100K
internet-facing UniFi OS endpoints exposed globally per Censys
10.0
CVSS score on all three CVEs: the maximum possible severity
50K
US-based UniFi OS endpoints reachable from the internet
3 days
CISA BOD 26-04 patch window from KEV addition: expires today

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

Three CVSS 10.0 vulnerabilities in Ubiquiti UniFi OS allow any network-reachable attacker to claim root access on network gateways, cameras, and physical access controllers without providing a single credential. CISA added CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910 to its Known Exploited Vulnerabilities catalog on June 23, 2026, confirming active in-the-wild exploitation of the UniFi OS unauthenticated RCE chain. Censys tracks nearly 100,000 internet-facing UniFi OS endpoints globally, with approximately 50,000 in the United States. The CISA BOD 26-04 three-day patch deadline for federal agencies expires today, June 26.

The exploit chain works through a divergence in how Ubiquiti's NGINX gateway processes authentication. CVE-2026-34908 and CVE-2026-34909 form the bypass: an attacker crafts a request whose raw URI passes the authentication exemption check while its normalized form routes to an authenticated internal endpoint. Once past the access gate, CVE-2026-34910 delivers command injection through an unvalidated package name passed to a shell command in the package-update service. The service account handling those updates holds passwordless sudo privileges over dpkg, chmod, and systemctl, enabling root escalation via a malicious .deb package. BishopFox demonstrated the full chain and published a safe detection tool on GitHub.

Active exploitation is creating rogue administrator accounts named 'John Sim' during automated reconnaissance sweeps. Patches were released on May 21 in UniFi OS Server 5.0.8, but Censys data indicates a large portion of the 100,000 internet-facing endpoints remain unpatched. Any UniFi OS Server version 5.0.6 or below with its web interface reachable on TCP 11443 is fully exposed today. Patching alone does not close all risk: if your device was reachable before today, previously exfiltrated JWT signing keys remain valid and must be manually rotated.

How Does the UniFi OS Unauthenticated RCE Chain Work?

The UniFi OS unauthenticated RCE attack requires no prior access and executes in three stages, each corresponding to a distinct CVE. BishopFox researchers mapped the chain after acquiring a UniFi OS Server instance for analysis and published their findings alongside a safe detection tool at github.com/BishopFox/CVE-2026-34908-check.

CVE-2026-34908 and CVE-2026-34909 form the authentication bypass stage. Ubiquiti's NGINX gateway authenticates requests by checking two representations of the incoming URI: the raw form, which is percent-encoded exactly as the client sent it, and the normalized form, which NGINX decodes and collapses before routing. The authentication exemption logic examines the raw URI for exempt patterns like /api/auth/validate-sso/. NGINX routes based on the normalized version. An attacker sends a request whose raw URI begins with the exempt prefix but whose normalized form resolves to an authenticated internal endpoint. The gateway passes the auth check on the raw URI and routes the request to the internal backend, which assumes authentication was already verified.

Once past the access gate, CVE-2026-34910 delivers command injection. The package-update endpoint accepts a package name and passes it unsanitized to a shell command: sudo /usr/bin/uos runnable latest-versions [package-name]. Shell metacharacters in the parameter execute as arbitrary OS commands. The service account running this code is ucs-update, which holds passwordless sudo access to /usr/bin/dpkg, /bin/chmod, and /bin/systemctl. BishopFox confirmed root access by building a malicious .deb package and installing it via sudo dpkg, which executes post-install scripts as root.

A comparable NGINX URI normalization bypass appeared in the NGINX Rift CVE-2026-42945 unauthenticated RCE disclosure. The UniFi OS chain is more severe because the downstream injection reaches root-privileged sudo calls that control the device's entire security stack.

1

NGINX Auth Bypass

Attacker crafts URI where raw form matches exempt /api/auth/validate-sso/ prefix but normalized form routes to an authenticated internal endpoint, bypassing all access controls (CVE-2026-34908 / CVE-2026-34909).

