Ubiquiti Networks has released emergency security updates addressing five critical vulnerabilities in its UniFi OS platform, three of which carry the maximum possible CVSS v3.1 score of 10.0.
The flaws expose a wide range of enterprise and prosumer hardware to attacks that enable unauthenticated remote code execution, path traversal, and privilege escalation.
Affected product lines include the UniFi Cloud Gateway (UCG) series, UniFi Dream Machine (UDM) appliances, UniFi Network Video Recorders (UNVR), and the core UniFi OS Server software, all of which are commonly deployed at the edge of corporate networks.
Successful exploitation could hand threat actors direct access to internal network segments, connected endpoints, and sensitive infrastructure data.
The most dangerous vulnerability in this batch, CVE-2026-34908, was discovered by researcher Duc Anh Nguyen (@heckintosh_) and involves an improper access control weakness.
An attacker with only basic network access can make sweeping, unauthorized changes to the underlying UniFi operating system without providing any authentication credentials.
CVE-2026-34909, identified by Abdulaziz Almadhi of Catchify Security, is a path traversal vulnerability that allows unauthenticated remote attackers to navigate the device file system and read sensitive host files.
Those files can subsequently be manipulated to achieve unauthorized access to underlying system accounts, resulting in full device compromise.
The third maximum-severity issue, CVE-2026-34910, was reported by John Carroll and stems from improper input validation within the UniFi OS environment.
Network-adjacent or remote attackers can exploit this flaw to inject and execute arbitrary system-level commands, achieving complete control over the targeted appliance without prior authentication.
Ubiquiti also patched two additional vulnerabilities that, while requiring some level of prior authentication, still pose serious risks to enterprise environments.
CVE-2026-33000 (CVSS 9.1), discovered by researcher V3rlust, allows highly privileged attackers to exploit improper input validation for authenticated command injection.
This flaw primarily serves as a post-compromise persistence or privilege-escalation mechanism for threat actors who have already gained access to an administrative account.
CVE-2026-34911 (CVSS 7.7), uncovered by Hakai Security, is a high-severity path-traversal bug that requires only low-privilege authentication.
Once inside, attackers can navigate outside restricted directories to access sensitive system files, enabling lateral movement and data exfiltration across the compromised environment.
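The two bug classes that dominate this batch, path traversal and OS command injection, leave recognisable traces in the web access log of the device or of a reverse proxy in front of it. The following is an added example, not Ubiquiti code and not tied to any real UniFi OS endpoint: the log layout, the `/api/...` paths and the client addresses are constructed placeholders. It percent-decodes each request target (repeatedly, since double encoding is a common filter-evasion trick), canonicalises `....//`-style sequences that survive a naive `../` strip, and flags requests whose path or query values contain traversal or shell-metacharacter indicators.

```python
"""Flag path-traversal and command-injection indicators in access-log lines.

Added example, not Ubiquiti or UniFi OS code. The log layout, the API paths
and the client addresses below are constructed for illustration only.
"""
import re
import urllib.parse
from dataclasses import dataclass

# Constructed sample lines: client, method, request target, status.
SAMPLE_LOG = """\
10.0.5.23 GET /api/system/info 200
203.0.113.7 GET /api/files?name=..%2F..%2F..%2Fetc%2Fpasswd 200
10.0.5.23 POST /api/settings 200
198.51.100.9 POST /api/diag?host=127.0.0.1%3Bid 200
203.0.113.7 GET /api/files?name=....//....//etc/shadow 200
10.0.5.40 GET /api/report?name=quarterly_2026.pdf 200
"""

LOG_RE = re.compile(r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<target>\S+) (?P<status>\d{3})$")

# Shell metacharacters that have no place in a hostname- or filename-style value.
CMD_META = re.compile(r"[;&|`$]")
# A ".." path component bounded by slashes, backslashes or the string ends.
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


@dataclass
class Finding:
    ip: str
    target: str
    reason: str


def normalize(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded), then canonicalise '....//' style
    sequences to '../' so they match the same rule as a plain traversal."""
    prev = None
    for _ in range(rounds):
        if value == prev:
            break
        prev, value = value, urllib.parse.unquote(value)
    return re.sub(r"\.{2,}[\\/]{1,2}", "../", value)


def request_values(target: str) -> list[str]:
    """Return the request path plus every query-parameter value (decoded once)."""
    parsed = urllib.parse.urlsplit(target)
    values = [parsed.path]
    for _, v in urllib.parse.parse_qsl(parsed.query, keep_blank_values=True):
        values.append(v)
    return values


def scan(log_text: str) -> list[Finding]:
    """Return one Finding per suspicious request, in log order."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        for raw in request_values(m["target"]):
            val = normalize(raw)
            if TRAVERSAL.search(val):
                findings.append(Finding(m["ip"], m["target"], "path traversal"))
                break
            if CMD_META.search(val):
                findings.append(Finding(m["ip"], m["target"], "command injection"))
                break
    return findings


def by_source(findings: list[Finding]) -> dict[str, int]:
    """Count findings per client address, useful for a quick triage view."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.ip] = counts.get(f.ip, 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ip:<14} {f.reason:<18} {f.target}")
    print(by_source(scan(SAMPLE_LOG)))
```

Decoding before matching is the important design choice: a filter that only looks for a literal `../` in the raw request misses both the percent-encoded form and the `....//` variant, which is exactly why the canonicalisation step runs before either regex.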
Ubiquiti has published comprehensive patches across its hardware ecosystem. Administrators should apply the following updates immediately:
Given that these devices typically sit at network perimeters, the combination of zero-authentication command injection and path traversal bugs makes internet-exposed management interfaces prime targets for opportunistic botnets, ransomware affiliates, and advanced persistent threat groups seeking initial access vectors.
Network administrators must immediately apply available patches and ensure management interfaces are strictly segregated from public internet access.
The post Ubiquiti Issues Patches for Critical UniFi OS Privilege Escalation Vulnerabilities appeared first on Cyber Security News.