CISA Warns of Ubiquiti UniFi OS Vulnerability Actively Exploited in Attacks

Jun 24, 2026

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added multiple Ubiquiti UniFi OS vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, warning that at least one of the flaws is now being actively exploited in the wild.

Federal civilian agencies and operators of other UniFi deployments are urged to prioritize patching by June 26, 2026, in line with CISA’s Binding Operational Directive (BOD) 26-04.

According to the advisory, the most critical issue, tracked as CVE-2026-34908, stems from improper access control in Ubiquiti UniFi OS. An attacker with network access can make unauthorized changes to the system, potentially altering configurations, disabling security controls, or manipulating network behavior within affected environments.

CISA notes that stakeholders must assess each asset’s internet exposure and ensure updates are prioritized based on risk, especially where UniFi management interfaces are reachable from untrusted networks.

CISA also flagged two additional UniFi OS flaws that could be chained with the access control issue for deeper compromise. CVE-2026-34909 is a path traversal vulnerability that allows an authenticated or local attacker with network access to read or manipulate files on the underlying system, which could then be abused to gain access to an underlying account.

CVE-2026-34910, an improper input validation bug, enables command injection, giving an attacker the ability to execute arbitrary commands on the device once a foothold is established.

While there is currently no confirmed evidence that these specific UniFi OS flaws are being used in ransomware campaigns, CISA has classified the exploitation status as “unknown” and warns that the access gained through these issues aligns with common ransomware operator tradecraft.

Once a UniFi controller or gateway is compromised, threat actors could pivot into internal networks, harvest credentials, or tamper with traffic flows to support data theft, lateral movement, or disruptive attacks.

CISA directs organizations to apply mitigations in accordance with Ubiquiti’s vendor guidance and to align actions with BOD 26-04’s risk-based patching requirements and CISA’s Forensics Triage Requirements.

For cloud-hosted UniFi deployments, agencies must follow the portions of BOD 26-04 that specifically address cloud services or discontinue use of the product if mitigations or patches are not available in time.

Operators are reminded that they are responsible for evaluating exposure, ensuring accelerated patching of internet-facing systems, and maintaining logs to support rapid forensic triage in the event of suspected exploitation.

Source: CybersecurityNews.com