2

Command Injection

Package name parameter passed unsanitized to shell command: sudo /usr/bin/uos runnable latest-versions [input]. Shell metacharacters execute arbitrary OS commands under the ucs-update service account (CVE-2026-34910).

3

Root Escalation

ucs-update holds passwordless sudo to /usr/bin/dpkg. Attacker installs a malicious .deb package with root post-install scripts, achieving full root on the UniFi OS Server.

4

Credential Harvest and Persistence

Root access yields JWT signing keys, WiFi/VPN credentials, cloud tokens, and biometric templates. A rogue 'John Sim' admin account is created for persistence before deeper exploitation proceeds.

How Many Organizations Are Exposed to CVE-2026-34908?

Censys tracked nearly 100,000 UniFi OS endpoints reachable over the public internet as of June 2026. Approximately 50,000 of those endpoints were located in the United States. The web interface commonly exposes TCP 11443, which BishopFox confirmed as the standard attack surface for this chain.

The affected device classes span the entire UniFi OS product line: Cloud Gateways including the Dream Machine family, Network Controllers including UCK-G2 and UCK-G2-Plus, Protect Network Video Recorders including UNVR and UNVR Pro, Access Hubs for physical access control, and Talk appliances. All UniFi OS Server versions 5.0.6 and below running unifi-core package version 5.0.126 or below are vulnerable.

The vulnerability chain does not require local network access. Ubiquiti's advisory specifies the attack vector as 'network' for all three CVEs, meaning any host that can reach the UniFi OS web interface over the public internet can exploit the bypass. This is a critical distinction from vulnerabilities that require adjacent network position. The 100,000 internet-facing endpoints represent the immediate attack surface; additional internal deployments reachable from a compromised network segment face exposure through lateral movement via the same chain.

CISA's BOD 26-04 mandate set a three-day deadline from the June 23 KEV addition, which expires today. Federal civilian agencies that have not patched are out of compliance. The same urgency applies to every private-sector organization: active exploitation confirmed by CISA means threat actors are scanning TCP 11443 at scale right now.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

What Attackers Can Extract After Gaining Root on UniFi OS

Root access on a UniFi OS Server is not limited to the device itself. UniFi OS serves as the authentication and configuration hub for every network device, camera, and physical access controller it manages, so a single compromise yields credentials for the entire managed network.

From root on a compromised UniFi OS Server, an attacker extracts JWT signing keys used for session token generation. UniFi OS uses symmetric HS256 signing for these tokens, meaning the key is shared and stored on disk. An attacker with the key can forge valid administrator tokens offline. These forged tokens remain valid even after patching because the update does not rotate the signing key. Rotation requires a manual reboot step. Attackers retain a persistent authentication path even after the patch closes the initial entry point.

Additional credentials available at root include TLS certificates and private keys, cloud authentication tokens used for multi-site remote management, the complete user database, WiFi pre-shared keys and RADIUS server secrets, VPN configurations, NFC credentials, and biometric templates enrolled via UniFi Access physical door controllers.

Active exploitation observed during reconnaissance created rogue administrator accounts under the username 'John Sim.' This naming pattern across multiple organizations indicates a scripted payload deploying a persistent backdoor before pivoting to targeted activity. The account creation is the earliest indicator that automated exploitation has run on a given device.

The parallel to Check Point VPN CVE-2026-50751 is instructive: in that incident, organizations that patched but did not audit post-compromise credential use discovered weeks later that attackers had harvested VPN session credentials before the patch window and maintained persistent access through stolen tokens.

Root access yields JWT signing keys, and those forged tokens persist even after patching until the key is manually rotated. Patching the vulnerability is not the same as closing the door on an attacker who was already inside.

BishopFox Research, June 2026

Indicators of Compromise: What to Hunt For in Your UniFi Logs

Detecting successful exploitation of the UniFi OS unauthenticated RCE chain requires searching across both network-level access logs and host-level process records. BishopFox documented the specific request patterns that distinguish exploitation attempts from legitimate traffic.

