Five Critical UniFi Flaws; No Login Needed to Tap All Network Traffic
Networking gear maker Ubiquiti has disclosed five vulnerabilities in its UniFi products, with three at the maximum CVSS 10.0. Without any login, attackers can hijack routers and access points and intercept all traffic across corporate and home networks. Updates are available via official advisory Bulletin 064 and should be applied immediately.
News
kkm
Backend Engineer / AWS / Django
Networking gear maker Ubiquiti has disclosed five vulnerabilities in its UniFi products, with three at the maximum CVSS 10.0. Without any login, attackers can hijack routers and access points and intercept all traffic across corporate and home networks. Updates are available via official advisory Bulletin 064 and should be applied immediately.
Networking gear maker Ubiquiti has disclosed five vulnerabilities in its "UniFi OS". Three of them carry the maximum CVSS score of 10.0, and the other two land at 7.7 and 9.1 — extremely severe across the board. Without any login, attackers can hijack the routers and access points that sit in the middle of corporate and home networks.
UniFi is a series of business / SOHO networking products from Ubiquiti, Inc. According to Ubiquiti Japan (UI Japan)'s official note, the appeal is "no licensing fees" and "all-in-one management" — routers, switches, wireless APs, and surveillance cameras all run from a single dashboard. In Japan, Sonet Corporation is the official distributor, with SIers such as Hirano Tsushin Kizai and Amiya handling sales — and the brand is firmly established among cost-conscious SMBs, startups, cafes, and coworking spaces.
The issues are disclosed in official advisory "Bulletin 064", dated May 21, 2026. The fact that three of them — CVE-2026-34908, 34909, and 34910 — are all CVSS 10.0 with no authentication required shows just how comprehensively UniFi OS's security guardrails have collapsed.
What UniFi is
UniFi is a package that covers your company's entire network with hardware from a single vendor. Key products that run on the same management surface (UniFi OS) include:
Headliners are the UniFi Dream Machine (UDM) all-in-one gateway, the UniFi Cloud Key small management server, the UniFi OS Console management appliance, various UniFi Switch models, and UniFi Access Point (AP) radios. Seeing all of them from a single pane of glass is the "UniFi way", and it has earned a reputation as easy to operate even in small offices without a dedicated IT staffer.
In Japan, as the Zenn article billing it as "the optimal answer for small venture office networks" shows, many engineers also deploy UniFi at home or in their own startup office. For roughly 50,000–100,000 yen, you get an "enterprise-flavored" network — a price point that also resonates with tech-leaning individual users.
And UniFi OS is the software in the middle of your network. Every internal communication passes through it. Hijack it, and everything beneath becomes visible to the attacker — that is the essence of today's vulnerabilities.
The five vulnerabilities
The disclosures in Bulletin 064 are:
| CVE ID | CVSS | Auth | Type |
|---|---|---|---|
| CVE-2026-34908 | 10.0 | None | Improper access control → system modification |
| CVE-2026-34909 | 10.0 | None | Path traversal → file read → account takeover |
| CVE-2026-34910 | 10.0 | None | Command injection → arbitrary code execution |
| CVE-2026-33000 | 9.1 | High | Command injection (via admin privileges) |
| CVE-2026-34911 | 7.7 | Low | Path traversal → restricted file access |
The first three (CVSS 10.0) share a common condition: "network reachability is enough — no authentication needed". Having a UniFi management port simply sitting on the corporate network is sufficient for the attack to land. In particular, CVE-2026-34910 — a command injection — is a critical-class flaw that lets an attacker run arbitrary commands on the UniFi device itself.
What happens when the attack succeeds
A hijacked UniFi OS hands the attacker control of the entire network below. Concrete scenarios:
Realistic damage scenarios
- ▸Traffic interception: web browsing, email, chat — all internal communication becomes visible to the attacker.
- ▸DNS rewriting: redirect access from legitimate sites to phishing sites and harvest credentials.
- ▸VPN tampering: drop in an attacker-controlled VPN tunnel and keep persistent access to the corporate network.
- ▸Firewall disablement: open the path for direct attacks against internal endpoints.
- ▸Camera spying: surveillance footage from UniFi Protect cameras leaks out.
- ▸Botnet enrollment: use the UniFi device itself as a relay to attack other companies.
The hard part is that network device compromises are hard to notice. PC malware trips antivirus, but an attacker quietly intercepting traffic inside a router or switch is essentially invisible from the endpoints. Cases of "we just realized our internal communications had been siphoned for six months" are entirely plausible in this category.
