All an attacker needs to do is get onto the same network as your UniFi device in order to exploit any number of bugs which will allow them to run their own code, read or write any file, and totally take down a wide variety of unpatched UniFi OS systems, including routers, firewalls, gateways, NVRs, and various forms of business software.
- CISA says these exploits are already occurring.
- Attackers are now utilizing three critical bugs in the UniFi line to create botnets.
- CISA orders emergency patches for the bugs.
More bugs are popping up.
Over the last 30 days, Ubiquiti has fixed a whole bunch of critical bugs through advisories.
Since May 21st, 2026, when the vendor patched three "perfect" 10-out-of-10 severity bugs which were being actively exploited by threat actors according to CISA's warning, multiple more critical bugs have come out from Ubiquiti.
Three more critical bugs were added to CISA's Known Exploited Vulnerabilities Catalog because they were seen being used by hackers. CISA directed federal agencies to patch by June 26th, 2026.
A botnet is currently being built with compromised UniFi devices. Hackers are probing honeypots to find exposed devices so they may attack them. Researchers at PwnDefend reported they captured live attacks against UniFi devices within days of Ubiquiti posting the critical security advisory.
In the observed exploitation campaign, hackers launched the exploits from the IP address 176.65.148.183, using the Mirai loader to download malware that would turn the exposed UniFi router into a botnet node. However, hackers could use these bugs individually or together to get full-system root-level access to the targeted device.
"There is lots of flexibility," researchers said in their report.
All three bugs are "the worst possible."
CVE-2026-34908 is an improper access control bug that provides attackers who are connected to the network with the ability to modify any part of a UniFi OS system without permission.
CVE-2026-34909 is a path traversal bug that can be used by attackers to break normal file permissions, providing them with the opportunity to read and write files on the underlying operating system and gain complete access to the system.
CVE-2026-34910 is an improper input validation bug that permits attackers who connect to the network to perform command injection attacks.
Additional patches resolved two less severe bugs.
All three bugs affect UniFi OS systems, whether a network appliance, a network video recorder, or an identity management system:
- UniFi OS Server versions 5.0.6 and lower.
- UniFi Cloud Gateways running UCG-Industrial version 5.0.13 and lower.
- UniFi Dream Machine routers, security gateways/firewalls, network controllers, video recorders, and cloud gateway devices, UniFi Dream Machines, Enterprise Fortress Gateways, Dream Walls, Dream Routers, UniFi Express 7, Network Video Recordings produced by UniFi Dream Devices, and other devices that utilise software version 5.0.16 and lower.
- UniFi Dream Router 5G devices, enterprise video recorders, and Cloud Key network controllers utilising software version 5.0.17 and lower.
- Second generation UniFi Network Video Recorders (UNVR-G2 and UNVR-G2-Pro) utilising software version 5.1.11 and lower.
- UniFi Dream Machine Beast routers and NAS (network attached storage) devices utilising software version 5.1.8 and lower.
- UniFi Express devices utilising software version 4.0.13 and lower.
However, this is not the end of it. Two weeks ago, Ubiquiti issued another security advisory fixing newer critical bugs found after the previous advisory was issued.
The most significant is another improper input validation bug rated 9.9 out of 10, affecting numerous devices listed previously. Threat actors with minimal rights on the network can elevate privileges on a particular UniFi OS device or instance.
Additionally, another disclosed but less severe bug removes the requirement for low-privileged access to exploit the latest vulnerabilities. The new vulnerabilities have not been identified by CISA as known-exploit bugs, meaning no exploitation activity has been detected. Ubiquiti has since released another security advisory bulletin addressing these issues.