The primary network-level indicator is HTTP requests to the UniFi OS web interface containing the bypass pattern: requests whose URI begins with /api/auth/validate-sso/ followed by percent-encoded path traversal sequences, specifically ..%2f or %2e%2e. These sequences normalize to authenticated internal routes but pass the authentication exemption check. A single such request in your web server access logs indicates an exploitation attempt. An HTTP 200 response indicates a successful authentication bypass.

The secondary indicator covers the command injection phase: requests to /ucs/update/latest_package containing shell metacharacters in the parameter field, including dollar signs, semicolons, ampersands, backticks, or pipe characters. These indicate active CVE-2026-34910 exploitation attempts.

At the host level, four specific signs indicate post-exploitation activity: any administrator account named 'John Sim' in the UniFi OS user database, unexpected child processes spawned under the ucs-update service account, sudo dpkg or sudo chmod calls initiated by ucs-update with non-standard arguments, and .deb package installations not initiated through the standard update interface.

BishopFox's detection tool sends the bypass request without executing any commands and reports HTTP 200 (vulnerable) or HTTP 400 (patched). It confirms current vulnerability only, not whether past exploitation occurred. Any device that was internet-accessible before today must be treated as potentially compromised regardless of detection tool output.

Subscribe to unlock Indicators of Compromise

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

How to Close This Gap: Patch and Harden Your UniFi Deployment

The UniFi OS unauthenticated RCE vulnerability closes with a firmware update followed by a set of post-patch hardening steps. Patching without the hardening steps leaves organizations exposed to attacker persistence established before the patch window.

Step 1 blocks active exploitation. Steps 2 through 7 address the credential and access persistence that survives a patch-only response.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Why UniFi OS Unauthenticated RCE Matters for Your Organization

The UniFi OS unauthenticated RCE vulnerability matters because UniFi hardware occupies a high-trust position in network architecture that most endpoint security tools do not monitor. A compromised network controller manages the security boundaries of every device behind it, not just its own operation.

UniFi hardware is deployed across a wide range of environments: small and medium businesses using it as primary network infrastructure, enterprise branch offices, hospitality and retail locations managing guest WiFi, schools and universities, healthcare facilities running UniFi Protect for physical security cameras, and facilities managing physical door access through UniFi Access controllers. In every deployment, the UniFi OS Server holds credentials that authenticate to downstream systems across the organization.

The attack physics differ from software vulnerabilities at the application layer. An attacker who gains root on a UniFi Network Controller can push configuration changes to all managed switches, access points, and gateways simultaneously. A single compromised controller can silently redirect DNS resolution across the managed network, insert rogue VLAN rules, or disable firewall policies without generating process-level alerts that endpoint detection tools watch for on servers and workstations.

The three-day CISA deadline expired today. Organizations that treat CISA KEV notifications as a starting gun are already in a reactive posture. Exploitation was confirmed before the June 23 KEV addition, which means attackers were scanning TCP 11443 before the deadline began. The 100,000 internet-facing UniFi OS endpoints Censys tracks span every sector, and the scan rate against this attack surface increases after CISA publications make the vulnerability broadly known.

The remediation window before the weekend closes today. Any UniFi OS Server reachable from the internet on firmware older than 5.0.8 is an open door.

The bottom line

The UniFi OS unauthenticated RCE chain delivers root access on 100,000 internet-facing network controllers, cameras, and physical access hubs with no credentials required. CISA confirmed active exploitation on June 23 and the patch deadline is today. Three actions right now: update every UniFi OS instance to version 5.0.8, block TCP 11443 from the public internet, and rotate the JWT signing key on any device that was internet-accessible before today. Check your UniFi user database for a 'John Sim' administrator account: its presence confirms active exploitation. This gap closes with a single firmware update.

This analysis is generic — the platform version scores threats like this against your own stack.

Frequently asked questions

What is the UniFi OS unauthenticated RCE vulnerability?

The UniFi OS unauthenticated RCE vulnerability is a three-CVE exploit chain covering CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910 that allows any network-reachable attacker to bypass authentication, read and write arbitrary files, and execute OS commands as root on UniFi OS Server without providing any credentials. All three vulnerabilities carry a CVSS 10.0 score, the highest possible severity rating. CISA confirmed active in-the-wild exploitation on June 23, 2026.

