Ubiquiti has released urgent security patches for five critical and high-severity vulnerabilities across its UniFi OS platform, addressing flaws that could allow remote attackers to execute arbitrary commands and escalate privileges on a wide range of UniFi devices.
The flaws also span improper access control and path traversal, affecting a broad range of UniFi OS devices, including Dream Machines, Network Video Recorders, and Cloud Gateways, placing countless enterprise and home network deployments at risk.
The vulnerabilities, tracked as CVE-2026-33000, CVE-2026-34908, CVE-2026-34909, CVE-2026-34910, and CVE-2026-34911, affect dozens of UniFi product lines from the UCG-Industrial gateway to UNAS network-attached storage appliances.
Critical UniFi Vulnerabilities patched
CVE-2026-33000 (CVSS 9.1 – Critical): A network-accessible attacker with high privileges can exploit an Improper Input Validation flaw in UniFi OS Server (version 5.0.6 and earlier) to perform Command Injection, potentially executing arbitrary OS-level commands.
Reported by researcher V3rlust, this flaw requires no user interaction but does demand existing elevated access. The fix requires updating UniFi OS Server to version 5.0.8 or later.
CVE-2026-34908 (CVSS 10.0 – Critical): Rated at the maximum possible CVSS score, this Improper Access Control vulnerability requires no authentication whatsoever.
A network-adjacent attacker can exploit it to make unauthorized changes to the system, affecting a wide range of products, including UDM, UDM-Pro, UDM-SE, UDM-Pro-Max, UCG-Industrial, EFG, UDW, UNVR series, UCG-Ultra, UCG-Max, and UCG-Fiber. Discovered by Duc Anh Nguyen (@heckintosh_), affected devices must be updated to version 5.1.12 or later.
CVE-2026-34909 (CVSS 10.0 – Critical): Another maximum-severity flaw, this Path Traversal vulnerability allows unauthenticated network attackers to access files on the underlying system and manipulate them to gain access to underlying accounts.
The vulnerability is the broadest in scope and also impacts UniFi Express (versions 4.0.13 and earlier), which requires a dedicated patch to version 4.0.14 or later. Credited to Abdulaziz Almadhi of Catchify Security, this flaw mirrors the attack pattern seen in earlier UniFi path traversal disclosures.
CVE-2026-34910 (CVSS 10.0 – Critical): A third maximum-severity issue, this Improper Input Validation vulnerability enables unauthenticated Command Injection across the same broad set of UniFi OS devices.
Discovered by researcher John Carroll, successful exploitation could allow an attacker to execute arbitrary commands remotely without any authentication or user interaction. Patches align with those for CVE-2026-34908 and require version 5.1.12 or later on most affected devices.
CVE-2026-34911 (CVSS 7.7 – High): Discovered by Hakai Security, this Path Traversal flaw requires only low privileges to exploit. An attacker with minimal network access can traverse directory boundaries to access sensitive files and obtain confidential information from the underlying system.
While rated lower than the other four, its low-privilege exploitation requirement makes it particularly dangerous during post-compromise lateral movement.
Affected Products & Patch Versions
The vulnerabilities span a large portion of Ubiquiti’s hardware ecosystem. The following patches are required immediately:
- UCG-Industrial → Update to 5.1.12 or later
- UDM, UDM-Pro, UDM-SE, UDM-Pro-Max, EFG, UDW, UDR, UDR7, Express 7, UNVR, UNVR-Pro, UNVR-Instant, ENVR, UCG-Ultra, UCG-Max, UCG-Fiber → Update to 5.1.12 or later
- UDR-5G, ENVR-Core, UCKP, UCK, UCK-Enterprise → Update to 5.1.12 or later
- UNVR-G2 and UNVR-G2-Pro → Update to 5.1.12 or later
- UNAS-2, UNAS-4, UNAS-Pro, UNAS-Pro-4, UNAS-Pro-8 → Update to 5.1.10 or later
- UDM-Beast → Update to 5.1.11 or later
- UniFi OS Server → Update to 5.0.8 or later
- Express (CVE-2026-34909 only) → Update to 4.0.14 or later
Mitigation
With three of five vulnerabilities rated at the maximum CVSS score of 10.0 and requiring zero authentication, according to Ubiquiti’s advisory, organizations running affected UniFi OS devices should treat these patches as emergency updates rather than routine maintenance.
Administrators should apply firmware updates immediately through the UniFi OS Web UI under Settings → System → Check for Updates, restrict management interface access to trusted networks or VPN-gated hosts, and review audit logs for any unauthorized configuration changes.
Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.
