CVE-2026-34910

CVSS 10 CRITICAL | EPSS 78.6% | KEV | CWE-20

In short

A person with network access to UniFi OS devices can inject malicious commands because the system doesn't properly check input, allowing them to run unauthorized code on the device.

Technical detail

CWE-20 (Improper Input Validation) in UniFi OS permits command injection by threat actors with access to the network. Exploitation requires network access; attackers can bypass input sanitization to execute arbitrary commands with device privileges.

Summary generated and translated by AI from the official description.
A malicious actor with access to the network could exploit an Improper Input Validation vulnerability found in UniFi OS devices to execute a Command Injection.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