Home users running UniFi are in the same boat. Family PCs, smartphones, and smart home devices — all their traffic becomes visible to the attacker. Tech-loving individual users cannot consider this someone else's problem.
Affected products and fixes
The advisory covers any product running "UniFi OS". UniFi OS is the common platform underneath Ubiquiti's management appliances, and runs on the following representative products:
| Product category | Representative models |
|---|---|
| All-in-one gateway | UniFi Dream Machine (UDM) / UDM Pro / UDM SE / UDR |
| Management console | UniFi Cloud Key Gen2 Plus / UniFi OS Console / UNVR-Pro |
| Routers | UniFi Express / UCG-Ultra / UniFi Cloud Gateway |
The remediation is straightforward: update UniFi OS to the latest version. Use one of the following paths:
How to update
- 1.Log in to the UniFi dashboard (
https://<device-IP>orunifi.ui.com). - 2.Open "Settings → System → Updates".
- 3.If a new UniFi OS build is listed, apply it.
- 4.Also check firmware for downstream switches, APs, and Protect cameras.
If automatic updates are enabled, the new firmware may already be deployed. Verify that the "UniFi OS Version" shown on the dashboard is at or above the fixed version listed in Bulletin 064. Specific version numbers are updated on Ubiquiti's official advisory page.
Interim mitigations to apply at minimum
Until the patch is applied — and for longer-term risk reduction — the following settings are recommended:
Recommended additional configuration
- ▸Block management console exposure to the internet: configurations that let the UniFi dashboard be reached from the router's WAN side are dangerous. Disable WAN management and restrict to internal LAN / VPN.
- ▸Reconsider UniFi Site Manager (cloud management): if you don't need to manage the network while traveling, disable the Site Manager link and keep management local.
- ▸Enable 2FA on admin accounts: it does not block direct exploitation, but it lowers the risk for any auth-dependent attack paths.
- ▸Audit your logs: review past activity for suspicious "settings change", "user added", and "firmware overwritten" events.
The WAN-side dashboard exposure in particular has been a recurring root cause of UniFi compromises in the past. If you don't know who turned on "Allow Remote Access" or when, turning it off is the right move until you do.
Ubiquiti has been a target before
Thanks to their value-for-money pricing and broad install base, Ubiquiti products have long been an appealing target for attackers.
In 2021, a major credential exposure incident around the UniFi Cloud functionality led Ubiquiti to urge customers to change their passwords. From 2022 onward, high-severity flaws have surfaced intermittently in UniFi Dream Machine, UniFi Protect (camera management), and the UniFi Network Application. Even earlier in 2026, before today's batch, CVE-2026-22557 (path traversal) and CVE-2026-22558 (privilege escalation) were already on the books.
This is not "Ubiquiti is uniquely buggy". It should be read as a problem common to the entire network device category. Vulnerabilities in Cisco, Fortinet, Pulse Secure, and similar products have become primary entry vectors for APT (nation-state) and ransomware groups in recent years. The attacker's gaze rests on home, SOHO, and mid-market networks alike.
Conversely, a vendor publishing advisories on a regular cadence is a healthy state of affairs. The real question is whether the user side has the awareness and operational muscle to act on those advisories quickly.
Closing thoughts
Three CVSS 10.0 vulnerabilities in a single advisory, all exploitable remotely without authentication, is about as bad a package as a networking-gear security disclosure can get. Ubiquiti has done its part by publishing Bulletin 064 clearly, but if user-side updates do not catch up, this lines up directly with real-world compromises.
Teams operating UniFi in small offices, and engineers running UniFi at home — log in to the dashboard now and check your version. Even if you have automatic updates enabled, visually confirming that the patch landed is worthwhile. "UniFi: set it and forget it" is the selling point, which is exactly why undoing the "forget" is a job for tonight.
References
- ▸ Ubiquiti Community - Security Advisory Bulletin 064
- ▸ NVD - CVE-2026-34908 (Improper access control, CVSS 10.0)
- ▸ NVD - CVE-2026-34909 (Path traversal, CVSS 10.0)
- ▸ NVD - CVE-2026-34910 (Command injection, CVSS 10.0)
- ▸ NVD - CVE-2026-33000 (Command injection, CVSS 9.1)
- ▸ NVD - CVE-2026-34911 (Path traversal, CVSS 7.7)
- ▸ Ubiquiti Japan - What is UniFi? (deep dive)
- ▸ Ubiquiti Japan official site