-end exploit — each is independently rated CVSS 10.0, so chaining is plausible, but it has not been demonstrated. The researchers who discovered and reported the flaws have not been named publicly, the full enumerated list of affected model numbers and their per-model fixed versions has not been published in the reporting reviewed here, the number of internet-exposed UniFi devices is not known, and it is not yet clear whether CISA will add any of the three CVEs to its Known Exploited Vulnerabilities catalog. Absence of reported exploitation is not the same as safety; it is a snapshot at disclosure.

Response and Attribution

The operational response is inventory-driven and urgent. Organizations should enumerate every UniFi device they run — UCG-series gateways, UDM appliances, UNVR recorders, UCK units, the UDR-5G, the ENVR-Core, and any standalone UniFi OS Server installs — and upgrade appliance firmware to Version 5.1.12 or later and UniFi OS Server software to Version 5.0.8 or later immediately. Because all three flaws are unauthenticated and remotely exploitable, internet exposure is the dominant risk factor: UniFi management interfaces should not be reachable from the public internet, and where remote management is needed it should be firewalled to an administrative network or placed behind a VPN. This practice applies equally to the Ivanti EPMM zero-day CVE-2026-6973 CISA KEV class of mobile-device-management edge exposure and to the broader pattern of edge-device flaws earning KEV listings in 2026. Affected devices should be audited for unexpected configuration changes, unusual file access, and signs of unexpected processes; after patching, device credentials should be rotated and connected-network activity reviewed. SOC teams should hunt for anomalous outbound connections from UniFi appliances and treat gateways and NVRs as in-scope monitored assets rather than invisible infrastructure.

The MSP dimension deserves its own emphasis. UniFi is heavily used in MSP-managed small-business environments, which makes this a fleet-wide patching obligation across every client an MSP touches — a single missed client gateway is a single internet-facing CVSS 10.0 foothold into that client's network. For CISOs, the broader takeaway is strategic: network-edge devices remain a dominant 2026 attack surface, and three simultaneous CVSS 10.0 flaws in one product's operating system is a vendor-quality signal worth recording in vendor-risk reviews. Attribution here is limited by design — no threat actor is involved because no exploitation has been reported, and the researchers behind the discovery have not been publicly identified. The defensive posture should not wait on that picture filling in; with unauthenticated, remote flaws on edge devices, exposure is the variable defenders can control, and patching plus taking management interfaces off the internet is the entire job.


The CyberSignal Analysis

Signal 01 — The Edge Device Is the Network Foothold

Most coverage of this advisory will reduce to a single instruction: three max-severity UniFi flaws, patch now. The instruction is correct, but it understates the stakes. UniFi gear is not endpoint equipment that, if compromised, costs you one machine. It is edge equipment — the gateway, the router, the recorder that sits between the internet and everything an organization runs. A command-injection foothold on a UniFi gateway is not access to a device; it is access to the position from which the entire internal network can be observed and reached. That is why an unauthenticated, remote CVSS 10.0 flaw on this class of hardware is categorically different from the same score on an internal application. The flaw's severity and the device's network position compound each other, and the defender takeaway is to treat gateways and NVRs as crown-jewel assets, not as plumbing.

Signal 02 — The MSP Multiplier Turns One Patch Into Thousands

The detail that most coverage will miss is who actually runs UniFi. It is the default networking stack for an enormous population of small businesses, and that population is disproportionately managed by MSPs. For a managed-service provider, this advisory is not a single patching task; it is the same task replicated across every client, and the failure mode is asymmetric — patch ninety-nine client gateways and miss one, and that one is an internet-facing CVSS 10.0 entry point into a client network. The MSP multiplier means the real-world exposed surface is far larger than a raw device count suggests, and it means remediation has to be driven centrally, from an MSP's own inventory, rather than left to individual small businesses that may not know they own a vulnerable gateway.

Signal 03 — Three CVSS 10.0 Flaws at Once Is a Vendor Signal

Individually, a CVSS 10.0 vulnerability is a serious finding. Three of them, in one operating system, in one advisory, is something else — it is a data point about the security maturity of the product itself. It does not, on its own, condemn a vendor; even well-run security programs ship critical flaws, and disclosing three together with fixes is the responsible outcome. But it is the kind of signal that belongs in a vendor-risk review rather than being filed and forgotten. Network-edge devices have been a dominant attack surface across all of 2026, and the pattern of repeated maximum-severity flaws in edge hardware — across multiple vendors — should inform how organizations weigh the gear they place at the perimeter. The takeaway is not to abandon a vendor over one advisory; it is to track the trend line and let it shape procurement and segmentation decisions.


Sources

TypeSource
PrimaryUbiquiti — UniFi OS Security Advisory
ReportingBleepingComputer — Ubiquiti Patches Three Max-Severity UniFi OS Vulnerabilities
ReportingCybersecurity News — UniFi OS Vulnerabilities
ReportingCybernews — Ubiquiti UniFi Critical Vulnerability
ReportingThe Hacker Wire — UniFi OS Critical Command Injection CVE-2026-34910
RelatedThe CyberSignal — Cisco Secure Workload CVE-2026-20223 Site-Admin Flaw
RelatedThe CyberSignal — Cisco Catalyst SD-WAN CVE-2026-20182 Authentication Bypass
RelatedThe CyberSignal — Palo Alto PAN-OS CVE-2026-0300 Zero-Day Exploited
RelatedThe CyberSignal — NGINX Rift CVE-2026-42945 Rewrite-Module Remote Code Execution
RelatedThe CyberSignal — Luxembourg's Telecom Network Crash and the Huawei Zero-Day Behind It