Skip to main content
A Singapore Government Agency Website How to identify
Official website links end with .gov.sg
Government agencies communicate via .gov.sg websites (e.g. go.gov.sg/open). Trusted websites
Secure websites use HTTPS
Look for a lock () or https:// as an added precaution. Share sensitive information only on official, secure websites.

Government officials will never ask you to transfer money or disclose bank log-in details over a phone call.

Call the 24/7 ScamShield Helpline at 1799 if you are unsure if something is a scam.

Cyber Security Agency of Singapore
Alerts

Multiple Critical Vulnerabilities in Ubiquiti UniFi OS

26 May 2026

Ubiquiti has released security updates to address multiple critical vulnerabilities in UniFi OS. Users and administrators of affected products are advised to update to the latest versions immediately.

Background

Ubiquiti is a networking technology company whose products run on UniFi OS, an operating system designed for managing IT infrastructure including networking, security, and other services. Ubiquiti has released security updates to address three critical vulnerabilities in UniFi OS. An Improper Access Control vulnerability (CVE-2026-34908), a Path Traversal vulnerability (CVE-2026-34909), and an Improper Input Validation vulnerability (CVE-2026-34910) have been identified, all of which can be exploited by an unauthenticated remote attacker.

These vulnerabilities have a Common Vulnerability Scoring System (CVSS v3.1) score of 10 out of 10.

Impact

Successful exploitation of these vulnerabilities could lead to the following:

  • CVE-2026-34908: Unauthorised changes to the targeted system, potentially leading to full device compromise.

  • CVE-2026-34909: Unauthorised access to sensitive files on the underlying system, which could be further leveraged to compromise an underlying account.

  • CVE-2026-34910: Command injection on the affected device, potentially leading to arbitrary command execution.

Affected Products

These vulnerabilities affect the following Ubiquiti UniFi OS products:

For CVE-2026-34908, CVE-2026-34909 & CVE-2026-34910:

  • UCG-Industrial 

    • running versions 5.0.13 and earlier

  • UDM, UDM-Pro, UDM-SE, UDM-Pro-Max, EFG, UDW, UDR, UDR7, Express 7, UNVR, UNVR-Pro, UNVR-Instant, ENVR, UCG-Ultra, UCG-Max and UCG-Fiber 

    • running versions 5.0.16 and earlier

  • UDR-5G, ENVR-Core, UCKP, UCK and UCK-Enterprise 

    • running versions 5.0.17 and earlier

  • UniFi OS Server 

    • running versions 5.0.6 and earlier

  • UNVR-G2 and UNVR-G2-Pro 

    • running versions 5.1.11 and earlier

  • UDM-Beast, UNAS-2, UNAS-4, UNAS-Pro, UNAS-Pro-4 and UNAS-Pro-8 

    • running versions 5.1.8 and earlier

Additionally, for CVE-2026-34909 only:

  • Express 

    • running versions 4.0.13 and earlier

Recommendations

Users and administrators of affected products are advised to update to the latest versions immediately.

References

https://community.ui.com/releases/Security-Advisory-Bulletin-064-064/84811c09-4cf4-42ab-bd61-cc994445963b

https://nvd.nist.gov/vuln/detail/CVE-2026-34908

https://nvd.nist.gov/vuln/detail/CVE-2026-34909

https://nvd.nist.gov/vuln/detail/CVE-2026-34910

https://www.bleepingcomputer.com/news/security/ubiquiti-patches-three-max-severity-unifi-os-vulnerabilities/

Back to top