Ubiquiti has released security updates to address three maximum severity vulnerabilities in UniFi OS that could be exploited by remote attackers without privileges. UniFi OS is a unified operating system that powers UniFi Consoles and helps manage IT infrastructure, including networking, security, and other services, according to Bleeping Computer.The vulnerabilities, identified as CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910, allow for unauthorized system changes, path traversal for accessing underlying system files, and command injection attacks, respectively. A second critical command injection flaw (CVE-2026-33000) and a high-severity information disclosure (CVE-2026-34911) were also patched. These vulnerabilities can be exploited through low-complexity attacks and were reported via Ubiquiti's bug bounty program. Censys is tracking nearly 100,000 internet-exposed UniFi OS endpoints, with the majority in the United States.Ubiquiti products have previously been targeted by state-backed groups and cybercriminals, leading to their use in botnets for malicious activities. In February 2024, the FBI disrupted the Moobot botnet, which utilized compromised Ubiquiti routers. In April 2022, CISA added a critical command injection flaw in Ubiquiti AirOS to its catalog of actively exploited vulnerabilities.Source: Bleeping Computer
Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds




