CISA warns of actively exploited vulnerabilities in Ubiquiti UniFi OS. Three CVEs allow network takeover—apply the patch by June 26, 2026.
CISA has added three Ubiquiti UniFi OS vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog and issued a warning that at least one of them is being actively exploited in real-world attacks. Federal agencies and UniFi infrastructure operators have been given a deadline to deploy patches: June 26, 2026, in accordance with Binding Operational Directive (BOD) 26-04.
Ubiquiti UniFi is a widely used network management platform employed by thousands of organizations, including small and medium-sized businesses, across Europe.
Three Vulnerabilities That Can Be Chained
The most severe vulnerability, CVE-2026-34908, stems from improper access control in UniFi OS. An attacker with network access can modify the system configuration, disable security controls, or manipulate network traffic without authorization—and without needing valid login credentials.
CISA also highlighted two additional vulnerabilities that can be chained with CVE-2026-34908 to achieve deeper compromise:
- CVE-2026-34909 — a path traversal vulnerability allowing the reading or manipulation of files on the system, which could lead to account takeover
- CVE-2026-34910 — improper input validation allowing command injection and the execution of arbitrary code on the device
Although CISA has not yet confirmed a link to ransomware campaigns, it classifies the exploitation status of CVE-2026-34910 as “unknown” and notes that the type of access these vulnerabilities provide aligns with common techniques used by ransomware groups.
What is the actual impact?
After compromising a UniFi controller or gateway, attackers can:
- pivot into the internal network
- collect login credentials
- manipulate network traffic
- facilitate data theft or other destructive attacks
Environments where the UniFi management interface is accessible from untrusted networks or directly from the Internet are particularly at risk.
What to Do
CISA recommends taking immediate action in accordance with the manufacturer’s instructions and BOD 26-04:
- Apply patches according to the latest Ubiquiti vendor guidance—the deadline is June 26, 2026
- Check for exposure—verify whether the UniFi management interface is accessible from the internet or untrusted networks
- Restrict access to the management interface to trusted networks and VPNs only
- Retain logs in case forensic analysis is required
- For cloud-hosted UniFi deployments, follow the section of BOD 26-04 covering cloud services; consider temporarily taking the system offline if the patch is not available in time
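To support the exposure check above, here is an added Python example (not part of the advisory, and not Ubiquiti's or CISA's tooling) that probes a controller's management ports from whatever vantage point it is run on; run it from outside the trusted network, and treat every port that answers as exposed. The port numbers are assumed common UniFi defaults, not values from the advisory, and should be adjusted to the deployment.

```python
"""Exposure check for UniFi management interfaces (added example).

Run from an untrusted vantage point (a host outside the management VLAN or
outside the corporate network). Any port that completes a TCP handshake from
there is reachable by untrusted parties and should be restricted to trusted
networks or a VPN. Port numbers below are assumptions, not from the advisory.
"""
import socket
from dataclasses import dataclass

# Assumed common UniFi defaults; edit to match the deployment being checked.
MANAGEMENT_PORTS = {
    443: "UniFi OS web UI / API",
    8443: "Network application UI",
    8080: "device inform channel",
    22: "SSH",
}


@dataclass
class PortResult:
    host: str
    port: int
    reachable: bool
    service: str


def tcp_connect(host, port, timeout=3.0):
    """Return True if a TCP handshake completes, i.e. the port is reachable from here."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_host(host, ports=MANAGEMENT_PORTS, probe=tcp_connect):
    """Probe each management port; `probe` is injectable so the logic can be tested offline."""
    return [PortResult(host, p, probe(host, p), svc) for p, svc in ports.items()]


def exposure_report(results):
    """Return an overall verdict plus one line per reachable port."""
    exposed = [r for r in results if r.reachable]
    verdict = "EXPOSED" if exposed else "NOT REACHABLE FROM THIS VANTAGE POINT"
    lines = [f"{r.host}:{r.port} ({r.service}) reachable" for r in exposed]
    return verdict, lines


if __name__ == "__main__":
    import sys
    for host in sys.argv[1:]:
        verdict, lines = exposure_report(check_host(host))
        print(f"{host}: {verdict}")
        for line in lines:
            print("  " + line)
```

A "NOT REACHABLE" result only covers the vantage point the script ran from, so repeat the check from each network segment that should not have management access.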