CVE-2026-34908

Name: CVE-2026-34908
Creator: NVD / NIST
Published: 2026-05-22T02:16:34.24+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

CRITICALCVSS 10/10Actively ExploitedEPSS 2.45%

Last modified Jun 24, 2026

CVE-2026-34908 is a critical-severity vulnerability rated 10/10 on the CVSS scale. A malicious actor with access to the network could exploit an Improper Access Control vulnerability found in UniFi OS devices to make unauthorized changes to the system.. CISA has confirmed active exploitation in the wild. EPSS estimates a 2.45% chance of exploitation in the next 30 days.

Description

A malicious actor with access to the network could exploit an Improper Access Control vulnerability found in UniFi OS devices to make unauthorized changes to the system.

Metrics

CVSS 3.1

10/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

EPSS Probability

2.45%

82.3th percentile

Probability of exploitation in the next 30 days. Learn more

Exploitation Status

This vulnerability is listed in CISA’s Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild. Federal agencies must remediate by Jun 26, 2026.

Weakness Enumeration

CWE-284

Affected Software

Vendor	Product	Versions
Ui	Unifi Os Server	< 5.0.8
Ui	Unifi Cloud Gateway Industrial Firmware	< 5.1.12
Ui	Unifi Dream Machine Firmware	< 5.1.12
Ui	Unifi Dream Machine Pro Firmware	< 5.1.12
Ui	Unifi Dream Machine Special Edition Firmware	< 5.1.12
Ui	Unifi Dream Machine Pro Max Firmware	< 5.1.12
Ui	Enterprise Fortress Gateway Firmware	< 5.1.12
Ui	Unifi Dream Wall Firmware	< 5.1.12
Ui	Unifi Dream Router Firmware	< 5.1.12
Ui	Unifi Dream Router 7 Firmware	< 5.1.12
Ui	Unifi Express 7 Firmware	< 5.1.12
Ui	Unifi Network Video Recorder Firmware	< 5.1.12
Ui	Unifi Network Video Recorder Pro Firmware	< 5.1.12
Ui	Unifi Network Video Recorder Instant Firmware	< 5.1.12
Ui	Enterprise Network Video Recorder Firmware	< 5.1.12
Ui	Unifi Cloud Gateway Ultra Firmware	< 5.1.12
Ui	Unifi Cloud Gateway Max Firmware	< 5.1.12
Ui	Unifi Cloud Gateway Fiber Firmware	< 5.1.12
Ui	Unifi Dream Router 5g Max Firmware	< 5.1.12
Ui	Enterprise Network Video Recorder Core Firmware	< 5.1.12
Ui	Unifi Cloud Key Plus Firmware	< 5.1.12
Ui	Unifi Cloudkey Firmware	< 5.1.12
Ui	Unifi Cloudkey Enterprise Firmware	< 5.1.12
Ui	Unifi Network Video Recorder G2 Firmware	< 5.1.12
Ui	Unifi Network Video Recorder G2 Pro Firmware	< 5.1.12
Ui	Unifi Dream Machine Beast Firmware	< 5.1.11
Ui	Unas 2 Firmware	< 5.1.10
Ui	Unas 4 Firmware	< 5.1.10
Ui	Unas Pro Firmware	< 5.1.10
Ui	Unas Pro 4 Firmware	< 5.1.10
Ui	Unas Pro 8 Firmware	< 5.1.10

References

https://community.ui.com/releases/Security-Advisory-Bulletin-064-064/84811c09-4cf4-42ab-bd61-cc994445963bPatch, Vendor Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-34908US Government Resource
https://www.pwndefend.com/2026/06/09/cve-2026-34910-exploitation-itw-building-a-botnet-mirai/Exploit, Third Party Advisory

Timeline

Published: May 22, 2026
Last Modified: Jun 24, 2026
Status: Analyzed

Frequently Asked Questions

What is CVE-2026-34908?

A malicious actor with access to the network could exploit an Improper Access Control vulnerability found in UniFi OS devices to make unauthorized changes to the system.

How severe is CVE-2026-34908?

CVE-2026-34908 has a CVSS score of 10/10 (CRITICAL severity). The EPSS model estimates a 2.45% probability of exploitation in the next 30 days. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog.

How do I fix CVE-2026-34908?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2026-34908?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST