CVE-2026-34910

CRITICAL CISA KEV TTE 18d Pub 22/05 Upd 24/06

Overview

This vulnerability is a command injection flaw resulting from improper input validation in UniFi OS Server and related UniFi firmware components. The root cause lies in the failure to sanitize user-supplied input before passing it to system-level command execution functions. Affected components include UniFi OS Server and multiple UniFi device firmware versions, where network-accessible interfaces process untrusted input without adequate validation.

Vulnerability Description

A malicious actor with access to the network could exploit an Improper Input Validation vulnerability found in UniFi OS devices to execute a Command Injection.

Impact

An unauthenticated attacker with network access can execute arbitrary system commands on affected UniFi devices, resulting in full system compromise. This enables unauthorized control over device operations, potential data exfiltration, lateral movement within the network, and disruption of network services. The attack requires no user interaction or valid credentials, making it highly exploitable in exposed network environments.

Solution

Ubiquiti has released Security Advisory Bulletin 064 addressing this issue for UniFi OS Server and related firmware. Administrators should apply the latest firmware updates as specified in the advisory available at https://community.ui.com/releases/Security-Advisory-Bulletin-064-064/84811c09-4cf4-42ab-bd61-cc994445963b. The advisory provides detailed patch versions and upgrade instructions for affected UniFi devices to mitigate this vulnerability.

EPSS vs KEV Prediction — Evolution (30 days)

Full Analysis

The vulnerability in question stems from improper input validation within UniFi OS devices, which can lead to command injection attacks. This type of vulnerability occurs when an application fails to adequately sanitize user input, allowing an attacker to execute arbitrary commands on the host operating system. In the case of UniFi OS, the flaw can be exploited by an attacker who has already gained access to the network, enabling them to manipulate system commands and potentially gain elevated privileges. The severity of this vulnerability is underscored by its perfect CVSS score, indicating a critical risk to the integrity and availability of affected systems.

Attack vectors for this vulnerability are particularly concerning due to the requirement for network access, which may not seem overly restrictive. However, once an attacker is on the network, they can leverage various methods to exploit the flaw. For instance, they could craft specially formatted requests that bypass input validation checks, allowing them to inject malicious commands. This could be executed through various interfaces exposed by the UniFi OS, such as web applications or APIs. The potential for exploitation is further exacerbated by the fact that many organizations may not have adequate segmentation or monitoring in place, allowing attackers to move laterally within the network undetected.

The real-world impact of such a vulnerability can be devastating for organizations relying on UniFi OS devices. Successful exploitation could lead to unauthorized access to sensitive data, disruption of services, or even complete takeover of the affected systems. The business risks associated with such incidents include financial losses, reputational damage, and potential legal ramifications stemming from data breaches. Moreover, the critical nature of the vulnerability means that it could be quickly exploited by threat actors, leading to widespread compromise before organizations have a chance to respond.

To effectively detect and mitigate this vulnerability, organizations should implement a multi-faceted approach. First, network segmentation is crucial to limit access to sensitive systems and reduce the attack surface. Employing intrusion detection systems (IDS) can help identify anomalous behavior indicative of exploitation attempts. Regularly updating and patching UniFi OS devices is essential to ensure that any known vulnerabilities are addressed promptly. Additionally, organizations should conduct regular security assessments and penetration testing to identify potential weaknesses in their configurations and defenses.

In conclusion, the improper input validation vulnerability in UniFi OS devices presents a significant threat to organizations that utilize these systems. The potential for command injection attacks poses a serious risk, particularly for those without robust security measures in place. By understanding the technical details, attack vectors, and real-world implications of this vulnerability, organizations can better prepare themselves to defend against potential exploitation. Implementing effective detection and mitigation strategies will be key in safeguarding against the risks associated with this critical flaw.




CSURFACE threat intelligence has detected a notable surge in exploitation attempts targeting the CVE-2026-34910 vulnerability in UniFi OS devices. This increase in activity, reflected by a marked rise in telemetry signals, indicates growing adversary interest and potential weaponization despite a slight decline in the EPSS score. The divergence between rising detection trends and a modestly decreasing EPSS suggests that while exploit attempts are becoming more frequent, the overall likelihood of widespread exploitation may be stabilizing or shifting in attacker tactics. For defenders, this heightened activity underscores the urgency of maintaining vigilant monitoring and reinforces the criticality of this vulnerability within operational environments. The evolving exploitation landscape, absent new proof-of-concept exploits but characterized by increased reconnaissance or attack attempts, elevates the threat level from a static critical risk to a more dynamic and active threat scenario.

