VULNERABILITY OVERVIEW
CVE-2026-34908 is the anchor of a three-CVE chain (with CVE-2026-34909 and CVE-2026-34910) that yields a fully unauthenticated reverse shell with root privileges on any UniFi OS device. BishopFox confirmed that the bypass is rooted in NGINX processing of crafted requests that resolve auth-exempt prefixes to authenticated internal routes; the command-injection stage exploits unsanitized package names in the update handler. CISA added all three to KEV on June 23, 2026, with a federal remediation deadline of June 26, 2026 (today); Defused Cyber observed in-the-wild exploitation deploying commodity malware, and a public PoC chaining all three is available on GitHub.
CVSS BREAKDOWN
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Impact: C:H · I:H · A:H
AFFECTED VERSIONS
UniFi OS < 5.0.8 (Server); < 5.1.12 (most devices); < 5.1.10 (UNAS); < 5.1.11 (UDM-Beast)
CITATIONS
- CISA KEV – June 23 2026: https://www.cisa.gov/news-events/alerts/2026/06/23/cisa-adds-four-known-exploited-vulnerabilities-catalog
- Ubiquiti Security Advisory Bulletin 064: https://community.ui.com/releases/Security-Advisory-Bulletin-064-064/84811c09-4cf4-42ab-bd61-cc994445963b
- SecurityWeek – Critical Ubiquiti Vulnerabilities in Attackers' Crosshairs: https://www.securityweek.com/critical-ubiquiti-vulnerabilities-in-attackers-crosshairs/
- The Hacker News – CISA Warns Critical Lantronix EDS5000 Flaw: https://thehackernews.com/2026/06/cisa-warns-critical-lantronix-eds5000.html
- SecurityOnline – CISA Adds Four Exploited Flaws to KEV: https://securityonline.info/cisa-kev-catalog-exploited-flaws/
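For triaging an inventory against the AFFECTED VERSIONS line above, the following is an added example (not Ubiquiti's or the advisory's code). The fixed-version thresholds are copied from that line; the product labels ("server", "unas", "udm-beast", "other"), the hostnames and the installed versions in SAMPLE_INVENTORY are constructed for the example.

```python
"""Triage UniFi OS versions against the advisory's affected ranges (added example)."""
import re

# Fixed-version thresholds taken from the AFFECTED VERSIONS line of this page.
# The product keys are this example's own labels, not Ubiquiti identifiers.
FIXED_IN = {
    "server": (5, 0, 8),      # UniFi OS Server
    "unas": (5, 1, 10),       # UNAS
    "udm-beast": (5, 1, 11),  # UDM-Beast
    "other": (5, 1, 12),      # "most devices"
}


def parse_version(text):
    """'5.1.12' or 'v5.1.12' -> (5, 1, 12); a trailing build tag is ignored.

    Comparing tuples of ints is what makes 5.1.9 < 5.1.12 come out right;
    plain string comparison would rank '5.1.9' above '5.1.12' and miss it.
    """
    m = re.match(r"^\s*v?(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_affected(product, version):
    """True when the installed version is below the fixed version for that product."""
    threshold = FIXED_IN.get(product, FIXED_IN["other"])
    return parse_version(version) < threshold


def triage(inventory):
    """Return the names of devices that still need the update, in inventory order."""
    return [name for name, product, ver in inventory if is_affected(product, ver)]


# Constructed sample inventory: (hostname, product label, installed version).
SAMPLE_INVENTORY = [
    ("nas-01", "unas", "5.1.9"),
    ("nas-02", "unas", "5.1.10"),
    ("udm-hq", "udm-beast", "v5.1.11"),
    ("ap-lobby", "other", "5.1.9"),
    ("unifi-srv", "server", "5.0.7"),
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print("needs update:", host)
```

Devices whose product is not one of the four labels fall back to the "most devices" threshold, which is the conservative choice given the advisory's wording.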