CVE-2026-34909
Overview
This vulnerability is a Path Traversal flaw (CWE-22) in Ubiquiti UniFi OS Server and related firmware components. The root cause is insufficient validation of user-supplied file path inputs, allowing traversal sequences to access files outside the intended directory scope. The affected components include UniFi OS Server and various UniFi device firmware versions that handle file requests without proper sanitization.
Vulnerability Description
A malicious actor with access to the network could exploit a Path Traversal vulnerability found in UniFi OS devices to access files on the underlying system that could be manipulated to access an underlying account.
Impact
An attacker with network access can exploit this vulnerability without authentication to read sensitive files from the underlying operating system. This unauthorized file access may expose configuration files, credentials, or other sensitive data, potentially allowing further compromise of user accounts or system components. The breach of file system integrity can facilitate lateral movement within the network and escalate privileges, resulting in full system compromise or data exfiltration.
Solution
Ubiquiti released Security Advisory Bulletin 064 addressing this vulnerability. Users should update UniFi OS Server and all affected firmware, including UniFi Cloud Gateway Industrial, Dream Machine, Dream Machine Pro, and Dream Machine Special Edition, to the patched versions specified in the advisory. Detailed patch instructions and version information are available at https://community.ui.com/releases/Security-Advisory-Bulletin-064-064/84811c09-4cf4-42ab-bd61-cc994445963b. Applying these updates is the recommended remediation to eliminate the path traversal issue.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in question is a critical Path Traversal flaw affecting UniFi OS devices, which allows an attacker with network access to traverse the file system and access sensitive files. Path Traversal vulnerabilities occur when an application does not properly sanitize user input, allowing an attacker to manipulate file paths to access files and directories outside the intended scope. In this case, the flaw enables unauthorized access to the underlying operating system's file structure, potentially exposing sensitive configuration files, user credentials, or other critical data. This vulnerability is particularly severe due to its high CVSS score, indicating a significant risk to affected systems.
Exploitation of this vulnerability can occur through various attack vectors. An attacker could leverage a crafted HTTP request to manipulate the file path parameters, allowing them to navigate to restricted directories. For instance, by using sequences such as "../", an attacker could access files that should be protected from public access. Once the attacker gains access to sensitive files, they could extract information such as configuration settings or user credentials, which could then be used to escalate privileges or gain unauthorized access to the device or network. This exploitation could be executed remotely, making it particularly dangerous for organizations with exposed UniFi OS devices.
The real-world impact of this vulnerability is substantial, especially for businesses relying on UniFi OS for network management. Successful exploitation could lead to unauthorized access to critical systems, data breaches, and potential service disruptions. The compromised data could include sensitive customer information, internal communications, or proprietary business data, all of which could result in financial losses, reputational damage, and regulatory penalties. Moreover, the ability to manipulate underlying accounts could lead to further exploitation within the network, allowing attackers to pivot to other systems and escalate their attack. The consequences of such breaches can be devastating, affecting not only the immediate organization but also its customers and partners.
To detect and mitigate this vulnerability, organizations should implement a multi-layered security approach. Regularly updating and patching UniFi OS devices is essential to ensure that any known vulnerabilities are addressed promptly. Additionally, employing web application firewalls (WAFs) can help filter out malicious requests that attempt to exploit Path Traversal vulnerabilities. Organizations should also conduct regular security assessments and penetration testing to identify and remediate potential weaknesses in their systems. Implementing strict access controls and monitoring network traffic for unusual patterns can further enhance security, allowing organizations to detect and respond to potential exploitation attempts in real-time.
In conclusion, the Path Traversal vulnerability in UniFi OS devices poses a significant threat to organizations, with the potential for severe consequences if exploited. Understanding the technical details, attack vectors, and real-world impacts is crucial for cybersecurity professionals tasked with protecting their networks. By adopting proactive detection and mitigation strategies, organizations can reduce their risk and safeguard their critical assets against this and similar vulnerabilities.
