Ubiquiti Patches Critical Vulnerabilities in UniFi OS Exposing Remote Attacks

Ubiquiti Patches Critical Vulnerabilities in UniFi OS Exposing Remote Attacks

First seen 22 May 2026, 18:39 UTC BleepingcomputerCybersecuritynewsScworldGbhackersCsa.Sg+18 90% similarity 78.0

Article Content

Browse articles
ThreatCluster

Ubiquiti has issued security updates for five critical vulnerabilities in UniFi OS, including three maximum severity flaws (CVE-2026-34908, CVE-2026-34909, CVE-2026-34910) that allow remote attackers to execute unauthorized commands and escalate privileges. The vulnerabilities can be exploited without user privileges and were reported through Ubiquiti's HackerOne bug bounty program. Censys reports nearly 100,000 internet-exposed UniFi OS endpoints, predominantly in the U.S. Ubiquiti has not confirmed if these vulnerabilities were exploited in the wild prior to the patch release. The company has a history of being targeted by state-backed groups and cybercriminals, with previous incidents involving botnets utilizing compromised devices. Additional vulnerabilities patched include a critical command injection flaw (CVE-2026-33000) and a high-severity information disclosure issue (CVE-2026-34911).

Key Points: • Ubiquiti patched five critical vulnerabilities in UniFi OS, including three maximum severity flaws. • The vulnerabilities allow remote attackers to execute commands and escalate privileges without authentication. • Censys reports nearly 100,000 exposed UniFi OS endpoints, primarily located in the U.S.

ThreatCluster AI

Timeline

2022-04-15
CISA adds CVE-2010-5330 to active exploitation list
CISA included a critical command injection flaw in Ubiquiti AirOS to its catalog of actively exploited vulnerabilities.
Bleepingcomputer
2024-02-01
FBI disrupts Moobot botnet
The FBI took down the Moobot botnet, which had exploited compromised Ubiquiti routers for cyberespionage activities.
Bleepingcomputer
2026-03-19
CVE-2026-22557 and CVE-2026-22558 published
Ubiquiti disclosed two maximum severity vulnerabilities in the UniFi Network Application, allowing account takeovers and privilege escalation.
Bleepingcomputer
2026-05-22
Ubiquiti patches five critical vulnerabilities
Ubiquiti released updates for CVE-2026-34908, CVE-2026-34909, CVE-2026-34910, CVE-2026-33000, and CVE-2026-34911, addressing severe security flaws in UniFi OS.
Bleepingcomputer
2026-05-22
CVE-2026-34911 published
Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
MITRE
2026-05-22
CVE-2026-34909 published
Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
MITRE
2026-05-22
CVE-2026-33000 published
Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
MITRE
2026-05-22
CVE-2026-34908 published
Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
MITRE
2026-05-22
CVE-2026-34910 published
Vulnerability assigned a CVE identifier and published in the National Vulnerability Database.
MITRE

Community

Browse all →