CRITICAL🚩 CISA KEV⚡ EXPLOIT✓ PATCH🇵🇱 Wersja polska

CVE-2026-34910

CVSS 10.0v3.1pub. 2026-05-22upd. 2026-06-24

A malicious actor with access to the network could exploit an Improper Input Validation vulnerability found in UniFi OS devices to execute a Command Injection.

🤖 AI Analysis
How it works

An attacker with access to the network in which UniFi OS devices operate can send specially crafted input data to the vulnerable system component. Due to the lack of proper validation of this data, malicious data is interpreted as system commands and executed by the device. The vulnerability is remotely exploitable without the need for privileges or user engagement.

Impact

Successful exploitation of this vulnerability allows an attacker to remotely execute arbitrary system commands on the device (command injection), which may lead to complete takeover of the device, loss of confidentiality and integrity of data, and disruption of service availability.

Mitigation & patch

Apply patches available from the manufacturer in accordance with the references. Detailed information about versions containing fixes is available in the Ubiquiti security bulletin at the address indicated in the references section.

Who is affected

Devices running UniFi OS — versions indicated in the manufacturer's references

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Ui Enterprise Fortress Gateway

    HW
    Ui
    wszystkie wersje
  • Ui Enterprise Fortress Gateway Firmware

    OS
    Ui
    < 5.1.12
  • Ui Enterprise Network Video Recorder

    HW
    Ui
    wszystkie wersje
  • Ui Enterprise Network Video Recorder Core

    HW
    Ui
    wszystkie wersje
  • Ui Enterprise Network Video Recorder Core Firmware

    OS
    Ui
    < 5.1.12
  • Ui Enterprise Network Video Recorder Firmware

    OS
    Ui
    < 5.1.12
  • Ui Unas 2

    HW
    Ui
    wszystkie wersje
  • Ui Unas 2 Firmware

    OS
    Ui
    < 5.1.10
  • Ui Unas 4

    HW
    Ui
    wszystkie wersje
  • Ui Unas 4 Firmware

    OS
    Ui
    < 5.1.10
  • Ui Unas Pro

    HW
    Ui
    wszystkie wersje
  • Ui Unas Pro 4

    HW
    Ui
    wszystkie wersje
  • Ui Unas Pro 4 Firmware

    OS
    Ui
    < 5.1.10
  • Ui Unas Pro 8

    HW
    Ui
    wszystkie wersje
  • Ui Unas Pro 8 Firmware

    OS
    Ui
    < 5.1.10
  • Ui Unas Pro Firmware

    OS
    Ui
    < 5.1.10
  • Ui Unifi Cloud Gateway Fiber

    HW
    Ui
    wszystkie wersje
  • Ui Unifi Cloud Gateway Fiber Firmware

    OS
    Ui
    < 5.1.12
  • Ui Unifi Cloud Gateway Industrial

    HW
    Ui
    wszystkie wersje
  • Ui Unifi Cloud Gateway Industrial Firmware

    OS
    Ui
    < 5.1.12
  • Ui Unifi Cloud Gateway Max

    HW
    Ui
    wszystkie wersje
  • Ui Unifi Cloud Gateway Max Firmware

    OS
    Ui
    < 5.1.12
  • Ui Unifi Cloud Gateway Ultra

    HW
    Ui
    wszystkie wersje
  • Ui Unifi Cloud Gateway Ultra Firmware

    OS
    Ui
    < 5.1.12
  • Ui Unifi Cloudkey

    HW
    Ui
    wszystkie wersje
  • Ui Unifi Cloudkey Enterprise

    HW
    Ui
    wszystkie wersje
  • Ui Unifi Cloudkey Enterprise Firmware

    OS
    Ui
    < 5.1.12
  • Ui Unifi Cloudkey Firmware

    OS
    Ui
    < 5.1.12
  • Ui Unifi Cloud Key Plus

    HW
    Ui
    wszystkie wersje
  • Ui Unifi Cloud Key Plus Firmware

    OS
    Ui
    < 5.1.12

CISA KEV — detailsi

Vendori
Ubiquiti
Producti
UniFi OS
Added to KEVi
June 23, 2026
Remediation deadline (US Federal)i
June 26, 2026(overdue)
Required action (CISA)i

Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.

CISA descriptioni

Ubiquiti UniFi OS contains an improper input validation vulnerability which could allow a malicious actor with access to the network to conduct command injection.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
CISA DEADLINE: 26 czerwca 2026
CWE
References

Related vulnerabilities

CVE-2026-34909CRITICAL10.0⚠ KEVPL ✓ten sam produkt

Path Traversal w UniFi OS — dostęp do plików systemowych i przejęcie konta

CVE-2026-34908CRITICAL10.0⚠ KEVPL ✓ten sam produkt

Nieprawidłowa kontrola dostępu w UniFi OS — nieautoryzowane zmiany systemowe

CVE-2026-33000CRITICAL9.1PL ✓ten sam produkt

Command Injection w UniFi OS — podatność na wstrzyknięcie poleceń

CVE-2023-24104CRITICAL9.8ten sam produkt

Ubiquiti Networks UniFi Dream Machine Pro v7.2.95 allows attackers to bypass domain restrictions via crafted p...

CVE-2026-34911HIGH7.7ten sam produkt

A malicious actor with access to the network and low privileges could exploit a Path Traversal vulnerability f...