Affected Products (32)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Ui | Unifi Os Server | All |
cpe:2.3:a:ui:unifi_os_server:*:*:*:*:*:*:*:*
|
|
|
Ui | Enterprise Fortress Gateway Firmware | All |
cpe:2.3:o:ui:enterprise_fortress_gateway_firmware:*:*:*:*:*:*:*:*
|
|
|
Ui | Enterprise Network Video Recorder Core Firmware | All |
cpe:2.3:o:ui:enterprise_network_video_recorder_core_firmware:*:*:*:*:*:*:*:*
|
|
|
Ui | Enterprise Network Video Recorder Firmware | All |
cpe:2.3:o:ui:enterprise_network_video_recorder_firmware:*:*:*:*:*:*:*:*
|
|
|
Ui | Unas 2 Firmware | All |
cpe:2.3:o:ui:unas_2_firmware:*:*:*:*:*:*:*:*
|
|
|
Ui | Unas 4 Firmware | All |
cpe:2.3:o:ui:unas_4_firmware:*:*:*:*:*:*:*:*
|
|
|
Ui | Unas Pro 4 Firmware | All |
cpe:2.3:o:ui:unas_pro_4_firmware:*:*:*:*:*:*:*:*
|
|
|
Ui | Unas Pro 8 Firmware | All |
cpe:2.3:o:ui:unas_pro_8_firmware:*:*:*:*:*:*:*:*
|
|
|
Ui | Unas Pro Firmware | All |
cpe:2.3:o:ui:unas_pro_firmware:*:*:*:*:*:*:*:*
|
|
|
Ui | Unifi Cloud Gateway Fiber Firmware | All |
cpe:2.3:o:ui:unifi_cloud_gateway_fiber_firmware:*:*:*:*:*:*:*:*
|
|
|
Ui | Unifi Cloud Gateway Industrial Firmware | All |
cpe:2.3:o:ui:unifi_cloud_gateway_industrial_firmware:*:*:*:*:*:*:*:*
|
|
|
Ui | Unifi Cloud Gateway Max Firmware | All |
cpe:2.3:o:ui:unifi_cloud_gateway_max_firmware:*:*:*:*:*:*:*:*
|
|
|
Ui | Unifi Cloud Gateway Ultra Firmware | All |
cpe:2.3:o:ui:unifi_cloud_gateway_ultra_firmware:*:*:*:*:*:*:*:*
|
|
|
Ui | Unifi Cloud Key Plus Firmware | All |
cpe:2.3:o:ui:unifi_cloud_key_plus_firmware:*:*:*:*:*:*:*:*
|
|
|
Ui | Unifi Cloudkey Enterprise Firmware | All |
cpe:2.3:o:ui:unifi_cloudkey_enterprise_firmware:*:*:*:*:*:*:*:*
|
|
|
Ui | Unifi Cloudkey Firmware | All |
cpe:2.3:o:ui:unifi_cloudkey_firmware:*:*:*:*:*:*:*:*
|
|
|
Ui | Unifi Dream Machine Beast Firmware | All |
cpe:2.3:o:ui:unifi_dream_machine_beast_firmware:*:*:*:*:*:*:*:*
|
|
|
Ui | Unifi Dream Machine Firmware | All |
cpe:2.3:o:ui:unifi_dream_machine_firmware:*:*:*:*:*:*:*:*
|
|
|
Ui | Unifi Dream Machine Pro Firmware | All |
cpe:2.3:o:ui:unifi_dream_machine_pro_firmware:*:*:*:*:*:*:*:*
|
|
|
Ui | Unifi Dream Machine Pro Max Firmware | All |
cpe:2.3:o:ui:unifi_dream_machine_pro_max_firmware:*:*:*:*:*:*:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
10 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Sighting activity recorded
Sighting activity recorded
Active exploitation confirmed — vendor: Ubiquiti, product: UniFi OS
Sighting activity recorded
Sighting activity recorded
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Highlighted stages are those attackers typically reach when exploiting this CVE. Heuristic based on CWE families — refined by ML classifier when available.
Attack Vectors ML
MITRE ATT&CK Techniques (0)
Techniques are derived from this CVE's kill chains once ML classification completes.
CAPEC Attack Patterns ML
Red Team Playbook
Executable commands will be auto-mapped to each ATT&CK technique of this CVE.
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (4)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2026-34909 |
| community.ui.com |
GitHub CVE
|
https://community.ui.com/releases/Security-Advisory-Bulletin-064-064/84811c09-4cf4-42ab-bd61-cc994445963b |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-34909 |
| pwndefend.com |
NVD API
Exploit
Third Party Advisory
|
https://www.pwndefend.com/2026/06/09/cve-2026-34910-exploitation-itw-building-a-botnet-mirai/ |