Ubiquiti has patched a chain of three maximum-severity vulnerabilities in UniFi OS Server that together hand an unauthenticated remote attacker a root shell — no credentials required at any step. CISA added all three to its Known Exploited Vulnerabilities catalog on June 23, 2026, with a three-day remediation deadline for federal agencies, as Mirai and Gaafgyt botnet campaigns are actively scanning for and exploiting unpatched devices.
The vulnerability chain
The three CVEs were disclosed May 21 in Ubiquiti Security Advisory Bulletin SAB-064. Each carries a CVSS 3.1 base score of 10.0.
| CVE | Type | CVSS | Description |
|---|---|---|---|
| CVE-2026-34908 | Improper access control | 10.0 | Nginx auth-exempt route bypass |
| CVE-2026-34909 | Path traversal | 10.0 | Normalized-URI escape from auth gate |
| CVE-2026-34910 | Command injection | 10.0 | Unsanitized package name shelled to OS |
Stage 1 — Auth bypass (CVE-2026-34908 + CVE-2026-34909): UniFi OS Server’s Nginx authentication handler evaluates the raw, percent-encoded request URI when deciding whether a route requires authentication. But Nginx’s upstream proxy selection operates on the normalized URI, where %2F decodes to / and traversal sequences collapse. An attacker can craft a request prefixed with the auth-exempt path /api/auth/validate-sso/ while embedding a URL-encoded traversal sequence that normalizes to a fully authenticated internal API route. The authentication gate sees the exempt prefix and waves the request through; the backend receives the decoded, authenticated path.
Bishop Fox, which discovered and reported the flaw, demonstrated the discrepancy with a single crafted HTTP request and published a safe detection tool on GitHub.
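The mismatch described above is a general proxy hardening problem: a gate that matches an exemption prefix against the raw, still-encoded URI reaches a different answer than a router that sees the decoded, dot-segment-collapsed path. The following Python is an added example, not code from Ubiquiti, Bishop Fox, or Nginx: it shows the flawed decision beside a hardened one that normalizes before matching, plus a log-hunting helper that flags requests on which the two decisions disagree. `/api/internal/example` and the `AUTH_EXEMPT` tuple are constructed placeholders; only `/api/auth/validate-sso/` comes from the advisory text.

```python
import posixpath
from urllib.parse import unquote

# Routes that may be served without a session. The advisory names only
# /api/auth/validate-sso/; this tuple is otherwise a constructed placeholder.
AUTH_EXEMPT = ("/api/auth/validate-sso",)


def normalize_path(raw_uri: str) -> str:
    """Return the path as an upstream router would see it: query stripped,
    percent-decoded until stable (so a double-encoded %252E cannot survive a
    single decode), and ./ and ../ segments resolved."""
    path = raw_uri.split("?", 1)[0]
    previous = None
    while previous != path:
        previous, path = path, unquote(path)
    # normpath collapses dot segments and repeated slashes, drops a trailing
    # slash, and never lets a leading ".." climb above "/".
    return posixpath.normpath(path)


def _matches_exempt(path: str) -> bool:
    return any(path == p or path.startswith(p + "/") for p in AUTH_EXEMPT)


def exempt_by_raw_prefix(raw_uri: str) -> bool:
    """The flawed decision described in the advisory: the exemption is
    decided on the raw, still-encoded request URI."""
    return _matches_exempt(raw_uri.split("?", 1)[0])


def exempt_by_normalized_path(raw_uri: str) -> bool:
    """Hardened decision: normalize first, then match, so the auth gate and
    the router reason about the same string."""
    return _matches_exempt(normalize_path(raw_uri))


def find_gate_mismatches(request_paths):
    """Detection: every request on which the two decisions disagree. In an
    access log, a request that looked exempt to the gate but normalizes to a
    protected route is exactly the bypass pattern to hunt for."""
    return [p for p in request_paths
            if exempt_by_raw_prefix(p) != exempt_by_normalized_path(p)]


# Constructed sample request paths (not captured traffic). /api/internal/example
# stands in for any authenticated backend route.
SAMPLE_PATHS = [
    "/api/auth/validate-sso/token",
    "/api/internal/example",
    "/api/auth/validate-sso/%2E%2E/%2E%2E/%2E%2E/api/internal/example",
    "/api/auth/validate-sso/%252E%252E/%252E%252E/%252E%252E/api/internal/example",
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(f"{p}\n  raw={exempt_by_raw_prefix(p)} "
              f"normalized={exempt_by_normalized_path(p)} -> {normalize_path(p)}")
```

Decoding until the string stops changing is deliberately deny-biased: a legitimate path containing a literal `%25` might lose its exemption, which only costs the caller a login, whereas a single decode leaves the double-encoded case for the backend to resolve differently.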
Stage 2 — Root command injection (CVE-2026-34910): Once past the auth gate, attackers reach the package-update endpoint. This endpoint accepts a caller-supplied package name, builds a shell command string by concatenating that name without sanitization, and executes it via a shell. Worse, the service runs with sudo NOPASSWD privileges, so injecting ;id or a reverse shell payload into the package name yields immediate OS-level root.
Bishop Fox researchers confirmed the full three-CVE chain produces unauthenticated root code execution and published a detailed walkthrough on June 1, 2026.
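The injection in Stage 2 comes from building a shell string out of caller input. The Python below is an added example, not the UniFi OS Server code or anything Bishop Fox published: it places the flawed construction (string concatenation destined for a shell, returned rather than executed) beside the hardened form (allowlist validation of the package name, an argv list, and `shell=False`). `/usr/bin/pkg-update` and the name pattern are hypothetical stand-ins for whatever the real updater expects.

```python
import re
import subprocess

# Package identifiers: letters, digits, dot, underscore, plus, hyphen; must
# start alphanumeric (so "--flag" can't become an option); bounded length.
# Constructed policy, not Ubiquiti's.
PACKAGE_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._+-]{0,127}")

# Hypothetical updater binary, used for illustration only.
UPDATER = "/usr/bin/pkg-update"


def build_update_command_unsafe(package: str) -> str:
    """Mirrors the flaw the advisory describes: the caller-supplied name is
    concatenated into one string destined for a shell. Returned rather than
    executed, so this example never runs anything."""
    return f"sudo {UPDATER} {package}"


def validate_package_name(package: str) -> str:
    """Allowlist the input shape; anything else is rejected before it gets
    anywhere near a process."""
    if not PACKAGE_NAME_RE.fullmatch(package):
        raise ValueError(f"rejected package name: {package!r}")
    return package


def build_update_command_safe(package: str) -> list[str]:
    """Hardened form: validated argument, argv list, no shell. Even if the
    validator were bypassed, ';' or '|' would reach the updater as a literal
    argument rather than a shell command separator."""
    return [UPDATER, validate_package_name(package)]


def run_update(package: str, runner=subprocess.run):
    """Execute the hardened command. `runner` is injectable so the example
    can be exercised without the updater being installed."""
    return runner(build_update_command_safe(package), shell=False,
                  check=True, capture_output=True, text=True)


if __name__ == "__main__":
    hostile = "agent; id"  # constructed sample mirroring the page's ';id'
    print("unsafe string:", build_update_command_unsafe(hostile))
    try:
        build_update_command_safe(hostile)
    except ValueError as e:
        print("hardened path:", e)
    # Dry run: record argv instead of spawning a process.
    print(run_update("example-pkg-1.2.3", runner=lambda argv, **kw: argv))
```

The second half of the fix is privilege, not parsing: a service that builds update commands should not hold a blanket `sudo NOPASSWD` grant, and an argv-list invocation makes a narrow sudoers entry for the single updater binary practical.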
Affected products and scope
The vulnerability affects UniFi OS Server versions prior to 5.0.8 — the operating system layer that runs on Ubiquiti’s Cloud Gateway and Dream Machine appliances (UCG-Ultra, UDM-Pro, UDR, and related hardware). This is distinct from the UniFi Network Application software layer. Both small-business deployments and large multi-site enterprise environments with Dream Machines centrally managed are affected.
Shodan scans around the time of CISA’s KEV addition showed several thousand UniFi OS Server management interfaces exposed directly to the internet. Given the appliances’ typical deployment at network perimeters, a successful exploit gives an attacker a foothold with root privileges at the network edge, from which lateral movement or traffic interception is trivial.
Active exploitation has been confirmed by multiple threat intelligence teams. The exploiting malware families — Mirai and Gaafgyt variants — primarily recruit devices into DDoS botnets, but the same unauthenticated root shell is equally useful for more targeted post-exploitation.
Mitigation
- Upgrade immediately to UniFi OS Server 5.0.8 or later via the UniFi OS console (Settings → Updates → Update). The update is delivered OTA and typically requires only a brief reboot.
- Restrict management access. The UniFi OS web console should not be reachable from the internet. If remote management is needed, gate it behind a VPN or restrict to specific source IPs using the device’s firewall rules.
- Check for compromise indicators. Unusual outbound connections to non-Ubiquiti IPs, unexpected cron jobs or binaries in /tmp, and anomalous process names (common in Mirai infections) are all worth hunting for on devices that were internet-exposed before patching.
- FCEB agencies were required to remediate by June 26, 2026 under BOD 26-04.
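The indicator hunt in the last step can be scripted. The Python below is an added example, not a Ubiquiti or CISA tool: it applies three of the checks named above (connections to unexpected remote addresses, cron entries running out of scratch directories or piping into a shell, and executables sitting in a directory such as /tmp) to constructed sample data, so it runs offline. The `ss` output and crontab are fabricated for illustration, and `EXPECTED_REMOTE_NETS` is a placeholder to be replaced with the vendor's published endpoints or your own baseline; nothing here is a real Ubiquiti address.

```python
import ipaddress
import os
import re
import stat

# Constructed sample of `ss -tn state established` output; not captured from
# a real device. Peer addresses use RFC 5737 documentation ranges.
SAMPLE_SS_OUTPUT = """\
Recv-Q Send-Q Local Address:Port   Peer Address:Port
0      0      192.168.1.1:443      192.168.1.50:51234
0      0      192.168.1.1:22       192.168.1.20:40022
0      0      192.168.1.1:39812    203.0.113.77:6667
0      0      192.168.1.1:55100    198.51.100.9:443
"""

# Constructed sample crontab.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/5 * * * * /tmp/.x/update >/dev/null 2>&1
"""

# RFC 1918 space: peers here are the LAN and are not what this hunt is for.
LAN_NETS = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed allowlist of destinations the device is expected to talk to.
# Placeholder value, not Ubiquiti infrastructure.
EXPECTED_REMOTE_NETS = [ipaddress.ip_network("198.51.100.0/24")]

# Commands run from scratch space or piped into a shell.
SUSPICIOUS_CRON = re.compile(r"/tmp/|/dev/shm/|\|\s*(sh|bash)\b")


def parse_ss(text):
    """Yield (peer_ip, peer_port) from `ss -tn` output, skipping the header."""
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 4:
            continue
        host, _, port = parts[3].rpartition(":")
        yield ipaddress.ip_address(host.strip("[]")), int(port)


def unexpected_peers(text):
    """Established connections to addresses outside both the LAN and the
    expected allowlist, formatted as ip:port."""
    flagged = []
    for ip, port in parse_ss(text):
        if any(ip in net for net in LAN_NETS + EXPECTED_REMOTE_NETS):
            continue
        flagged.append(f"{ip}:{port}")
    return flagged


def suspicious_cron_lines(crontab):
    """Non-comment crontab entries matching SUSPICIOUS_CRON."""
    return [ln for ln in crontab.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")
            and SUSPICIOUS_CRON.search(ln)]


def executable_files(directory):
    """Regular files with any execute bit set, directly under `directory`
    (for example /tmp). Symlinks are not followed."""
    found = []
    with os.scandir(directory) as it:
        for entry in it:
            if entry.is_file(follow_symlinks=False):
                mode = entry.stat(follow_symlinks=False).st_mode
                if mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
                    found.append(entry.name)
    return sorted(found)


if __name__ == "__main__":
    print("unexpected peers:", unexpected_peers(SAMPLE_SS_OUTPUT))
    print("suspicious cron:", suspicious_cron_lines(SAMPLE_CRONTAB))
    print("executables in /tmp:", executable_files("/tmp"))
```

On a live appliance, feed `unexpected_peers` the real `ss -tn state established` output and `suspicious_cron_lines` each user's crontab plus /etc/cron.d; a hit from any of the three checks on a device that was internet-exposed before patching is grounds for treating it as compromised rather than merely unpatched.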
References
- Ubiquiti SAB-064 — Security Advisory Bulletin 064
- Bishop Fox: Popping Root on UniFi OS Server — Unauthenticated RCE Chain Detection & Analysis
- CISA KEV: CVE-2026-34908, CVE-2026-34909, CVE-2026-34910 — June 23, 2026
- BleepingComputer: Critical UniFi OS bug lets hackers gain root without authentication
- SecurityWeek: Critical Ubiquiti Vulnerabilities in Attackers’ Crosshairs
- GitHub: BishopFox/CVE-2026-34908-check — Safe detection scanner