Three Max-Severity UniFi OS Bugs Are Under Active Attack, Update Now

Ubiquiti's hugely popular UniFi gear is the target of an active exploitation campaign. Three UniFi OS vulnerabilities, all rated a perfect CVSS 10.0, chain together into unauthenticated root access and are being used to fully compromise devices and plant rogue administrator accounts.

Key takeaways

• Three UniFi OS flaws, CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910, each CVSS 10.0, chain into unauthenticated remote code execution as root.
• CISA added all three to its Known Exploited Vulnerabilities (KEV) catalog on June 23, 2026, with a federal patch deadline of June 26, 2026.
• Active exploitation has created rogue administrator accounts, one widely reported example used the name "John Sim."
• Ubiquiti fixed the chain in UniFi OS Server 5.0.8 (and corresponding device firmware), covered by Security Advisory Bulletin 064.
• If you find an admin account you did not create, assume full compromise: patch, rotate every credential, audit configuration, and consider a rebuild.

The three vulnerabilities

Ubiquiti disclosed and patched a trio of flaws in UniFi OS as part of Security Advisory Bulletin 064 (SAB-064). CISA added all three to its KEV catalog on June 23, 2026.

• CVE-2026-34908 (CVSS 10.0, Improper Access Control): An authentication-gateway bypass. A network-reachable actor can make unauthorized changes to the system, the entry point for the chain.
• CVE-2026-34909 (CVSS 10.0, Path Traversal): Lets an attacker read or manipulate files on the underlying system, which can be abused to reach an underlying account.
• CVE-2026-34910 (CVSS 10.0, Improper Input Validation): A command-injection flaw in the package-update service. Reached without any token via the gateway bypass, it delivers the unauthenticated code execution that completes the chain.

Here is how the three CVEs map to their role in the exploit chain:

CVE	Type	CVSS	Role in the chain
CVE-2026-34908	Improper access control	10.0	Auth-gateway bypass, the entry point
CVE-2026-34909	Path traversal	10.0	Read/manipulate files to reach an account
CVE-2026-34910	Improper input validation	10.0	Command injection for unauthenticated root

Security firm Bishop Fox documented how these combine. The NGINX authentication gateway is bypassed (CVE-2026-34908 and CVE-2026-34909), then the package-update backend is abused to inject commands (CVE-2026-34910), turning "no access" into root on the device with no credentials at all.

What attackers are doing with it

This is not theoretical. Users reported apparent zero-day exploitation in which attackers created rogue administrator accounts, one widely reported example used the account name "John Sim", during automated reconnaissance and exploitation runs.

A compromised UniFi controller or gateway is a serious problem. These devices route traffic, hold network configuration, and frequently manage segmentation and VPNs. An attacker with root or admin control can reroute traffic, disable defenses, alter DNS, and use the device as a beachhead into everything behind it. Because UniFi gear is so common in homes, small offices, and managed-service deployments, the population of exposed targets is large.

Who is affected and the patch

Ubiquiti shipped fixes in UniFi OS Server 5.0.8 and the corresponding releases for its appliance family, all tracked in SAB-064. Because exploitation is active, CISA mandated that federal civilian agencies remediate by June 26, 2026 under Binding Operational Directive 26-04, a tight window that reflects how seriously the agency is treating these bugs.

If you run any UniFi OS device, a Dream Machine, a Cloud Gateway, a self-hosted UniFi OS Server, or a UniFi-managed network, you are potentially in scope. Bishop Fox confirmed the unauthenticated chain works against UniFi OS Server 5.0.6 and fails on the patched 5.0.8, so the upgrade boundary is clear.

Your action plan

1. Update immediately. Upgrade every UniFi OS device and the UniFi OS Server to 5.0.8 or later as listed in SAB-064. Do not wait for an auto-update cycle.

2. Audit administrator accounts. Review every admin and limited-admin account on each controller. Remove anything unfamiliar (watch for names like "John Sim" but do not rely on that single indicator).

3. Rotate credentials. Change admin passwords, regenerate API keys, and revoke active sessions after patching. Move to passkeys where supported for the accounts that protect your management plane.

4. Restrict management exposure. UniFi management interfaces and the controller should never be directly reachable from the internet. Use a VPN for remote administration.

5. Hunt for persistence. Check for unexpected configuration changes, new firewall rules, modified DNS settings, new port forwards, and unfamiliar VPN or remote-access configurations.

Verify your version

You can confirm the running version from the UniFi OS console under Settings, or check the controller release in the system info. Treat anything below 5.0.8 (or the equivalent patched firmware for your hardware) as vulnerable until updated.

If you suspect compromise

Because these flaws allow full device control, a thorough response may require a factory reset and rebuild from a known-good configuration rather than an in-place cleanup. Reset all credentials that the device touched, and review traffic logs for signs of lateral movement. If sensitive data sat behind the device, work through our guide on how to check whether your data was breached and respond.

The takeaway

Network appliances are high-value targets precisely because they are trusted and often forgotten. A CVSS 10.0, network-reachable, actively exploited chain in widely deployed consumer-and-prosumer gear is a near-worst-case scenario. It echoes other recent edge-device disasters, like the Check Point VPN authentication bypass. For the broader hardening playbook, our secure home router checklist covers the standing rules that limit this kind of blast radius. Patch today, audit your admin accounts, and make "no management interface on the public internet" a standing rule for every device you own.

Frequently asked questions

Which devices need the update?

Any device running UniFi OS, Dream Machine models, Cloud Gateways, and self-hosted UniFi OS Server installs. The fixed UniFi OS Server release is 5.0.8; appliance firmware is covered by SAB-064. If in doubt, assume in scope and update.

I do not have a rogue "John Sim" account, am I safe?

Not necessarily. "John Sim" was one observed indicator, but attackers can use any account name and may establish persistence in other ways (firewall rules, port forwards, modified DNS, new VPN configs). Patch regardless, and audit the full configuration rather than relying on one account name.

Is auto-update enough?

Eventually, but not fast enough during active exploitation. The safe move is to manually update now rather than wait for a scheduled auto-update window that could leave you exposed for hours or days while attackers scan.

Can attackers exploit this from the internet?

Yes, if the management interface is internet-reachable, which is exactly why it should not be. Even on an internal network, an attacker who already has a foothold can reach the device. Restricting management to a VPN and removing public exposure closes the most dangerous path.

Sources

• BleepingComputer: Ubiquiti patches three max-severity UniFi OS vulnerabilities
• Ubiquiti Security Advisory Bulletin 064
• CISA: Adds Four Known Exploited Vulnerabilities to Catalog
• SecurityWeek: Critical Ubiquiti Vulnerabilities in Attackers' Crosshairs
• Bishop Fox: Popping Root on UniFi OS Server
• BleepingComputer: Critical UniFi OS bug lets hackers gain root without authentication