CVE-2026-34909

CRITICAL CISA KEV TTE 18d Pub 22/05 Upd 24/06

Overview

This vulnerability is a Path Traversal flaw (CWE-22) in Ubiquiti UniFi OS Server and related firmware components. The root cause is insufficient validation of user-supplied file path inputs, allowing traversal sequences to access files outside the intended directory scope. The affected components include UniFi OS Server and various UniFi device firmware versions that handle file requests without proper sanitization.

Vulnerability Description

A malicious actor with access to the network could exploit a Path Traversal vulnerability found in UniFi OS devices to access files on the underlying system that could be manipulated to access an underlying account.

Impact

An attacker with network access can exploit this vulnerability without authentication to read sensitive files from the underlying operating system. This unauthorized file access may expose configuration files, credentials, or other sensitive data, potentially allowing further compromise of user accounts or system components. The breach of file system integrity can facilitate lateral movement within the network and escalate privileges, resulting in full system compromise or data exfiltration.

Solution

Ubiquiti released Security Advisory Bulletin 064 addressing this vulnerability. Users should update UniFi OS Server and all affected firmware, including UniFi Cloud Gateway Industrial, Dream Machine, Dream Machine Pro, and Dream Machine Special Edition, to the patched versions specified in the advisory. Detailed patch instructions and version information are available at https://community.ui.com/releases/Security-Advisory-Bulletin-064-064/84811c09-4cf4-42ab-bd61-cc994445963b. Applying these updates is the recommended remediation to eliminate the path traversal issue.

EPSS vs KEV Prediction — Evolution (30 days)

Full Analysis

The vulnerability in question is a critical Path Traversal flaw affecting UniFi OS devices, which allows an attacker with network access to traverse the file system and access sensitive files. Path Traversal vulnerabilities occur when an application does not properly sanitize user input, allowing an attacker to manipulate file paths to access files and directories outside the intended scope. In this case, the flaw enables unauthorized access to the underlying operating system's file structure, potentially exposing sensitive configuration files, user credentials, or other critical data. This vulnerability is particularly severe due to its high CVSS score, indicating a significant risk to affected systems.

Exploitation of this vulnerability can occur through various attack vectors. An attacker could leverage a crafted HTTP request to manipulate the file path parameters, allowing them to navigate to restricted directories. For instance, by using sequences such as "../", an attacker could access files that should be protected from public access. Once the attacker gains access to sensitive files, they could extract information such as configuration settings or user credentials, which could then be used to escalate privileges or gain unauthorized access to the device or network. This exploitation could be executed remotely, making it particularly dangerous for organizations with exposed UniFi OS devices.

The real-world impact of this vulnerability is substantial, especially for businesses relying on UniFi OS for network management. Successful exploitation could lead to unauthorized access to critical systems, data breaches, and potential service disruptions. The compromised data could include sensitive customer information, internal communications, or proprietary business data, all of which could result in financial losses, reputational damage, and regulatory penalties. Moreover, the ability to manipulate underlying accounts could lead to further exploitation within the network, allowing attackers to pivot to other systems and escalate their attack. The consequences of such breaches can be devastating, affecting not only the immediate organization but also its customers and partners.

To detect and mitigate this vulnerability, organizations should implement a multi-layered security approach. Regularly updating and patching UniFi OS devices is essential to ensure that any known vulnerabilities are addressed promptly. Additionally, employing web application firewalls (WAFs) can help filter out malicious requests that attempt to exploit Path Traversal vulnerabilities. Organizations should also conduct regular security assessments and penetration testing to identify and remediate potential weaknesses in their systems. Implementing strict access controls and monitoring network traffic for unusual patterns can further enhance security, allowing organizations to detect and respond to potential exploitation attempts in real-time.

In conclusion, the Path Traversal vulnerability in UniFi OS devices poses a significant threat to organizations, with the potential for severe consequences if exploited. Understanding the technical details, attack vectors, and real-world impacts is crucial for cybersecurity professionals tasked with protecting their networks. By adopting proactive detection and mitigation strategies, organizations can reduce their risk and safeguard their critical assets against this and similar vulnerabilities.

Affected Products (32)