How do attackers chain CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910?

Attackers combine the three CVEs into a sequential chain. CVE-2026-34908 and CVE-2026-34909 exploit a divergence between how NGINX evaluates authentication exemptions using the raw, percent-encoded URI and how it routes requests using the normalized URI. An attacker crafts a URL that passes the auth check but resolves to an authenticated internal service. CVE-2026-34910 then delivers command injection through an unsanitized package-name parameter passed to a shell command, and the executing service account holds passwordless root sudo access.

How do I patch CVE-2026-34908 in UniFi OS?

Update UniFi OS Server to version 5.0.8 or later. In the UniFi web interface, navigate to Settings, then System, then Updates. Versions 5.0.6 and below running unifi-core package 5.0.126 or below are fully vulnerable. After patching, rotate the JWT signing key and all credentials managed by the device, as patching alone does not invalidate previously exfiltrated signing keys. Per-model fixed versions are listed in Ubiquiti Security Advisory Bulletin 064.

What are the indicators of compromise for CVE-2026-34908 exploitation?

The primary indicator is an HTTP request in your UniFi OS access logs containing /api/auth/validate-sso/ with percent-encoded path traversal sequences such as ..%2f or %2e%2e. An HTTP 200 response to such a request before your patch date indicates successful exploitation. At the host level, look for a user account named John Sim in your UniFi OS user database, unexpected processes spawned under the ucs-update service account, and non-standard sudo dpkg or chmod calls from that account.

Does patching UniFi OS stop all attacker access after exploitation?

Patching stops future exploitation but does not revoke access an attacker already established. JWT signing keys exfiltrated before patching remain valid for forging administrator tokens until the key is manually rotated, which requires a device reboot. Credentials stored on the device including WiFi passwords, RADIUS secrets, and VPN configurations should all be rotated regardless of whether indicators of compromise are present. Treat any internet-exposed pre-patch instance as potentially compromised.

Which devices are affected by the Ubiquiti UniFi OS vulnerabilities?

Every device running Ubiquiti UniFi OS Server version 5.0.6 or earlier is affected. Vulnerable product classes include UniFi Cloud Gateways such as Dream Machine Pro and Dream Router, UniFi Network Controllers including UCK-G2 and UCK-G2-Plus, UniFi Protect NVRs including UNVR and UNVR Pro, UniFi Access Hubs, and UniFi Talk appliances. Censys tracked approximately 100,000 internet-facing instances globally as of June 2026.

Is the UniFi OS vulnerability used in ransomware attacks?

CISA listed ransomware involvement as unknown for CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910 at the time of KEV addition. However, confirmed exploitation was documented creating rogue administrator accounts during automated reconnaissance sweeps, consistent with initial access broker activity that precedes ransomware deployment. Network controllers are high-value initial access targets because root access yields credentials for all downstream managed devices, providing attackers with lateral movement paths through the entire managed network.

How do I check if my UniFi OS instance is vulnerable without patching first?

Run the BishopFox detection tool available at github.com/BishopFox/CVE-2026-34908-check. The tool sends the authentication bypass request to your UniFi OS instance without executing any commands. An HTTP 200 response to the bypass request combined with an HTTP 401 on a control request confirms vulnerability. An HTTP 400 response confirms the patched version is running. The tool cannot determine whether past exploitation has occurred, only whether the device is currently vulnerable.

Sources & references

  1. CISA: Adds Four Known Exploited Vulnerabilities to Catalog (June 23, 2026)
  2. Ubiquiti Security Advisory Bulletin 064
  3. BishopFox: Popping Root on UniFi OS Server: Unauthenticated RCE Chain
  4. BleepingComputer: CISA Warns of Max-Severity Ubiquiti Flaws Exploited in Attacks
  5. SecurityWeek: Critical Ubiquiti Vulnerabilities in Attackers' Crosshairs

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.