Affected Products (31)

Vendor Product Version CPE
ui Ui Unifi Os Server All cpe:2.3:a:ui:unifi_os_server:*:*:*:*:*:*:*:*
ui Ui Enterprise Fortress Gateway Firmware All cpe:2.3:o:ui:enterprise_fortress_gateway_firmware:*:*:*:*:*:*:*:*
ui Ui Enterprise Network Video Recorder Core Firmware All cpe:2.3:o:ui:enterprise_network_video_recorder_core_firmware:*:*:*:*:*:*:*:*
ui Ui Enterprise Network Video Recorder Firmware All cpe:2.3:o:ui:enterprise_network_video_recorder_firmware:*:*:*:*:*:*:*:*
ui Ui Unas 2 Firmware All cpe:2.3:o:ui:unas_2_firmware:*:*:*:*:*:*:*:*
ui Ui Unas 4 Firmware All cpe:2.3:o:ui:unas_4_firmware:*:*:*:*:*:*:*:*
ui Ui Unas Pro 4 Firmware All cpe:2.3:o:ui:unas_pro_4_firmware:*:*:*:*:*:*:*:*
ui Ui Unas Pro 8 Firmware All cpe:2.3:o:ui:unas_pro_8_firmware:*:*:*:*:*:*:*:*
ui Ui Unas Pro Firmware All cpe:2.3:o:ui:unas_pro_firmware:*:*:*:*:*:*:*:*
ui Ui Unifi Cloud Gateway Fiber Firmware All cpe:2.3:o:ui:unifi_cloud_gateway_fiber_firmware:*:*:*:*:*:*:*:*
ui Ui Unifi Cloud Gateway Industrial Firmware All cpe:2.3:o:ui:unifi_cloud_gateway_industrial_firmware:*:*:*:*:*:*:*:*
ui Ui Unifi Cloud Gateway Max Firmware All cpe:2.3:o:ui:unifi_cloud_gateway_max_firmware:*:*:*:*:*:*:*:*
ui Ui Unifi Cloud Gateway Ultra Firmware All cpe:2.3:o:ui:unifi_cloud_gateway_ultra_firmware:*:*:*:*:*:*:*:*
ui Ui Unifi Cloud Key Plus Firmware All cpe:2.3:o:ui:unifi_cloud_key_plus_firmware:*:*:*:*:*:*:*:*
ui Ui Unifi Cloudkey Enterprise Firmware All cpe:2.3:o:ui:unifi_cloudkey_enterprise_firmware:*:*:*:*:*:*:*:*
ui Ui Unifi Cloudkey Firmware All cpe:2.3:o:ui:unifi_cloudkey_firmware:*:*:*:*:*:*:*:*
ui Ui Unifi Dream Machine Beast Firmware All cpe:2.3:o:ui:unifi_dream_machine_beast_firmware:*:*:*:*:*:*:*:*
ui Ui Unifi Dream Machine Firmware All cpe:2.3:o:ui:unifi_dream_machine_firmware:*:*:*:*:*:*:*:*
ui Ui Unifi Dream Machine Pro Firmware All cpe:2.3:o:ui:unifi_dream_machine_pro_firmware:*:*:*:*:*:*:*:*
ui Ui Unifi Dream Machine Pro Max Firmware All cpe:2.3:o:ui:unifi_dream_machine_pro_max_firmware:*:*:*:*:*:*:*:*
+11 additional CPEs

Exploits

No exploits found for this CVE.

Exploited in Wild CONFIRMED
Ransomware NOT ASSOCIATED
Attacker Interest MEDIUM
Sightings Some sightings

Threat Feed

12 events
2026-07-08
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-07-06
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-07-02
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-07-01
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-25
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-23
Threat Sensor Sighting — Some sightings

Sighting activity recorded

2026-06-23
Added to CISA KEV Catalog

CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog

2026-06-19
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-09
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-06-09
Detected as Exploited in the Wild

Active exploitation confirmed — vendor: Ubiquiti, product: UniFi OS

2026-05-27
Threat Sensor Sighting — Few sightings

Sighting activity recorded

2026-05-26
Threat Sensor Sighting — Few sightings

Sighting activity recorded

Likely Kill Chain

Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.

Applicable Out of scope
Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Priv. Escalation
TA0004
Defense Evasion
TA0005
Credential Access
TA0006
Lateral Movement
TA0008
Collection
TA0009
Impact
TA0040

Highlighted stages are those attackers typically reach when exploiting this CVE. Heuristic based on CWE families — refined by ML classifier when available.

Attack Vectors ML

OS Command Injection
89% command_injection
Remote Code Execution
80% rce
Improper Input Validation
65% input_validation

MITRE ATT&CK Techniques (0)

ATT&CK techniques pending

Techniques are derived from this CVE's kill chains once ML classification completes.

CAPEC Attack Patterns ML

ID Name ML Conf. Likelihood Severity Link
CAPEC-101 Server Side Include (SSI) Injection
55%
High High
CAPEC-88 OS Command Injection
55%
High High
CAPEC-14 Client-side Injection-induced Buffer Overflow
54%
Medium High
CAPEC-9 Buffer Overflow in Local Command-Line Utilities
52%
High High
CAPEC-22 Exploiting Trust in Client
51%
High High

Red Team Playbook

AtomicRedTeam integration in progress

Executable commands will be auto-mapped to each ATT&CK technique of this CVE.

Detection & Response Rules

No detection or response rules found for this CVE.

No news articles found for this CVE.

References (4)

Title Tags URL
nvd.nist.gov
NVD reference
https://nvd.nist.gov/vuln/detail/CVE-2026-34910
community.ui.com
GitHub CVE
https://community.ui.com/releases/Security-Advisory-Bulletin-064-064/84811c09-4cf4-42ab-bd61-cc994445963b
cisa.gov
NVD API
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-34910
pwndefend.com
NVD API
https://www.pwndefend.com/2026/06/09/cve-2026-34910-exploitation-itw-building-a-botnet-mirai/