05.22.2026

(Critical) Ubiquiti Discloses Max Severity Vulnerabilities in UniFi OS (Advisory 064)

Alert

Date of Notice: 05/22/2026

Action Level - Critical

Description

Ubiquiti has released Security Advisory Bulletin 064 detailing several severe vulnerabilities affecting UniFi OS, including three with the maximum CVSS score of 10.0. If exploited, these flaws allow unauthenticated remote attackers to make unauthorized system changes, access files on the underlying system, and inject commands. Administrators are strongly urged to review the vendor advisories and update all affected UniFi devices immediately to protect their IT infrastructure from total compromise.

Affected Devices

All of the following versions:

UniFi OS Server: Version 5.0.6 and earlier

UCG-Industrial: Version 5.0.13 and earlier

UDM suite, UDW, UDR, UDR7, Express 7, UNVR suite, ENVR, UCG suite, and EFG: Version 5.0.16 and earlier

UDR-5G, ENVR-Core, and UCK suite: Version 5.0.17 and earlier

UNVR-G2 and UNVR-G2-Pro: Version 5.1.11 and earlier

UDM-Beast and UNAS suite: Version 5.1.8 and earlier

Attack Vector

All of these vulnerabilities are exploited over the network, so an attacker needs network reachability to the device. Internet-exposed devices should be prioritized.

CVE-2026-34908 (CVSS 10.0): An Improper Access Control vulnerability enabling unauthorized changes to targeted systems.

CVE-2026-34909 (CVSS 10.0): A Path Traversal vulnerability allowing attackers to access files on the underlying system.

CVE-2026-34910 (CVSS 10.0): Improper Input Validation vulnerabilities allowing malicious actors to perform command injection.

CVE-2026-33000 (CVSS 9.1): Improper Input Validation vulnerabilities allowing malicious actors with high privileges to perform command injection.

CVE-2026-34911 (CVSS 7.7): A Path Traversal vulnerability allowing attackers with low privileges to access underlying files.

Attack Feasibility

It has not been publicly disclosed whether these vulnerabilities are being actively exploited in the wild, and there are currently no publicly available proof-of-concept (PoC) exploits.

Mitigations

None.

Remediations

Apply the latest firmware updates provided by Ubiquiti immediately:

Update UNAS suite to Version 5.1.10 or later.

Update UniFi OS Server to Version 5.0.8 or later.

Update UCG-Industrial, UDM suite, UDW, UDR suite, Express 7, UNVR suite (including G2), ENVR suite, UCG suite, UCK suite, and EFG to Version 5.1.12 or later.

Update UDM-Beast to Version 5.1.11 or later.
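To turn the version lists above into a patch queue, the following added example (not part of the advisory or Ubiquiti's tooling) checks a device inventory against the affected and fixed versions and sorts internet-exposed devices first. It assumes each inventory record is tagged with a family label worded as in this advisory; the field names, hostnames and versions are constructed, and families whose label differs between the Affected Devices and Remediations lists (UDR, UDR7, UDR-5G, ENVR, ENVR-Core, UNVR-G2, UNVR-G2-Pro) are left out until confirmed against the vendor bulletin.

```python
import re

# (family labels as worded in the advisory, highest affected, first fixed)
ROWS = [
    (("UniFi OS Server",), "5.0.6", "5.0.8"),
    (("UCG-Industrial",), "5.0.13", "5.1.12"),
    (("UDM suite", "UDW", "Express 7", "UNVR suite", "UCG suite", "EFG"), "5.0.16", "5.1.12"),
    (("UCK suite",), "5.0.17", "5.1.12"),
    (("UDM-Beast",), "5.1.8", "5.1.11"),
    (("UNAS suite",), "5.1.8", "5.1.10"),
]
ADVISORY = {fam: (hi, fix) for fams, hi, fix in ROWS for fam in fams}
RANK = {"AFFECTED": 0, "UNKNOWN_VERSION": 1, "BELOW_FIX": 2}

def parse_version(text):
    """'v5.0.16' or '5.0.16.30692' -> (5, 0, 16); None if unparseable."""
    m = re.match(r"\s*v?(\d+)\.(\d+)\.(\d+)", text or "")
    return tuple(map(int, m.groups())) if m else None

def classify(family, version):
    if family not in ADVISORY:
        return "UNLISTED"
    v = parse_version(version)
    if v is None:
        return "UNKNOWN_VERSION"  # cannot prove it is patched: treat as open
    ceiling, fixed = map(parse_version, ADVISORY[family])
    if v >= fixed:
        return "FIXED"
    # Versions between the listed ceiling and the fix are not named in the advisory.
    return "AFFECTED" if v <= ceiling else "BELOW_FIX"

def triage(inventory):
    """Devices needing action: internet-exposed first, then by status."""
    rows = [(d, classify(d["family"], d["version"])) for d in inventory]
    todo = [(d, s) for d, s in rows if s in RANK]
    todo.sort(key=lambda r: (not r[0]["exposed"], RANK[r[1]], r[0]["name"]))
    return [(d["name"], s, ADVISORY[d["family"]][1]) for d, s in todo]

# Constructed inventory (hostnames and versions are made up for the example).
INVENTORY = [
    {"name": "branch-gw", "family": "UCG suite", "version": "5.0.16", "exposed": False},
    {"name": "hq-udm", "family": "UDM suite", "version": "v5.0.12.30692", "exposed": True},
    {"name": "lab-server", "family": "UniFi OS Server", "version": "5.0.7", "exposed": True},
    {"name": "nas-01", "family": "UNAS suite", "version": "5.1.10", "exposed": False},
    {"name": "old-key", "family": "UCK suite", "version": "", "exposed": False},
]

if __name__ == "__main__":
    print(*triage(INVENTORY), sep="\n")
```

Each returned tuple is (device name, status, minimum version to update to); BELOW_FIX marks a version that sits between the advisory's affected ceiling and its fixed release, which should still be updated.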

Reference Links

MCNC
3021 East Cornwallis Road
Durham, NC 27713-2852
919-248-1900 Phone | 919-248-1101 Fax
© 2026 MCNC