ZeroPath at Black Hat USA 2026

Brief Summary: CVE-2026-34910 Command Injection in UniFi OS Devices (CVSS 10.0)

A short review of CVE-2026-34910, a CVSS 10.0 command injection vulnerability in Ubiquiti UniFi OS devices caused by improper input validation. Includes patch information covering the full range of affected hardware and firmware versions.

CVE Analysis

8 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-21

Brief Summary: CVE-2026-34910 Command Injection in UniFi OS Devices (CVSS 10.0)
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

Three CVSS 10.0 vulnerabilities landing in a single vendor advisory is uncommon, and when the affected platform is Ubiquiti's UniFi OS, the blast radius spans enterprise networks, small businesses, and home labs alike. CVE-2026-34910 is one of those three critical flaws: an unauthenticated command injection that gives a network adjacent attacker arbitrary command execution on any unpatched UniFi OS device.

Ubiquiti manufactures widely deployed networking equipment under its UniFi brand, including routers, switches, access points, network video recorders, and NAS devices. UniFi OS is the embedded operating system that powers these devices, and it runs across a remarkably broad hardware portfolio. The platform is popular in both SMB and enterprise environments, making the scope of this vulnerability significant.

Technical Information

CVE-2026-34910 is rooted in improper input validation, classified under CWE-20. The vulnerability exists within UniFi OS, the embedded operating system running across Ubiquiti's hardware product lines including cloud gateways, dream machines, network video recorders, and NAS devices.

The core issue is that user supplied input reaching the UniFi OS device over the network is not properly sanitized before being passed to a system command execution context. This allows an attacker to craft a malicious payload that escapes the intended input boundary and injects arbitrary operating system commands. The injected commands execute at the privilege level of the vulnerable service on the device.

The attack surface is network reachable. According to the official NVD description: "A malicious actor with access to the network could exploit an Improper Input Validation vulnerability found in UniFi OS devices to execute a Command Injection." Community security alerts associated with Bulletin 064 explicitly warn of unauthenticated remote code execution capabilities, meaning no credentials are required to exploit the flaw.

Attack Flow

Based on available information, the exploitation follows this general pattern:

  1. The attacker identifies a network reachable UniFi OS device running a vulnerable firmware version.
  2. The attacker sends a crafted request containing a command injection payload to the vulnerable input handling component.
  3. Due to insufficient input validation, the payload is interpreted and executed as an operating system command on the device.
  4. The attacker achieves arbitrary command execution, potentially gaining full control of the device.

The CVSS 10.0 score reflects the combination of network accessibility, no authentication requirement, and complete compromise of confidentiality, integrity, and availability.

A Note on Source Discrepancies

There is a discrepancy in secondary sources worth flagging. One community summary describes CVE-2026-34910 as a path traversal vulnerability requiring low privileges, but this appears to be a misattribution. CVE-2026-34909 is the path traversal issue according to OpenCVE data, while the NVD description for CVE-2026-34910 clearly identifies it as a command injection flaw. Security teams should rely on the primary classification.

Because UniFi OS is closed source firmware, no source code or specific vulnerable code paths are publicly available for analysis.

Security Advisory Bulletin 064 patches five distinct vulnerabilities. The three critical severity flaws are:

Vulnerability IDCVSS ScoreAttack Vector
CVE-2026-3490810.0 CriticalUnauthenticated RCE
CVE-2026-3490910.0 CriticalPath Traversal
CVE-2026-3491010.0 CriticalCommand Injection
CVE-2026-349117.7 HighUnknown

The presence of multiple critical vulnerabilities in a single advisory means that unpatched devices are exposed to several independent attack paths simultaneously.

Patch Information

Ubiquiti addressed CVE-2026-34910 through firmware updates released on May 21, 2026, as part of Security Advisory Bulletin 064. Because UniFi OS is closed source firmware, no source code diffs or commit level changes are publicly available; the fix is delivered exclusively through official firmware packages.

