Ubiquiti UniFi OS server vulnerabilities allow unauthenticated remote code execution

As reported by Bleeping Computer, attackers can chain three previously patched vulnerabilities in Ubiquiti UniFi OS servers to achieve unauthenticated remote code execution with root privileges.

The security flaws, tracked as CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910, were addressed in May and impacted UniFi OS Server versions 5.0.6 and earlier. While individually rated with maximum severity, their exploitation required network access.

Bishop Fox researchers discovered that these vulnerabilities can be chained together. CVE-2026-34908 (improper access control) and CVE-2026-34909 (path traversal) can bypass authentication, allowing access to a vulnerable endpoint. CVE-2026-34910 (command injection) then enables attackers to execute arbitrary commands.

Although initial commands do not run as root, the affected service account has passwordless sudo privileges, making privilege escalation trivial. This grants administrative control over network devices, surveillance cameras, and identity management systems governed by the UniFi OS Server.

Bishop Fox has released a detection script to help identify vulnerable instances, and recommends upgrading to UniFi OS Server 5.0.8 or later.

Source: Bleeping Computer
