CRITICAL🚩 CISA KEV⚡ EXPLOIT✓ PATCH🇵🇱 Wersja polska

CVE-2026-34908

CVSS 10.0v3.1pub. 2026-05-22upd. 2026-06-24

A malicious actor with access to the network could exploit an Improper Access Control vulnerability found in UniFi OS devices to make unauthorized changes to the system.

🤖 AI Analysis
How it works

An attacker with access to the network where UniFi OS devices operate can exploit improperly implemented access control to perform system operations without required authentication or authorization. The vulnerability does not require user interaction or special privileges, and its scope covers components beyond the directly attacked system (scope: changed). The network vector and lack of prerequisites make the exploit relatively easy to perform from the local network level or potentially broader reach.

Impact

An attacker can make unauthorized changes to the configuration or operation of UniFi OS, which may lead to violations of confidentiality, integrity, and availability of the device and the network infrastructure it supports.

Mitigation & patch

Apply patches available from the manufacturer according to the references — detailed patch versions are available in the Ubiquiti security advisory: https://community.ui.com/releases/Security-Advisory-Bulletin-064-064/84811c09-4cf4-42ab-bd61-cc994445963b

Who is affected

Devices running UniFi OS — detailed information about affected versions is indicated in the manufacturer's references (Security Advisory Bulletin 064)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Ui Enterprise Fortress Gateway

    HW
    Ui
    wszystkie wersje
  • Ui Enterprise Fortress Gateway Firmware

    OS
    Ui
    < 5.1.12
  • Ui Enterprise Network Video Recorder

    HW
    Ui
    wszystkie wersje
  • Ui Enterprise Network Video Recorder Core

    HW
    Ui
    wszystkie wersje
  • Ui Enterprise Network Video Recorder Core Firmware

    OS
    Ui
    < 5.1.12
  • Ui Enterprise Network Video Recorder Firmware

    OS
    Ui
    < 5.1.12
  • Ui Unas 2

    HW
    Ui
    wszystkie wersje
  • Ui Unas 2 Firmware

    OS
    Ui
    < 5.1.10
  • Ui Unas 4

    HW
    Ui
    wszystkie wersje
  • Ui Unas 4 Firmware

    OS
    Ui
    < 5.1.10
  • Ui Unas Pro

    HW
    Ui
    wszystkie wersje
  • Ui Unas Pro 4

    HW
    Ui
    wszystkie wersje
  • Ui Unas Pro 4 Firmware

    OS
    Ui
    < 5.1.10
  • Ui Unas Pro 8

    HW
    Ui
    wszystkie wersje
  • Ui Unas Pro 8 Firmware

    OS
    Ui
    < 5.1.10
  • Ui Unas Pro Firmware

    OS
    Ui
    < 5.1.10
  • Ui Unifi Cloud Gateway Fiber

    HW
    Ui
    wszystkie wersje
  • Ui Unifi Cloud Gateway Fiber Firmware

    OS
    Ui
    < 5.1.12
  • Ui Unifi Cloud Gateway Industrial

    HW
    Ui
    wszystkie wersje
  • Ui Unifi Cloud Gateway Industrial Firmware

    OS
    Ui
    < 5.1.12
  • Ui Unifi Cloud Gateway Max

    HW
    Ui
    wszystkie wersje
  • Ui Unifi Cloud Gateway Max Firmware

    OS
    Ui
    < 5.1.12
  • Ui Unifi Cloud Gateway Ultra

    HW
    Ui
    wszystkie wersje
  • Ui Unifi Cloud Gateway Ultra Firmware

    OS
    Ui
    < 5.1.12
  • Ui Unifi Cloudkey

    HW
    Ui
    wszystkie wersje
  • Ui Unifi Cloudkey Enterprise

    HW
    Ui
    wszystkie wersje
  • Ui Unifi Cloudkey Enterprise Firmware

    OS
    Ui
    < 5.1.12
  • Ui Unifi Cloudkey Firmware

    OS
    Ui
    < 5.1.12
  • Ui Unifi Cloud Key Plus

    HW
    Ui
    wszystkie wersje
  • Ui Unifi Cloud Key Plus Firmware

    OS
    Ui
    < 5.1.12

CISA KEV — detailsi

Vendori
Ubiquiti
Producti
UniFi OS
Added to KEVi
June 23, 2026
Remediation deadline (US Federal)i
June 26, 2026(overdue)
Required action (CISA)i

Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.

CISA descriptioni

Ubiquiti UniFi OS contains an improper access control vulnerability which could allow a malicious actor with access to the network to make unauthorized changes to the system.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
CISA DEADLINE: 26 czerwca 2026
CWE
References

Related vulnerabilities

CVE-2026-34910CRITICAL10.0⚠ KEVPL ✓ten sam produkt

Command Injection w UniFi OS via nieprawidłowa walidacja wejścia

CVE-2026-34909CRITICAL10.0⚠ KEVPL ✓ten sam produkt

Path Traversal w UniFi OS — dostęp do plików systemowych i przejęcie konta

CVE-2026-33000CRITICAL9.1PL ✓ten sam produkt

Command Injection w UniFi OS — podatność na wstrzyknięcie poleceń

CVE-2023-24104CRITICAL9.8ten sam produkt

Ubiquiti Networks UniFi Dream Machine Pro v7.2.95 allows attackers to bypass domain restrictions via crafted p...

CVE-2026-34911HIGH7.7ten sam produkt

A malicious actor with access to the network and low privileges could exploit a Path Traversal vulnerability f...