Critical Security Advisory: Ubiquiti Releases Emergency Patches for High-Severity UniFi OS Vulnerabilities

Ubiquiti has issued an urgent security bulletin addressing five critical and high-severity vulnerabilities residing within the UniFi OS platform. These flaws represent a significant security risk, as they provide attack vectors for remote code execution (RCE), unauthorized privilege escalation, and sensitive data exposure across a vast ecosystem of networking hardware.

The vulnerabilities encompass several classes of software defects, including improper input validation, broken access control, and path traversal. The impact is widespread, affecting core enterprise and consumer-grade hardware such as Dream Machines, Network Video Recorders (UNVR), and Cloud Gateways. For administrators, this necessitates an immediate move from routine maintenance to emergency patching protocols.

Technical Breakdown of Identified CVEs

The following vulnerabilities have been assigned unique identifiers and vary in their exploitation requirements and impact levels:

CVE-2026-33000 (CVSS 9.1 – Critical): This flaw involves improper input validation within the UniFi OS Server (versions 5.0.6 and earlier). An attacker possessing high-level privileges can leverage this to perform command injection, effectively executing arbitrary OS-level commands. While researcher V3rlust noted that this requires existing elevated access, the ability to execute system-level commands makes it a potent tool for lateral movement.

CVE-2026-34908 (CVSS 10.0 – Critical): This is a maximum-severity improper access control vulnerability. Discovered by Duc Anh Nguyen, this flaw is particularly dangerous because it requires zero authentication. A network-adjacent attacker can bypass security controls to make unauthorized system changes across various product lines, including the UDM series and UCG-Industrial.

CVE-2026-34909 (CVSS 10.0 – Critical): Identified by Abdulaziz Almadhi of Catchify Security, this path traversal vulnerability allows unauthenticated attackers to traverse the file system. This allows for the reading and manipulation of sensitive files, which can lead to the compromise of underlying system accounts. This flaw specifically impacts the UniFi Express (versions 4.0.13 and earlier).

CVE-2026-34910 (CVSS 10.0 – Critical): Another catastrophic flaw, this unauthenticated command injection vulnerability was discovered by researcher John Carroll. Much like the access control issues, this allows a remote attacker to execute arbitrary code without needing any credentials or user interaction, posing a direct threat to the integrity of the entire UniFi OS environment.

CVE-2026-34911 (CVSS 7.7 – High): Reported by Hakai Security, this path traversal flaw requires only low-level privileges. While the CVSS score is lower than the others, it is highly effective for attackers who have already gained a foothold in a network, allowing them to pivot and extract confidential system data.

Affected Hardware and Required Patch Versions

To secure your environment, please refer to the official Ubiquiti Security Advisory and ensure your firmware meets or exceeds the following versions:

  • UCG-Industrial: Update to 5.1.12 or later
  • UDM, UDM-Pro, UDM-SE, UDM-Pro-Max, EFG, UDW, UDR, UDR7, Express 7, UNVR, UNVR-Pro, UNVR-Instant, ENVR, UCG-Ultra, UCG-Max, UCG-Fiber: Update to 5.1.12 or later
  • UDR-5G, ENVR-Core, UCKP, UCK, UCK-Enterprise: Update to 5.1.12 or later
  • UNVR-G2 and UNVR-G2-Pro: Update to 5.1.12 or later
  • UNAS series (UNAS-2, UNAS-4, UNAS-Pro, UNAS-Pro-4, UNAS-Pro-8): Update to 5.1.10 or later
  • UDM-Beast: Update to 5.1.11 or later
  • UniFi OS Server: Update to 5.0.8 or later
  • Express (Specific to CVE-2026-34909): Update to 4.0.14 or later

Immediate Mitigation Steps

Given that three of these vulnerabilities carry a maximum CVSS score of 10.0 and require no authentication, the risk of exploitation is extremely high. We recommend the following immediate actions:

  1. Prioritize Updates: Navigate to Settings → System → Check for Updates within the UniFi OS Web UI and apply all pending security patches immediately.
  2. Network Segmentation: Restrict access to your management interfaces. Ensure that administrative consoles are only accessible via trusted local networks or secured via a VPN.
  3. Audit Log Review: Conduct a thorough review of your system audit logs to check for any unauthorized configuration changes or anomalous login attempts that may indicate a prior compromise.

Related Articles

Back to top button