Critical RCE Chain Discovered in Ubiquiti UniFi OS Servers
Security researchers at Bishop Fox have uncovered a critical exploit chain in Ubiquiti UniFi OS servers, allowing attackers to achieve unauthenticated remote code execution (RCE) with root privileges. The attack leverages three previously patched vulnerabilities (CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910), which were addressed in May but can be chained to bypass authentication and execute arbitrary commands.
The flaws affect UniFi OS Server versions 5.0.6 and earlier, with each vulnerability playing a distinct role in the exploit:
- CVE-2026-34908 (Improper Access Control) – Enables unauthorized system modifications.
- CVE-2026-34909 (Path Traversal) – Exposes files on the underlying OS.
- CVE-2026-34910 (Command Injection) – Allows arbitrary command execution.
By combining these vulnerabilities, attackers can bypass authentication via a URI normalization mismatch in UniFi OS’s request handling. Once inside, they exploit a package-update endpoint to inject commands, which execute under a highly privileged service account with passwordless sudo access, making root escalation trivial.
Bishop Fox validated the attack on a UniFi OS Server 5.0.6 instance, confirming that no credentials or user interaction are required to gain a root shell. Since UniFi OS servers manage network infrastructure, including physical access controls, surveillance, and identity systems, a compromise grants attackers full administrative control over an organization’s environment.
While the researchers did not release a full proof-of-concept (PoC), they provided a detection script to identify vulnerable instances. The tool safely checks for exposure without executing malicious commands, classifying systems as "vulnerable," "patched," "unaffected," or "inconclusive." However, it does not detect past exploitation or backdoors, as the attack leaves no authentication logs.
Defenders are advised to upgrade to UniFi OS Server 5.0.8 or later, though organizations should verify the integrity of updated systems to ensure they were not previously compromised. Additional monitoring recommendations include tracking requests to /api/auth/validate-sso/ and /ucs/update/latest_package, as well as suspicious processes under ucs-update.
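Turning the monitoring recommendation above into a log check, as an added example that is not from Bishop Fox or Ubiquiti: it scans access-log lines from a reverse proxy in front of UniFi OS (Common Log Format assumed; the sample lines are constructed) for the two endpoints named in the advisory. Because the root cause is a URI normalization mismatch, it matches on the normalized path rather than the raw string and flags requests that only match after normalization.

```python
import posixpath
import re

# Endpoints the advisory recommends watching.
WATCHED_PATHS = ("/api/auth/validate-sso/", "/ucs/update/latest_package")

# Assumed Common Log Format, as written by nginx or Apache in front of UniFi OS.
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample log; the third and fifth lines hit watched endpoints
# only after the path is normalized.
SAMPLE_LOG = """\
203.0.113.5 - - [12/May/2026:10:01:02 +0000] "GET /api/system/info HTTP/1.1" 200 512
203.0.113.7 - - [12/May/2026:10:01:09 +0000] "POST /api/auth/validate-sso/ HTTP/1.1" 200 88
203.0.113.7 - - [12/May/2026:10:01:15 +0000] "POST //ucs/update/latest_package HTTP/1.1" 200 41
203.0.113.9 - - [12/May/2026:10:02:00 +0000] "GET /static/app.js HTTP/1.1" 304 0
203.0.113.7 - - [12/May/2026:10:02:31 +0000] "POST /ucs/./update/%6catest_package HTTP/1.1" 200 41
"""

def request_path(target: str) -> str:
    """Request target without query string or fragment (urlsplit would
    misread a leading '//' as a host, so split by hand)."""
    return target.split("#", 1)[0].split("?", 1)[0]

def normalize_path(target: str) -> str:
    """Canonicalize a path so percent-encoded, doubled-slash or dot-segment
    spellings compare equal to the plain form the app server would resolve."""
    from urllib.parse import unquote
    path = unquote(unquote(request_path(target)))  # single and double encoding
    path = re.sub(r"/+", "/", path)                # collapse runs of slashes
    trailing = path.endswith("/")
    path = posixpath.normpath(path)                # resolve "." and ".." segments
    return path + "/" if trailing and not path.endswith("/") else path

def scan_log(lines):
    """Return one record per request whose normalized path is a watched endpoint."""
    watched = {p.rstrip("/") for p in WATCHED_PATHS}
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = normalize_path(m["target"])
        if path.rstrip("/") not in watched:
            continue
        hits.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                     "status": m["status"], "raw": m["target"], "path": path,
                     # Matched only after normalization: worth a closer look.
                     "obfuscated": request_path(m["target"]) != path})
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print(hit)
```

Feed it a real access log with `scan_log(open(path))`; a hit with `obfuscated` set, or any hit from an unexpected source address, is the signal to correlate with process activity under ucs-update.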
Ubiquiti cybersecurity rating report: https://www.rankiteo.com/company/ubiquiti