Ubiquiti published Security Bulletin 064 on 22 May 2026 disclosing five vulnerabilities in UniFi OS — the operating system running on Ubiquiti’s Dream Machine, Dream Router, and Cloud Gateway product lines, which serve as the management controller for UniFi Wi-Fi access points, switches, and other network infrastructure. Three of the five vulnerabilities score CVSS 10.0, the maximum possible severity, and are all exploitable without authentication from the network.
UniFi OS-based controllers are widely deployed in enterprise environments as the management backbone for Ubiquiti Wi-Fi infrastructure. A compromised UniFi OS controller gives an attacker administrative control over all connected access points, switches, and network policies — including the ability to reconfigure wireless networks, monitor traffic, create rogue SSIDs, and pivot to connected devices.
The Three CVSS 10.0 Vulnerabilities
CVE-2026-34908 — Improper Access Control (CVSS 10.0): An access control bypass in the UniFi OS web management interface allows an unauthenticated remote attacker to access administrative functionality without credentials. The specific code path permits direct API calls to administrative endpoints without a valid session token. An attacker with network access to the controller’s management port (default TCP 443) can exploit this to read and modify device configuration.
CVE-2026-34909 — Path Traversal (CVSS 10.0): A path traversal vulnerability in UniFi OS’s file serving component allows an unauthenticated attacker to read arbitrary files from the device filesystem and, in certain configurations, write files to arbitrary paths. Reading /etc/shadow provides hashed credentials; writing to specific paths enables persistent backdoor deployment.
CVE-2026-34910 — Command Injection (CVSS 10.0): An OS command injection vulnerability in a UniFi OS network diagnostic function allows an unauthenticated attacker to inject shell commands executed in the context of the root process. Successful exploitation provides a root shell on the device, the highest possible access level.
Additional Vulnerabilities in the Bulletin
CVE-2026-33000 (CVSS 9.1): An authentication bypass requiring high privileges — exploitable by an authenticated administrator-level attacker to escalate to system-level operations beyond normal administrative scope.
CVE-2026-34911 (CVSS 7.7): An information disclosure vulnerability requiring low-privilege access that exposes sensitive configuration data.
Attack Chain Possibility
The three CVSS 10.0 vulnerabilities in combination present a realistic attack chain: CVE-2026-34908 to gain initial unauthenticated administrative access, followed by CVE-2026-34909 to extract credentials or configuration data, followed by CVE-2026-34910 for persistent root-level access. Each vulnerability is independently exploitable without authentication; chained, they provide a complete, stealthy compromise of the network infrastructure controller.
Affected Products
Ubiquiti’s bulletin identifies all UniFi OS versions prior to the fix as affected. The patch is available via the UniFi OS update mechanism in the controller interface. Specific model lines affected include:
- UniFi Dream Machine (UDM)
- UniFi Dream Machine Pro (UDM Pro)
- UniFi Dream Machine Special Edition (UDM SE)
- UniFi Dream Router (UDR)
- UniFi Cloud Gateway Ultra (UCG Ultra)
- UniFi Cloud Gateway Max (UCG Max)
Access points and switches managed by UniFi OS controllers are not directly vulnerable but would be under attacker control if the controller is compromised.
Immediate Actions
Update UniFi OS immediately: Access the controller at unifi.ui.com or the local management IP, navigate to System → Updates, and apply the latest UniFi OS version. The update typically takes 3–5 minutes.
Restrict management access: The management interface (TCP 443) should not be accessible from untrusted networks. If remote management is required, restrict access via source IP allowlisting or place the management interface behind a VPN. Review cloud access settings in unifi.ui.com to ensure remote management is authenticated correctly.
Audit for compromise indicators: If the controller was accessible from untrusted networks while on a vulnerable version, review the UniFi OS logs (System → System Log) for unusual administrative API calls, configuration changes not initiated by known administrators, or new SSID or network policy additions. Check for any new SSH keys added to the controller.
Share this article