Vendor Product Version CPE
ui Ui Unifi Os Server All cpe:2.3:a:ui:unifi_os_server:*:*:*:*:*:*:*:*
ui Ui Enterprise Fortress Gateway Firmware All cpe:2.3:o:ui:enterprise_fortress_gateway_firmware:*:*:*:*:*:*:*:*
ui Ui Enterprise Network Video Recorder Core Firmware All cpe:2.3:o:ui:enterprise_network_video_recorder_core_firmware:*:*:*:*:*:*:*:*
ui Ui Enterprise Network Video Recorder Firmware All cpe:2.3:o:ui:enterprise_network_video_recorder_firmware:*:*:*:*:*:*:*:*
ui Ui Unas 2 Firmware All cpe:2.3:o:ui:unas_2_firmware:*:*:*:*:*:*:*:*
ui Ui Unas 4 Firmware All cpe:2.3:o:ui:unas_4_firmware:*:*:*:*:*:*:*:*
ui Ui Unas Pro 4 Firmware All cpe:2.3:o:ui:unas_pro_4_firmware:*:*:*:*:*:*:*:*
ui Ui Unas Pro 8 Firmware All cpe:2.3:o:ui:unas_pro_8_firmware:*:*:*:*:*:*:*:*
ui Ui Unas Pro Firmware All cpe:2.3:o:ui:unas_pro_firmware:*:*:*:*:*:*:*:*
ui Ui Unifi Cloud Gateway Fiber Firmware All cpe:2.3:o:ui:unifi_cloud_gateway_fiber_firmware:*:*:*:*:*:*:*:*
ui Ui Unifi Cloud Gateway Industrial Firmware All cpe:2.3:o:ui:unifi_cloud_gateway_industrial_firmware:*:*:*:*:*:*:*:*
ui Ui Unifi Cloud Gateway Max Firmware All cpe:2.3:o:ui:unifi_cloud_gateway_max_firmware:*:*:*:*:*:*:*:*
ui Ui Unifi Cloud Gateway Ultra Firmware All cpe:2.3:o:ui:unifi_cloud_gateway_ultra_firmware:*:*:*:*:*:*:*:*
ui Ui Unifi Cloud Key Plus Firmware All cpe:2.3:o:ui:unifi_cloud_key_plus_firmware:*:*:*:*:*:*:*:*
ui Ui Unifi Cloudkey Enterprise Firmware All cpe:2.3:o:ui:unifi_cloudkey_enterprise_firmware:*:*:*:*:*:*:*:*
ui Ui Unifi Cloudkey Firmware All cpe:2.3:o:ui:unifi_cloudkey_firmware:*:*:*:*:*:*:*:*
ui Ui Unifi Dream Machine Beast Firmware All cpe:2.3:o:ui:unifi_dream_machine_beast_firmware:*:*:*:*:*:*:*:*
ui Ui Unifi Dream Machine Firmware All cpe:2.3:o:ui:unifi_dream_machine_firmware:*:*:*:*:*:*:*:*
ui Ui Unifi Dream Machine Pro Firmware All cpe:2.3:o:ui:unifi_dream_machine_pro_firmware:*:*:*:*:*:*:*:*
ui Ui Unifi Dream Machine Pro Max Firmware All cpe:2.3:o:ui:unifi_dream_machine_pro_max_firmware:*:*:*:*:*:*:*:*
+12 additional CPEs

Exploits

No exploits found for this CVE.

Exploited in Wild CONFIRMED
Ransomware NOT ASSOCIATED
Attacker Interest MEDIUM
Sightings Few sightings

Threat Feed

10 events
2026-07-06
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-07-04
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-07-01
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-23
Threat Sensor Sighting — Some sightings

Sighting activity recorded

2026-06-23
Added to CISA KEV Catalog

CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog

2026-06-19
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-09
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-09
Detected as Exploited in the Wild

Active exploitation confirmed — vendor: Ubiquiti, product: UniFi OS

2026-05-27
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-05-26
Threat Sensor Sighting — Few sightings

Sighting activity recorded

Likely Kill Chain

Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.

Applicable Out of scope
Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Priv. Escalation
TA0004
Defense Evasion
TA0005
Credential Access
TA0006
Lateral Movement
TA0008
Collection
TA0009
Impact
TA0040

Highlighted stages are those attackers typically reach when exploiting this CVE. Heuristic based on CWE families — refined by ML classifier when available.

Attack Vectors ML

Path Traversal
100% path_traversal

MITRE ATT&CK Techniques (0)

ATT&CK techniques pending

Techniques are derived from this CVE's kill chains once ML classification completes.

CAPEC Attack Patterns ML

ID Name ML Conf. Likelihood Severity Link
CAPEC-126 Path Traversal
43%
High Very High
CAPEC-79 Using Slashes in Alternate Encoding
40%
High High
CAPEC-78 Using Escaped Slashes in Alternate Encoding
35%
High High
CAPEC-64 Using Slashes and URL Encoding Combined to Bypass Validation Logic
34%
High High
CAPEC-76 Manipulating Web Input to File System Calls
32%
High Very High

Red Team Playbook

AtomicRedTeam integration in progress

Executable commands will be auto-mapped to each ATT&CK technique of this CVE.

Detection & Response Rules

No detection or response rules found for this CVE.

No news articles found for this CVE.

References (4)

Title Tags URL
nvd.nist.gov
NVD reference
https://nvd.nist.gov/vuln/detail/CVE-2026-34909
community.ui.com
GitHub CVE
https://community.ui.com/releases/Security-Advisory-Bulletin-064-064/84811c09-4cf4-42ab-bd61-cc994445963b
cisa.gov
NVD API US Government Resource
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-34909
pwndefend.com
NVD API Exploit Third Party Advisory
https://www.pwndefend.com/2026/06/09/cve-2026-34910-exploitation-itw-building-a-botnet-mirai/