CVE-2026-34910: Critical Command Injection in Ubiquiti UniFi OS

"A network-accessible improper input validation flaw in Ubiquiti UniFi OS devices allows command injection, carries a maximum CVSS score of 10.0, and has been added to CISA's Known Exploited Vulnerabilities catalog."

A network-accessible improper input validation flaw in Ubiquiti UniFi OS devices allows command injection, carries a maximum CVSS score of 10.0, and has been added to CISA's Known Exploited Vulnerabilities catalog.

What Is It

CVE-2026-34910 is an improper input validation vulnerability (CWE-20) in Ubiquiti UniFi OS. According to NVD and the CISA KEV entry, a malicious actor with access to the network can exploit the flaw to execute a command injection on affected UniFi OS devices.

Why It Matters

The vulnerability is rated CVSS 10.0 (Critical) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, network-reachable, low attack complexity, no privileges or user interaction required, and a scope change with high confidentiality, integrity, and availability impact. CISA added it to the KEV catalog on 2026-06-23, confirming active exploitation in the wild. Known ransomware campaign use is listed as Unknown.

What's Vulnerable

Per the NVD record, a broad range of Ubiquiti UniFi OS products are affected below specific fixed versions, including:

UniFi OS Server: versions before 5.0.8
UDM, UDM-Pro, UDM-SE, UDM-Pro-Max, UDR, UDR7, UDR-5G, UDW, EFG, Express 7, UCKP: before 5.1.12
UNVR, UNVR-Pro, UNVR-Instant, UNVR-G2, UNVR-G2-Pro, ENVR, ENVR-Core: before 5.1.12
UDM-Beast: before 5.1.11
UNAS-2, UNAS-4, UNAS-Pro, UNAS-Pro-4, UNAS-Pro-8: before 5.1.10

Patch Status

CISA's required action is to apply mitigations per vendor instructions in line with BOD 26-04 guidance and the "Forensics Triage Requirements," with a due date of 2026-06-26. For cloud services, follow applicable BOD 26-04 guidance, or discontinue use of the product if mitigations are unavailable. Stakeholders must evaluate each asset's internet exposure and ensure adherence to BOD 26-04 patching guidelines. Upgrade affected devices to the fixed versions listed above.

Sources

Ubiquiti Security Advisory Bulletin 064; https://community.ui.com/releases/Security-Advisory-Bulletin-064-064/84811c09-4cf4-42ab-bd61-cc994445963b
NVD, CVE-2026-34910, https://nvd.nist.gov/vuln/detail/CVE-2026-34910
CISA KEV Catalog; https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-34910
CISA BOD 26-04; https://www.cisa.gov/news-events/directives/bod-26-04-prioritizing-security-updates-based-risk