Researchers at Bishop Fox confirmed that multiple flaws in Ubiquiti UniFi OS Server can be chained into unauthenticated remote code execution that yields full root access on exposed systems. The attack combines an authentication bypass and path traversal in the Nginx/unifi-core request flow—tracked as CVE-2026-34908 and CVE-2026-34909—with a command injection bug in the package-update service, CVE-2026-34910, and can be triggered through a reachable web request against internet-facing management interfaces. Researchers said the chain was validated end-to-end and can also leverage overly permissive sudo rights to complete privilege escalation.
Successful exploitation can expose stored secrets, enable forged administrative sessions that may persist after patching, and create downstream risk for managed network gear, door-access systems, and surveillance cameras connected through the platform. Ubiquiti said fixes were released in patched UniFi OS Server versions, including protections such as URI normalization, stricter package-name validation, removal of shell-based backend behavior, and reduced passwordless sudo permissions. Defenders are being urged to patch immediately, rotate credentials and secrets, review systems for signs of prior compromise, and limit or remove public exposure of UniFi management interfaces.
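As an added illustration (not code from Bishop Fox, Ubiquiti, or UniFi OS Server) of two of the fixes named above: an authorization check that normalizes the request URI before comparing it against a protected prefix, shown beside the naive prefix match that normalization replaces, plus an allowlist validator for package names. The route prefix, the package-name character set and the length limit are assumptions chosen for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

# Hypothetical route layout for illustration only; not UniFi OS Server's real paths.
PROTECTED_PREFIX = "/api/admin/"
# Package-name charset is an assumption (Debian-style): lowercase alnum plus "+", ".", "-",
# at least two characters, starting with an alphanumeric.
PACKAGE_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9+.-]+$")


def normalize_uri(raw_path: str) -> str:
    """Canonicalize a request path before any authorization decision.

    Percent-decoding repeats (bounded) until the string is stable, so double-
    encoded dot segments collapse too; backslashes are treated as separators;
    dot segments and repeated slashes are resolved with posixpath.normpath.
    """
    path = raw_path.split("?", 1)[0] or "/"
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")
    normalized = posixpath.normpath(path)
    if not normalized.startswith("/"):
        normalized = "/" + normalized
    if path.endswith("/") and not normalized.endswith("/"):
        normalized += "/"
    return normalized


def requires_auth_naive(raw_path: str) -> bool:
    """Prefix match on the raw path: the pattern URI normalization replaces."""
    return raw_path.startswith(PROTECTED_PREFIX)


def requires_auth_hardened(raw_path: str) -> bool:
    """Normalize first, then compare, so encoding and dot-segment variants of a
    protected path are classified the same way as the canonical form."""
    return normalize_uri(raw_path).startswith(PROTECTED_PREFIX)


def validate_package_name(name: str) -> bool:
    """Allowlist check for a package name before it reaches an update command;
    pair it with argv-style execution (no shell) so no name is ever interpolated."""
    return len(name) <= 64 and PACKAGE_NAME_RE.fullmatch(name) is not None
```

The two `requires_auth_*` functions disagree exactly on the inputs where a raw-string comparison and the server's eventual path resolution diverge, which is the gap URI normalization closes.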

5 events from the most recent confirmed update back to the earliest known activity.
On 2026-06-10, Ubiquiti published a security advisory covering vulnerabilities across multiple UniFi and related products, including UID Enterprise Agent, UniFi OS devices and consoles, UniFi OS Server, UDM-Beast, UNAS models, and Express. The advisory identified affected version ranges and directed users to apply the necessary updates.
Bishop Fox released a detection script to help defenders identify UniFi OS Server instances exposed to the patched vulnerability chain. The researchers advised upgrading to UniFi OS Server 5.0.8 or later and investigating systems for signs of compromise.
Bishop Fox confirmed that multiple UniFi OS Server vulnerabilities could be chained into unauthenticated remote code execution leading to full root access. The researchers validated the chain end-to-end and reported impacts including exposed secrets, forged persistent administrative sessions, and potential compromise of managed devices.
Ubiquiti fixed the vulnerability chain in UniFi OS Server by adding URI-normalization protections, package-name validation, and reducing passwordless sudo permissions. One source identifies the fixed version as 3.2.12, while another reports fixes in version 5.0.8.
Ubiquiti disclosed Security Advisory Bulletin SAB-013 covering five vulnerabilities across the UniFi OS device family. The key flaws included issues that could be chained for unauthenticated remote code execution and were described as critical.