The vulnerability affects a broad range of UniFi OS hardware. Ubiquiti coordinated fixes across multiple firmware tracks simultaneously, each targeting a different hardware family:

Product FamilyVulnerable VersionsFixed Version
UCG IndustrialUp to and including 5.0.135.1.12
UDM, UDM Pro, UDM SE, UDM Pro Max, EFG, UDW, UDR, UDR7, Express 7, UNVR, UNVR Pro, UNVR Instant, ENVR, UCG Ultra, UCG Max, UCG FiberUp to and including 5.0.165.1.12
UDR 5G, ENVR Core, UCKP, UCK, UCK EnterpriseUp to and including 5.0.175.1.12
UNVR G2, UNVR G2 ProUp to and including 5.1.115.1.12
UNAS 2, UNAS 4, UNAS Pro, UNAS Pro 4, UNAS Pro 8Up to and including 5.1.85.1.10
UDM BeastUp to and including 5.1.85.1.11
UniFi OS Server (software only)Up to and including 5.0.65.0.8

The majority of hardware devices converge on firmware version 5.1.12 as the patched release, while the NAS product line requires 5.1.10, the UDM Beast needs 5.1.11, and the software only UniFi OS Server requires 5.0.8.

The Cloud Gateways 5.1.12 release notes explicitly confirm this fix under its Bugfixes section, referencing Security Advisory Bulletin 064. The UniFi OS Server 5.0.8 release notes are notably brief, listing only "Improved stability," but the advisory itself unambiguously identifies 5.0.8 as the remediation target.

CVE-2026-34910 was patched alongside four other vulnerabilities (CVE-2026-33000, CVE-2026-34908, CVE-2026-34909, and CVE-2026-34911), meaning the same firmware updates resolve all five issues in one deployment. The update is being distributed via gradual rollout and may not appear to all users immediately through the management console.

Interim Mitigations

Pending patch deployment, organizations should implement strict network segmentation to limit access to UniFi OS management interfaces. These interfaces should only be reachable from dedicated, monitored administrative VLANs and must be blocked from untrusted networks and the public internet.

Post Patch Validation

Given the command injection nature of the vulnerability, applying the patch alone does not remove unauthorized access if the device was already compromised before patching. Organizations should conduct integrity checks on all UniFi OS devices after updating to ensure no backdoors or persistence mechanisms were installed prior to remediation.

Affected Systems and Versions

The following UniFi OS product families and firmware versions are confirmed vulnerable:

UCG Industrial: All versions up to and including 5.0.13.

UDM, UDM Pro, UDM SE, UDM Pro Max, EFG, UDW, UDR, UDR7, Express 7, UNVR, UNVR Pro, UNVR Instant, ENVR, UCG Ultra, UCG Max, UCG Fiber: All versions up to and including 5.0.16.

UDR 5G, ENVR Core, UCKP, UCK, UCK Enterprise: All versions up to and including 5.0.17.

UNVR G2, UNVR G2 Pro: All versions up to and including 5.1.11.

UNAS 2, UNAS 4, UNAS Pro, UNAS Pro 4, UNAS Pro 8: All versions up to and including 5.1.8.

UDM Beast: All versions up to and including 5.1.8.

UniFi OS Server (software only): All versions up to and including 5.0.6.

Any UniFi OS device reachable over the network and running a firmware version below the fixed release is vulnerable to unauthenticated command injection.

Vendor Security History

Ubiquiti has consolidated the fixes for five vulnerabilities into a single advisory, Security Advisory Bulletin 064. Three of these carry CVSS 10.0 scores (CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910), which is a notable concentration of critical severity flaws in one release cycle. The vendor credited security researcher John Carroll for the discovery of CVE-2026-34910 and Hakai Security for finding CVE-2026-34911.

Prior Ubiquiti security advisories, including Bulletin 062, are referenced in community discussions, indicating a pattern of periodic security updates for the UniFi platform. Historical reporting has also covered critical UniFi vulnerabilities allowing potential account hijacking, suggesting that the UniFi OS attack surface has drawn recurring researcher attention.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization