```html ``` Three Perfect-10 Bugs in UniFi OS Are Being Exploited to Mint Rogue Admins. It's the Gear Half the Small Offices in America Run — and We Told You Its Clean Look Was Hiding Something.
top of page

Three Perfect-10 Bugs in UniFi OS Are Being Exploited to Mint Rogue Admins. It's the Gear Half the Small Offices in America Run — and We Told You Its Clean Look Was Hiding Something.

  • Writer: Patrick Duggan
    Patrick Duggan
  • 18 hours ago
  • 3 min read

Ubiquiti's UniFi gear is everywhere. It runs the network in dentist offices, small law firms, coffee shops, church basements, and about half the home labs of everyone reading this. It is beloved because the interface is clean and it just works. Three vulnerabilities in UniFi OS now carry a CVSS score of 10.0 apiece, the maximum, and attackers are chaining them to create their own administrator accounts on other people's networks. CISA put all three on its Known Exploited Vulnerabilities catalog. This is being used in the wild right now.



The three bugs, and why they are worse together


Each of the three is dangerous alone. Together they are a full takeover.


CVE-2026-34909 is a path traversal flaw. It lets an attacker on the network reach files on the underlying system that were never meant to be reachable, and from those files reach an account. CVE-2026-34910 is an improper input validation flaw that allows command injection, which is the polite term for running your own commands on the device. CVE-2026-34908 is an improper access control flaw that lets a malicious actor make unauthorized changes to the system. Read them in order and you can see the attack: traverse to a file that gets you into an account, inject the commands you want, then change what you please. The reported outcome matches the theory. Victims are finding administrator accounts on their UniFi consoles that they never created.



Who this actually hurts


This is the part the enterprise coverage will skip, so we will not. The organizations running UniFi are mostly the ones without a security team. That is the whole appeal of the product. A small business buys UniFi precisely because it does not employ someone to babysit a Cisco fabric. So the population most exposed to three actively-exploited perfect-10 bugs is the population least equipped to notice a rogue admin account appeared over the weekend. The vendors who sell six-figure detection platforms are not calling these people. Nobody is.



We flagged the surface last week


We are going to point at our own receipt, because it landed before the exploitation news did. Last week we published a post arguing that UniFi's clean, friendly interface hides a real attack surface, and that the very thing that makes it approachable for non-experts is what makes it dangerous when a flaw shows up. That was the general argument. This is the specific proof. Three tens, chained, in the wild, minting admins. The surface we described is the one being walked across right now.



What to do this weekend, not next quarter


Update your UniFi OS to the latest version today. Ubiquiti patched these last month, so the fix exists and the only thing standing between you and it is the update you have been putting off. Then do the thing the patch cannot do for you: open your UniFi console, go to the admin users list, and read every name on it. If there is an account you do not recognize, you were already hit, and the patch closes the door with the intruder still inside. Remove it, rotate every credential, and check for changes to firewall rules and port forwards. If your management interface is reachable from the public internet, put it behind a VPN or lock it to known addresses, because a network-reachable bug is only as dangerous as the network that can reach it.


We cap our certainty at 95 percent, and here the missing five points are about counting. Ubiquiti and CISA have confirmed the flaws and the exploitation. Neither has published how many consoles were compromised before the patches went on, and given who runs this gear, a lot of those rogue accounts are sitting on networks where nobody has looked yet. Go look at yours.




Every indicator in this post is in the feed. Free.

1.58M+ IOCs, STIX 2.1 / TAXII, 88% novel vs ThreatFox, exploited-CVE leads ahead of CISA. No credit card — a free API key in 30 seconds, and you can audit every claim above against the live endpoints.


bottom of page