Executive Summary
A critical unauthenticated command injection vulnerability (CVE-2026-34910) has been disclosed in UniFi OS — the firmware platform powering Ubiquiti's gateways, cloud keys, and UniFi Dream Machine devices. Unlike the companion CVE-2026-33000 (which requires high privileges), this flaw is exploitable by any network-accessible attacker with no credentials whatsoever, making it the most severe of the UniFi OS vulnerabilities disclosed on May 22, 2026.
CVSS Score: 10.0 (Critical)
An attacker with network connectivity to the device's management interface can send a single crafted request to trigger arbitrary OS command execution. The attack requires no prior authentication, no user interaction, and has low complexity — conditions that make mass exploitation trivial and automated scanning campaigns highly effective.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-34910 |
| CVSS Score | 10.0 (Critical) |
| Type | Command Injection (Improper Input Validation) |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Confidentiality Impact | High |
| Integrity Impact | High |
| Availability Impact | High |
| Patch Available | Check Ubiquiti Security Advisory |
Affected Products
| Product | Affected Scope | Remediation |
|---|---|---|
| Ubiquiti UniFi OS | All unpatched firmware versions | Apply vendor security update immediately |
| UniFi Dream Machine / Pro / SE / Ultra | Pre-patch firmware | Update via UniFi Network Application |
| UniFi Cloud Gateway | Pre-patch firmware | Firmware update required |
| UniFi Cloud Key Gen 2 / Plus | Pre-patch firmware | Firmware update required |
Technical Analysis
Root Cause
CVE-2026-34910 shares the same root cause class as CVE-2026-33000 — improper input validation leading to command injection. However, the critical distinction is that the vulnerable component in CVE-2026-34910 is accessible prior to authentication. The UniFi OS service processes attacker-controlled input in a pre-auth code path, passing it unsanitized to an OS command execution function.
This means the entire authentication layer is bypassed: the vulnerability exists in a handler that runs before any credential check occurs.
Attack Flow
1. Attacker discovers a UniFi OS device via port scan or Shodan/Censys enumeration
(management interface on TCP 443 — no authentication required)
2. Attacker sends a single crafted HTTP/HTTPS request to the vulnerable pre-auth endpoint
with OS command payload embedded in a parameter (e.g., filename, device name field)
3. UniFi OS passes the unsanitized parameter to an OS shell command without authentication check
4. Injected commands execute on the device's host OS (typically as root or a privileged service)
5. Attacker achieves:
- Reverse shell access
- SSH key injection for persistent access
- VPN/credential exfiltration
- Network traffic interception
6. Full device and network compromise — zero credentials requiredMass Exploitation Risk
The combination of unauthenticated access, low complexity, and network-level attack vector makes CVE-2026-34910 ideal for automated mass exploitation:
- Shodan/Censys exposure: UniFi management interfaces exposed to the internet are trivially discoverable
- Scripted exploitation: A single HTTP request is all that is needed — trivial to automate in scanning campaigns
- Botnet recruitment: Compromised UniFi devices have been historically recruited into botnets due to their always-on nature and trusted network position
- Ransomware pre-positioning: Compromise of the network gateway enables attacker VLAN bypass and lateral movement to all connected hosts
Impact Assessment
| Impact Area | Description |
|---|---|
| Unauthenticated RCE | Full OS command execution with no credentials required |
| Full Device Takeover | Root-level access to the UniFi OS gateway |
| Network-wide Lateral Movement | Pivot through the compromised gateway to all connected hosts |
| Traffic Interception | DNS manipulation, MITM for all client traffic |
| Credential Harvesting | VPN keys, RADIUS secrets, admin passwords extracted |
| Persistent Backdoor | SSH key injection or cron-based persistence survives reboots |
| Botnet / DDoS Recruitment | Device co-opted for attack infrastructure |
Immediate Remediation
Step 1: Apply Firmware Patch — Emergency Priority
This vulnerability warrants emergency patching. Apply the firmware update immediately:
# Check current firmware via SSH (if accessible)
ubnt-device-info firmware
# Apply firmware via UniFi Network Application:
# Settings → System → Updates → Update Firmware
# Or download directly from ui.com/download and apply via device UIStep 2: Emergency Network Isolation (Pre-Patch)
If immediate patching is not possible, isolate the device's management interface:
# IMMEDIATELY block external access to UniFi management ports
# Apply upstream firewall rules to block TCP 443, TCP 22, UDP 10001
# from any untrusted network source
# Example upstream ACL (on your perimeter firewall):
# DENY ANY → <UniFi_Device_IP> TCP 443
# DENY ANY → <UniFi_Device_IP> TCP 22
# PERMIT 10.10.10.0/24 → <UniFi_Device_IP> ANY (management hosts only)
# If the UniFi management port is internet-exposed, this is a P0 emergencyStep 3: Determine Exposure Window
# Check if the management interface has been reachable from untrusted networks
# Review firewall logs for inbound connections to the device's management IP
# Check device access logs for unusual HTTP requests
grep "\.\.\|exec\|cmd\|shell\|wget\|curl" /var/log/nginx/access.log 2>/dev/null
grep "\.\.\|exec\|cmd\|shell\|wget\|curl" /var/log/lighttpd/access.log 2>/dev/nullStep 4: Post-Patch Credential Rotation
# After patching, assume full compromise if device was internet-exposed
# 1. Rotate all admin account passwords
# 2. Rotate VPN pre-shared keys (all site-to-site tunnels)
# 3. Rotate RADIUS/802.1X secrets
# 4. Regenerate TLS certificates
# 5. Revoke SSH host keys and regenerate
# 6. Review all firewall rules for unauthorized modifications
# 7. Audit all connected device configurations for tamperingDetection Indicators
| Indicator | Description |
|---|---|
| Pre-auth HTTP requests with injection payloads in access logs | Active exploitation attempt |
| Outbound connections from UniFi device to unknown IPs post-request | Reverse shell establishment |
New entries in /root/.ssh/authorized_keys | SSH persistence after exploitation |
| New cron jobs or modified system files | Post-exploitation persistence |
| Unexpected DNS configuration changes | Traffic redirection setup |
| Firewall rules altered or removed | Attacker opening lateral movement paths |
| New admin accounts in UniFi Network UI | Post-exploitation account creation |
| Unusual high-privilege process spawned by web service | Command execution evidence |
Post-Remediation Checklist
- Apply firmware patch immediately — treat as emergency if management interface is internet-exposed
- Assume full compromise if device was reachable from untrusted networks without patching
- Rotate every secret — admin passwords, VPN PSKs, RADIUS secrets, TLS certificates, SSH keys
- Audit all firewall rules — restore any rules that were modified or deleted
- Inspect connected device configs — access points, switches, cameras may have been reconfigured
- Check DNS settings — restore if redirected by attacker
- Review DHCP leases and VLAN assignments — verify no rogue devices were granted access
- Engage incident response if exploitation is suspected — network forensics required
- Patch companion CVEs — CVE-2026-33000, CVE-2026-34908, CVE-2026-34909 affect the same platform