Three Max-Severity Bugs Chain to Root on the Box That Runs Your Whole Network. Ubiquiti UniFi OS Is on the KEV List.
- Patrick Duggan
We keep coming back to the same shape, because attackers keep coming back to it. The highest-value box on an enterprise network is rarely a server full of data. It is the box that controls the other boxes — the SD-WAN manager, the PLM design authority, the network controller. Compromise the brain and you do not have to break in anywhere else. The brain pushes config to everything downstream.
This week it is Ubiquiti's turn. CISA added three UniFi OS vulnerabilities to the Known Exploited Vulnerabilities catalog, all rated maximum severity, all confirmed exploited.
Three Bugs, One Chain
Individually these are bad. Chained, they are a full remote-code-execution path that a network-positioned attacker can walk end to end.
CVE-2026-34908 is an access-control bypass. It lets an attacker make changes they should not be authorized to make — the foothold that turns "outside" into "inside."
CVE-2026-34909 is a path traversal. It exposes sensitive files on the underlying system, and critically, that includes credentials. This is the rung in the ladder that turns limited access into the keys.
CVE-2026-34910 is improper input validation that allows command injection — arbitrary commands executed on the device.
Researchers at Bishop Fox demonstrated the full chain: stitch the three together and you get remote code execution with elevated privileges on a vulnerable UniFi OS device. Access bypass to get in, traversal to harvest the credentials, command injection to run code as the system. Each bug hands the next one what it needs.
Why a UniFi Controller Is Worth the Effort
UniFi OS is not a single access point. It is the controller plane — the appliance that centrally manages the switches, gateways, and access points across a deployment. A lot of mid-market companies, branch offices, and managed-service providers run their entire network estate from one of these.
That centralization is the prize. RCE on the controller is not RCE on one device. It is a position that sees and configures the whole fabric, which means it is a launch pad for lateral movement into everything the network touches. The same logic that made Cisco Catalyst SD-WAN Manager a seven-zero-day target this year applies here: when one box is the authority for many, the authority is what gets hunted.
The Timeline Tells the Real Story
Ubiquiti shipped fixes for all three in May. CISA added them to the KEV catalog on June 23 and, under Binding Operational Directive 26-04, gave federal civilian agencies three days to patch. CISA has not published exploitation details or indicators of compromise — only the active-exploitation flag, which is the part that matters.
Sit with the gap. The patch existed in May. The active-exploitation listing came in late June. Everyone who applied the May update is fine. Everyone who treated a network-appliance firmware update as a someday task spent five-plus weeks running a known, now-weaponized RCE chain on the most centralized box they own. That window — patch-available to patch-applied — is the entire game, and network gear is where it stays open longest, because nobody wants to reboot the thing that runs the network.
What To Do This Morning
Update UniFi OS to the May release or later — that is the fix. If you cannot patch immediately, get the management interface off any untrusted network and restrict it to a hardened admin VLAN or VPN, because the chain starts with network-reachable access control.
Then treat the controller as suspect rather than assume the patch saved you. The path-traversal bug leaks credentials, so if you were exposed before patching, assume the credentials on and reachable from that device are burned: rotate UniFi admin credentials, rotate anything else that lived on or authenticated through the controller, and review configuration changes and new accounts on the device against the date you actually applied the update. Code execution comes first; persistence is what they install once they are in.
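The triage step above, as an added example that is not from the article, Ubiquiti or Bishop Fox: it takes a constructed audit export (hypothetical field names, not the real UniFi OS log schema), computes the patch-available-to-patch-applied window, and lists the account creations, configuration changes and actors inside it that the article says to review and rotate. The fix-shipped date is a placeholder, since the article gives only "May".

```python
"""Exposure-window triage for a UniFi controller after the CVE-2026-34908/34909/34910 chain.

Added example, not from the article, Ubiquiti or Bishop Fox. Event field names are
hypothetical (not the real UniFi OS audit schema) and the dates are placeholders.
"""
from datetime import date

# Constructed audit export standing in for the controller's real logs (hypothetical schema).
SAMPLE_EVENTS = [
    {"ts": "2026-05-02T09:14:00", "kind": "config_change", "actor": "netops", "detail": "VLAN 40 added"},
    {"ts": "2026-05-19T03:41:12", "kind": "admin_created", "actor": "admin", "detail": "new admin 'svc-backup'"},
    {"ts": "2026-06-10T22:05:33", "kind": "config_change", "actor": "svc-backup", "detail": "SSH enabled on a switch"},
    {"ts": "2026-06-27T10:00:00", "kind": "config_change", "actor": "netops", "detail": "UniFi OS update applied"},
]

def exposure_window_days(fix_available: str, patch_applied: str) -> int:
    """Days the controller ran with a public fix unapplied (ISO dates in, whole days out)."""
    start, end = date.fromisoformat(fix_available), date.fromisoformat(patch_applied)
    if end < start:
        raise ValueError("patch_applied precedes fix_available")
    return (end - start).days

def suspect_events(events, fix_available: str, patch_applied: str):
    """Account creations and config changes made while the fix existed but was not yet applied."""
    start, end = date.fromisoformat(fix_available), date.fromisoformat(patch_applied)
    hits = [
        ev for ev in events
        if ev["kind"] in {"admin_created", "config_change"}
        and start <= date.fromisoformat(ev["ts"][:10]) < end
    ]
    return sorted(hits, key=lambda ev: ev["ts"])

def credentials_to_rotate(events, fix_available: str, patch_applied: str):
    """Every actor active in the window is treated as burned; the admin account is rotated regardless."""
    actors = {ev["actor"] for ev in suspect_events(events, fix_available, patch_applied)}
    actors.add("admin")  # the article says to rotate UniFi admin credentials in any case
    return sorted(actors)

if __name__ == "__main__":
    fix, applied = "2026-05-01", "2026-06-27"  # placeholders: article gives "May" and the June 23 KEV date only
    print(f"exposure window: {exposure_window_days(fix, applied)} days")
    for ev in suspect_events(SAMPLE_EVENTS, fix, applied):
        print(f"{ev['ts']}  {ev['kind']:<14} by {ev['actor']:<10} {ev['detail']}")
    print("rotate credentials for:", ", ".join(credentials_to_rotate(SAMPLE_EVENTS, fix, applied)))
```

Feed it the controller's real audit export and the date you actually applied the update; anything it lists is a change to verify, not one to assume was yours.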
CISA gave three days. The bug had a five-week head start. Patch the brain, then check whether anyone already used it.
Sources: BleepingComputer (cisa-warns-of-max-severity-ubiquiti-flaws-exploited-in-attacks), CISA KEV alert June 23 2026, Bishop Fox research, The Hacker News.
