CVE-2026-34909: Critical Path Traversal in Ubiquiti UniFi OS
A network-accessible path traversal flaw in Ubiquiti UniFi OS lets an attacker read files on the underlying system and leverage them to take over an account, and CISA has added it to the Known Exploited Vulnerabilities catalog.
What Is It
CVE-2026-34909 is a path traversal vulnerability (CWE-22) in Ubiquiti UniFi OS. According to the NVD record, an attacker with network access to the device can use the flaw to read files on the underlying system, and the contents of those files can then be leveraged to gain access to an underlying account. The CVE was published on 2026-05-22 and is currently undergoing analysis at NVD.
Why It Matters
The vulnerability carries a CVSS 3.1 base score of 10.0 (CRITICAL), with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H: it is reachable over the network with low attack complexity, needs no privileges and no user interaction, and causes a high loss of confidentiality, integrity and availability with changed scope, meaning the impact extends beyond the vulnerable component itself. CISA added the CVE to its Known Exploited Vulnerabilities catalog on 2026-06-23, which indicates evidence of active exploitation in the wild. Known use in ransomware campaigns is listed as Unknown.
What's Vulnerable
The flaw affects a broad range of Ubiquiti UniFi OS devices, each fixed in a specific release:
- UniFi OS Server; before 5.0.8
- Express; before 4.0.14
- UDM, UDM-Pro, UDM-SE, UDM-Pro-Max; before 5.1.12
- UDM-Beast; before 5.1.11
- EFG, UDW, UDR, UDR7, UDR-5G, Express 7; before 5.1.12
- UNVR, UNVR-Pro, UNVR-Instant, UNVR-G2, UNVR-G2-Pro, ENVR, ENVR-Core; before 5.1.12
- UNAS-2, UNAS-4, UNAS-Pro, UNAS-Pro-4, UNAS-Pro-8; before 5.1.10
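As an added check (not from the advisory or from Ubiquiti), the script below encodes the fixed releases listed above and classifies an inventory of consoles into vulnerable, patched and unlisted. The FIXED_IN table is transcribed from the list; the function names and the sample inventory are constructed for illustration and do not describe real devices.

```python
import re

# Fixed UniFi OS release per product, transcribed from the advisory's affected list.
# Keys are product names exactly as the advisory spells them.
FIXED_IN = {
    "UniFi OS Server": "5.0.8",
    "Express": "4.0.14",
    "UDM": "5.1.12", "UDM-Pro": "5.1.12", "UDM-SE": "5.1.12", "UDM-Pro-Max": "5.1.12",
    "UDM-Beast": "5.1.11",
    "EFG": "5.1.12", "UDW": "5.1.12", "UDR": "5.1.12", "UDR7": "5.1.12",
    "UDR-5G": "5.1.12", "Express 7": "5.1.12",
    "UNVR": "5.1.12", "UNVR-Pro": "5.1.12", "UNVR-Instant": "5.1.12",
    "UNVR-G2": "5.1.12", "UNVR-G2-Pro": "5.1.12", "ENVR": "5.1.12", "ENVR-Core": "5.1.12",
    "UNAS-2": "5.1.10", "UNAS-4": "5.1.10", "UNAS-Pro": "5.1.10",
    "UNAS-Pro-4": "5.1.10", "UNAS-Pro-8": "5.1.10",
}

_VERSION_RE = re.compile(r"^v?(\d+(?:\.\d+)*)")


def parse_version(s):
    """Turn '5.1.12', 'v5.1.12' or '5.1.12.abcdef' into a comparable tuple of ints.
    Anything after the leading dotted-numeric run (build suffixes) is ignored."""
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError("unrecognised version string: %r" % s)
    return tuple(int(p) for p in m.group(1).split("."))


def is_vulnerable(model, version):
    """True if the running UniFi OS version is older than the fixed release
    for this model. Raises KeyError for a model the advisory does not list."""
    return parse_version(version) < parse_version(FIXED_IN[model])


def audit(inventory):
    """Classify (name, model, version) rows into 'vulnerable', 'patched'
    and 'unknown' (model absent from the advisory, so no verdict)."""
    result = {"vulnerable": [], "patched": [], "unknown": []}
    for name, model, version in inventory:
        if model not in FIXED_IN:
            result["unknown"].append(name)
        elif is_vulnerable(model, version):
            result["vulnerable"].append(name)
        else:
            result["patched"].append(name)
    return result


# Constructed sample inventory (hostname, model, UniFi OS version); not real devices.
SAMPLE_INVENTORY = [
    ("gw-hq", "UDM-Pro", "5.1.11"),
    ("gw-branch", "UDM-SE", "5.1.12"),
    ("nas-lab", "UNAS-Pro", "5.1.9"),
    ("nvr-lobby", "UNVR", "v5.1.12.1234"),          # build suffix is ignored
    ("srv-ctl", "UniFi OS Server", "5.0.7"),
    ("misc-01", "SomeOtherDevice", "4.70.0"),       # not in the advisory: unknown
]

if __name__ == "__main__":
    for bucket, names in audit(SAMPLE_INVENTORY).items():
        print("%-10s %s" % (bucket, ", ".join(names) or "-"))
```

The comparison is on the UniFi OS (console) version, not on the UniFi Network application version shown inside the controller UI; the two are versioned independently, so make sure the inventory column you feed in is the OS version. Model names are matched literally against the advisory's spelling, so a device reported under a different name needs mapping first.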
Patch Status
The UniFi OS releases listed above resolve the issue. CISA requires affected organizations to apply mitigations in accordance with vendor instructions, in line with BOD 26-04 patching guidance and CISA's Forensics Triage Requirements; if mitigations are unavailable, follow the applicable BOD 26-04 guidance for cloud services or discontinue use of the product. The remediation due date is 2026-06-26.