Ubiquiti UniFi OS CVSS 10.0 critical vulnerabilities 2026

Ubiquiti Just Got 3 Perfect CVSS 10.0 Scores — 100,000 UniFi Devices Are Exposed Right Now

Three Perfect Scores, One Devastating Patch

On May 22, 2026, Ubiquiti released emergency security updates addressing five vulnerabilities in its UniFi Operating System — three of which carry the maximum possible CVSS score of 10.0. That’s not a typo. Three simultaneous perfect-severity vulnerabilities in one of the most popular networking platforms used by businesses, prosumers, and homelabbers worldwide.

All three allow unauthenticated remote exploitation, meaning attackers don’t need credentials, don’t need prior access, and don’t need user interaction. If your UniFi device is exposed to the network, it’s vulnerable. And according to Censys, nearly 100,000 UniFi OS endpoints are currently Internet-accessible.

The Five Vulnerabilities Explained

The patch addresses five CVEs total, ranging from high to maximum severity:

CVE-2026-34908 (CVSS 10.0) — Improper Access Control.
CVE-2026-34909 (CVSS 10.0) — Path Traversal.
CVE-2026-34910 (CVSS 10.0) — Command Injection via Improper Input Validation.
CVE-2026-33000 (CVSS 9.1) — Additional access control flaw.
CVE-2026-34911 (CVSS 7.7) — Information Disclosure.

The three CVSS 10.0 vulnerabilities can be chained together for complete device takeover without any authentication. Let’s break down each one.

CVE-2026-34908: Improper Access Control (CVSS 10.0)

This vulnerability requires no authentication and allows network-adjacent attackers to make unauthorized changes to the system. The access control mechanism in UniFi OS fails to properly validate requests, so unauthenticated callers can modify system configuration that should require administrator privileges. One caveat on the wording: a CVSS v3.1 base score of 10.0 is only reachable with Attack Vector: Network, and an adjacent-only vector caps the base score at 9.6, so check the vector string in the vendor advisory rather than relying on the prose when deciding whether an Internet-reachable device is in scope.

In practical terms: anyone on the same network (or reaching the device remotely if it’s Internet-exposed) can reconfigure your entire UniFi infrastructure without ever logging in. They can change Wi-Fi settings, modify firewall rules, alter VLAN configurations, and redirect traffic — all without needing a single credential.

Affected devices include UDM, UDM-Pro, UDM-SE, UDM-Pro-Max, and other models in the UniFi gateway and controller lineup.
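The pattern behind an "improper access control" bug of this kind is usually a mutating endpoint that never asks who is calling. The following is an added illustration, not Ubiquiti code and not derived from the advisory: a toy API with per-handler authentication checks (one of which is missing) beside a deny-by-default dispatcher that gates every route centrally. The route names, the Request shape and the CONFIG dictionary are assumptions made for the example.

```python
"""Per-handler auth checks (fragile) vs. a deny-by-default gate (robust).

Added example; route names, request shape and config store are assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Request:
    method: str
    path: str
    session_user: Optional[str] = None   # None means unauthenticated
    body: dict = field(default_factory=dict)

# Stand-in for the device configuration the endpoints modify (constructed).
CONFIG = {"wifi_ssid": "corp", "firewall": ["allow established"]}

def get_status(req):
    return 200, {"uptime": 12345}

def set_wifi(req):
    if req.session_user is None:          # the check is present here...
        return 401, {"error": "auth required"}
    CONFIG["wifi_ssid"] = req.body["ssid"]
    return 200, {"ok": True}

def set_firewall(req):
    # ...but was forgotten here: anyone who can reach the port rewrites the rules.
    CONFIG["firewall"] = req.body["rules"]
    return 200, {"ok": True}

# Vulnerable pattern: each handler is trusted to enforce its own authentication.
VULN_ROUTES = {("GET", "/api/status"): get_status,
               ("PUT", "/api/wifi"): set_wifi,
               ("PUT", "/api/firewall"): set_firewall}

def vuln_dispatch(req):
    handler = VULN_ROUTES.get((req.method, req.path))
    return handler(req) if handler else (404, {})

# Hardened pattern: one gate in front of every route, deny by default.
# Only an explicit allowlist may be served unauthenticated, and that list
# must contain read-only endpoints only (audit_public_routes checks this).
PUBLIC_ROUTES = {("GET", "/api/status")}

def _raw_set_firewall(req):
    # No auth logic here on purpose: the dispatcher has already enforced it.
    CONFIG["firewall"] = req.body["rules"]
    return 200, {"ok": True}

SAFE_ROUTES = {("GET", "/api/status"): get_status,
               ("PUT", "/api/wifi"): set_wifi,
               ("PUT", "/api/firewall"): _raw_set_firewall}

def safe_dispatch(req):
    key = (req.method, req.path)
    if key not in SAFE_ROUTES:
        return 404, {}
    if key not in PUBLIC_ROUTES and req.session_user is None:
        return 401, {"error": "auth required"}
    return SAFE_ROUTES[key](req)

def audit_public_routes(public, routes):
    """Return public routes that are not GET; a non-empty result is a bug."""
    return sorted(k for k in public if k in routes and k[0] != "GET")

if __name__ == "__main__":
    anon = Request("PUT", "/api/firewall", None, {"rules": ["allow any"]})
    print("vulnerable dispatcher:", vuln_dispatch(anon)[0])   # 200: rules rewritten
    print("hardened dispatcher:", safe_dispatch(anon)[0])     # 401
    print("non-read-only public routes:", audit_public_routes(PUBLIC_ROUTES, SAFE_ROUTES))
```

The point of the second half is that the security decision lives in one place that is reviewed once, and the set of unauthenticated routes is data you can audit (and unit-test) rather than behaviour scattered across handlers.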

CVE-2026-34909: Path Traversal (CVSS 10.0)

This path traversal vulnerability allows unauthenticated network attackers to access arbitrary files on the underlying operating system and manipulate them to gain access to system accounts. The classic “../../../etc/passwd” style attack, but against your network infrastructure.

Through file access, attackers can read configuration files containing credentials, access SSH keys stored on the device, extract VPN certificates, and read the device’s management interface secrets. By manipulating files, they can escalate to full root access on the underlying Linux system.

Combined with CVE-2026-34908, an attacker first gains configuration access, then uses path traversal to read sensitive files and escalate privileges to the underlying OS.
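To make the traversal mechanism concrete, here is an added example (not Ubiquiti code, and not a reproduction of the UniFi bug): a file-serving routine that joins the caller's path onto a web root and opens it, beside a hardened version that resolves the real path and refuses anything outside the root. The sandbox directory, the file names and the "secret.key" stand-in for a credential file are constructed for the example.

```python
"""Path traversal: naive join vs. realpath + containment check.

Added example; the directory layout and file contents are constructed.
"""
import os
import tempfile

# Constructed sandbox: a fake web root with one public file, and a secret
# outside the root standing in for /etc/passwd or an SSH private key.
ROOT = tempfile.mkdtemp()
WEBROOT = os.path.join(ROOT, "public")
os.makedirs(WEBROOT)
with open(os.path.join(WEBROOT, "logo.png"), "wb") as f:
    f.write(b"PNG-bytes")
with open(os.path.join(ROOT, "secret.key"), "wb") as f:
    f.write(b"-----BEGIN PRIVATE KEY-----")

def vulnerable_read(user_path):
    """Join and open: '../secret.key' walks out of the web root, and an
    absolute path such as '/etc/passwd' makes os.path.join discard WEBROOT."""
    full = os.path.join(WEBROOT, user_path)
    with open(full, "rb") as f:
        return f.read()

def hardened_read(user_path):
    """Resolve the real path and require it to stay inside WEBROOT.

    realpath() collapses '..' and follows symlinks, so a symlink planted
    inside the web root cannot be used to point outside it either.
    """
    base = os.path.realpath(WEBROOT)
    full = os.path.realpath(os.path.join(base, user_path))
    # commonpath, not startswith: '/srv/public' must not accept '/srv/public2'
    if os.path.commonpath([base, full]) != base:
        raise PermissionError(f"path escapes web root: {user_path!r}")
    with open(full, "rb") as f:
        return f.read()

def traversal_blocked(user_path):
    """True if the hardened reader refuses the path."""
    try:
        hardened_read(user_path)
        return False
    except PermissionError:
        return True

if __name__ == "__main__":
    print(vulnerable_read("../secret.key"))      # leaks the key
    print(traversal_blocked("../secret.key"))    # True
    print(traversal_blocked("/etc/passwd"))      # True
```

Two details matter in practice: decode the request path (for example `%2e%2e%2f`) before the check, not after, and compare with `commonpath` on the resolved path rather than rejecting the literal string `..`, since encoded, doubled and symlink-based variants all bypass string filters.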

CVE-2026-34910: Command Injection (CVSS 10.0)

The final piece of the chain: an Improper Input Validation vulnerability enabling unauthenticated command injection. Attackers can execute arbitrary commands on the device remotely without any authentication.

This is the most dangerous of the three. Command injection means the attacker has full control over the device’s operating system. They can install persistent backdoors, modify firmware, exfiltrate all network traffic passing through the device, pivot to other devices on the network, and use the compromised device as a launching point for further attacks.

For businesses running UniFi as their core network infrastructure, this is a complete compromise scenario. An attacker with command execution on your gateway can see and modify all network traffic, intercept DNS queries, perform man-in-the-middle attacks on unencrypted traffic, and exfiltrate data through DNS tunneling.
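The "improper input validation leading to command injection" class looks like this in code. The following is an added example, not Ubiquiti code and not the actual vulnerable routine: a diagnostic handler that builds a shell string from a user-supplied target, beside a version that validates the target against an allowlist of shapes and invokes the tool with an argv list and no shell. The tool is replaced by `echo` so the example runs offline; the shell-versus-argv behaviour is the same for `ping`, `traceroute` or any other binary.

```python
"""Command injection: shell string vs. validated argv.

Added example. TOOL stands in for a real diagnostic binary.
"""
import ipaddress
import re
import subprocess

# Stand-in for the real diagnostic binary so the example runs anywhere.
TOOL = ["echo", "probing"]

def run_vulnerable(target):
    """Builds a shell string from user input and hands it to /bin/sh.

    A target like '127.0.0.1; id' terminates the intended command and runs
    whatever follows, with the privileges of the web service.
    """
    cmd = " ".join(TOOL) + " " + target
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout

# RFC 1123 hostname: labels of 1-63 alphanumerics/hyphens, no leading hyphen.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.I)

def validate_target(target):
    """Accept only an IP literal or a hostname; reject everything else.

    Because a hostname cannot start with '-', option injection such as
    '-c 999999' is rejected here too, not just shell metacharacters.
    """
    try:
        ipaddress.ip_address(target)
        return target
    except ValueError:
        pass
    if HOSTNAME_RE.match(target):
        return target
    raise ValueError(f"invalid target: {target!r}")

def run_hardened(target):
    """Validate, then exec with an argv list: no shell ever parses the input."""
    host = validate_target(target)
    return subprocess.run(TOOL + [host], capture_output=True, text=True).stdout

def is_rejected(target):
    try:
        run_hardened(target)
        return False
    except ValueError:
        return True

if __name__ == "__main__":
    print(run_vulnerable("127.0.0.1; echo INJECTED"), end="")  # second line appears
    print(run_hardened("127.0.0.1"), end="")
    print(is_rejected("127.0.0.1; echo INJECTED"))               # True
```

Validation and `shell=False` are both needed: argv alone stops `;` and `$()`, but without validation an attacker can still feed the tool hostile flags or a path.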

100,000 Devices Exposed on the Internet

According to Censys, nearly 100,000 UniFi OS endpoints are currently accessible from the Internet. The majority are located in the United States, with significant numbers in Europe, Australia, and Canada.

As of May 22, there’s no public proof-of-concept exploit code and no confirmed active exploitation in the wild. But the window between patch release and exploit development is shrinking rapidly in 2026 — sometimes to mere hours. With three CVSS 10.0 vulnerabilities and 100,000 targets, this is a gold mine for attackers.

The typical Ubiquiti deployment includes a UDM or UDM-Pro as the network gateway, UniFi switches, and UniFi access points. If the gateway is compromised, the entire network is compromised. This isn’t just about one device — it’s about every device and user on that network.

Which Products Are Affected

The affected product lines span Ubiquiti’s entire enterprise-grade lineup:

UniFi Cloud Gateway (UCG) series: the entry-level gateways used by small businesses and home offices.
UniFi Dream Machine (UDM) appliances: the all-in-one gateway/controller/switch devices popular with prosumers and SMBs.
UniFi Network Video Recorders (UNVR): if your security cameras are on a vulnerable UNVR, attackers could access your surveillance footage.
UniFi OS Server: the standalone controller software running the UniFi ecosystem.

Essentially, if it runs UniFi OS, it’s vulnerable until patched. This includes devices that serve as network gateways (handling all traffic), security camera recorders (storing sensitive footage), and network controllers (managing your entire infrastructure).

Why This Is Worse Than a Typical Router Bug

Ubiquiti devices aren’t consumer-grade routers with a single admin page. They’re enterprise-class networking equipment running sophisticated software stacks. Organizations that deploy UniFi typically use it to manage dozens or hundreds of network devices, handle VLAN segmentation for security-sensitive environments, run site-to-site VPNs, and manage guest networks for businesses.

A compromised UniFi gateway doesn’t just affect one device — it compromises the entire network architecture. VLAN isolation? Gone. Firewall rules? Bypassed. VPN security? Undermined. Guest network separation? Non-existent. The attacker effectively has a privileged position to intercept, modify, and redirect all network traffic.

For organizations in regulated industries — healthcare, finance, legal — a UniFi compromise could trigger breach notification requirements, HIPAA violations, or PCI-DSS non-compliance. The consequences extend far beyond patching a device.

Patch Now: Here’s How

Ubiquiti has released fixed firmware versions. Update immediately:

UDM, UDM-Pro, UDM-SE, and related gateway devices: update to UniFi OS Version 5.1.12 or later.
UniFi OS Server: update to Version 5.0.8 or later.
UCG devices: check the UniFi OS release notes for your specific model's patched version.

To update: log into your UniFi Controller at unifi.ui.com or your local controller URL, navigate to Settings > System > Firmware, and apply available updates. For devices not managed through a controller, access the device directly via SSH or the local UI. After the rollout, confirm the UniFi OS version each device reports; a device that was offline or mid-reboot during the update will still be on the old version.

If you cannot patch immediately:
restrict management access to trusted VLANs only;
ensure the UniFi management interface is NOT exposed to the Internet;
implement firewall rules blocking external access to the UniFi management ports (typically 443, 8443 and 8080, plus 22 if SSH is enabled), keeping in mind that 8080 is the inform port adopted devices use to reach the controller, so block it at the WAN edge, not between your devices and the controller;
monitor for unusual configuration changes or new admin accounts.
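For more than a handful of devices, the first step is an inventory check rather than clicking through each UI. The following triage helper is an added example (not Ubiquiti code): it compares each device's reported version against the fixed versions stated above, treats pre-release builds conservatively, and orders the results so unpatched devices whose management interface is reachable from the Internet come first. The inventory format (name, model, version, whether management is reachable on the WAN) and the sample rows are constructed; export the real data from your controller in the same shape. Models whose fixed version the text defers to the release notes are mapped to None on purpose.

```python
"""Fleet triage against the fixed UniFi OS versions named in the article.

Added example; inventory shape and sample rows are constructed.
"""
import re
from typing import Optional, Tuple

# Fixed versions as stated above. None = consult the release notes for
# that model (the article does not give a number for UCG devices).
FIXED_VERSION = {
    "UDM": "5.1.12", "UDM-Pro": "5.1.12", "UDM-SE": "5.1.12", "UDM-Pro-Max": "5.1.12",
    "UniFi OS Server": "5.0.8",
    "UCG-Ultra": None, "UCG-Max": None,   # model names assumed for the example
}

def parse_version(v: str) -> Tuple[Tuple[int, ...], str]:
    """'5.1.12' -> ((5, 1, 12), ''); '5.1.12-rc1' -> ((5, 1, 12), '-rc1')."""
    m = re.match(r"^(\d+(?:\.\d+)*)(.*)$", v.strip())
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    return nums, m.group(2)

def classify(model: str, version: str) -> str:
    if model not in FIXED_VERSION:
        return "unknown-model"
    fixed: Optional[str] = FIXED_VERSION[model]
    if fixed is None:
        return "check-release-notes"
    have, suffix = parse_version(version)
    need, _ = parse_version(fixed)
    # A pre-release tagged with the fixed number (e.g. 5.1.12-rc1) may
    # predate the fix, so only an untagged build at or above it counts.
    if have > need or (have == need and not suffix):
        return "patched"
    return "unpatched"

# Constructed sample inventory.
INVENTORY = [
    {"name": "hq-gw",     "model": "UDM-Pro",        "version": "5.1.11",     "mgmt_on_wan": True},
    {"name": "branch-gw", "model": "UDM-SE",         "version": "5.1.12",     "mgmt_on_wan": False},
    {"name": "lab-gw",    "model": "UDM",            "version": "5.1.12-rc1", "mgmt_on_wan": False},
    {"name": "ctl-01",    "model": "UniFi OS Server", "version": "5.0.8",     "mgmt_on_wan": False},
    {"name": "shop-gw",   "model": "UCG-Ultra",      "version": "4.3.5",      "mgmt_on_wan": True},
]

def triage(inventory):
    """Return (name, status, priority), worst first.

    0 = not confirmed patched and management reachable from the WAN
    1 = not confirmed patched, internal only
    2 = patched but management still on the WAN (fix the exposure anyway)
    3 = patched, internal only
    """
    rows = []
    for d in inventory:
        status = classify(d["model"], d["version"])
        patched = status == "patched"
        prio = (2 if patched else 0) + (0 if d["mgmt_on_wan"] else 1)
        rows.append((prio, d["name"], status))
    rows.sort()
    return [(name, status, prio) for prio, name, status in rows]

if __name__ == "__main__":
    for name, status, prio in triage(INVENTORY):
        print(f"P{prio}  {name:10s} {status}")
```

Anything that is not literally "patched" is treated as work to do: an unknown model or a model without a published fixed version is a gap in your knowledge, not evidence of safety.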

Conclusion

Three simultaneous CVSS 10.0 vulnerabilities in networking equipment used by hundreds of thousands of organizations is a five-alarm fire. The fact that all three allow unauthenticated remote exploitation means the attack bar is as low as it gets — no phishing, no credential stuffing, no social engineering required. Just point and shoot at any of the 100,000 exposed devices.

If you run Ubiquiti UniFi gear — and millions of businesses and homelabbers do — stop reading and patch. Right now. Before this article finishes loading, someone is probably writing a Metasploit module for CVE-2026-34910.
