Ubiquiti has released security updates to patch three maximum severity vulnerabilities in Unify OS that can be exploited by remote attackers without privileges.

UniFi OS is a unified operating system that powers UniFi Consoles and helps manage IT infrastructure, including networking, security, and other services, as well as UniFi applications such as UniFi Network, UniFi Protect, UniFi Access, UniFi Talk, and UniFi Connect.

The first flaw (CVE-2026-34908) enables attackers to make unauthorized changes to targeted systems by exploiting an Improper Access Control weakness in Unify OS, while the second (CVE-2026-34909) allows them to access files on the underlying system by abusing a Path Traversal vulnerability, which could be manipulated to access an underlying account.

A third maximum severity security issue (CVE-2026-34910) makes it possible for malicious actors to launch a command injection attack after gaining network access by exploiting an Improper Input Validation vulnerability.

On Thursday, Ubiquiti also patched a second critical command injection flaw (CVE-2026-33000) and a high-severity information disclosure (CVE-2026-34911), both affecting Unifi OS devices.

Ubiquiti has yet to disclose whether any of the five vulnerabilities were exploited in the wild before disclosure, but shared that they can be exploited in low-complexity attacks and were reported through its HackerOne bug bounty program.

At the moment, threat intelligence company Censys is tracking nearly 100,000 Internet-exposed UniFi OS endpoints, most of them (nearly 50,000 IP addresses) found in the United States.

However, there is currently no information on how many have been secured against potential attacks targeting the vulnerabilities Ubiquiti patched this week.

​In March, Ubiquiti patched another maximum-severity flaw (CVE-2026-22557) in the UniFi Network Application that may allow attackers to take over user accounts, as well as a vulnerability (CVE-2026-22558) that can be exploited to escalate privileges.

Ubiquiti products have been targeted by both state-backed hacking groups and cybercriminals in recent years, in campaigns that hijacked them to build botnets that concealed the threat actors' malicious activity.

For instance, in February 2024, the FBI took down Moobot, a botnet of hacked Ubiquiti Edge OS routers used by Russia's Main Intelligence Directorate of the General Staff (GRU) to proxy malicious traffic in cyberespionage attacks targeting the United States and its allies.

Four years ago, in April 2022, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) also added a critical command injection flaw (CVE-2010-5330) in Ubiquiti AirOS to its catalog of actively exploited vulnerabilities and ordered federal agencies to secure their devices within three weeks.