CVE-2026-34908: A malicious actor with access to the network could exploit an Improper Access Control vulnerability found i...
A malicious actor with access to the network could exploit an Improper Access Control vulnerability found in UniFi OS devices to make unauthorized changes to the system.
Security readout for executives and security teams
Plain-English summary
Ubiquiti UniFi OS devices contain a serious access control flaw. Anyone able to reach the device over the network can make unauthorized changes to the system without needing credentials. Because these devices commonly run routers, gateways, cameras, and NVRs at business sites, an attacker with network reach could tamper with core network and security infrastructure.
Executive priority
Treat as an emergency patch cycle. This is a CISA KEV-listed, CVSS 10 flaw in network gear that likely sits at the edge of your environment. Assign an owner today, schedule maintenance windows within days not weeks, and report remediation status to leadership until every affected device is confirmed patched.
Technical view
CVE-2026-34908 is an Improper Access Control (CWE-284) issue in UniFi OS across UDM, UDR, UNVR, EFG, Express 7, ENVR and UNAS product families. CVSS 3.1 base score is 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), meaning unauthenticated network attackers can achieve full compromise with scope change. Ubiquiti published Security Advisory Bulletin 064 with fixed firmware guidance.
Likely exposure
Any UniFi OS device whose management interface is reachable from an untrusted network, including LAN segments shared with guest or IoT devices, VPN entry points, or misconfigured WAN exposure. Managed service providers and multi-site enterprises running UDM, UDR, UNVR, EFG or UNAS families should assume exposure until patched firmware is confirmed on every unit.
Exploitation context
CISA KEV lists this CVE, indicating confirmed in-the-wild exploitation. A third-party PwnDefend post describes UniFi-family exploitation being leveraged to build Mirai-style botnets. Attackers with layer-3 reach can hit the vulnerability directly; no user interaction or credentials are required per the CVSS vector.
Researcher notes
Ubiquiti's advisory lists many product families as "unaffected" with version "0" in the CVE record, which is a data artifact; the human-readable bulletin is the authoritative source for fixed builds. The PwnDefend write-up references CVE-2026-34910 in the same UniFi advisory cluster, so botnet TTPs may overlap. Validate any device where remote SSH or custom scripts have been enabled.
Mitigation direction
Apply the firmware updates listed in Ubiquiti Security Advisory Bulletin 064 to all UniFi OS devices.
Restrict management interfaces to trusted admin VLANs and block WAN-side access.
Isolate unpatched devices behind ACLs until firmware can be updated.
Rotate local admin credentials and API tokens after patching in case of prior access.
Enable automatic firmware updates in UniFi Site Manager where policy allows.
Validation and detection
Inventory all UniFi OS devices via UniFi Site Manager and record current firmware versions.
Cross-check versions against the fixed builds in Bulletin 064 and CISA KEV entry.
Confirm management UI is not reachable from WAN or untrusted VLANs using external and internal scans.
Review device logs and audit trails for unexpected configuration changes or new admin sessions.
Verify KEV due-date compliance and document remediation for each device.
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · medium confidence lookup
CWE-284: Authorization and privilege behavior lookup
Authorization weaknesses can support privilege escalation and valid-account review, depending on exploit path. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
Exploitation: activeAutomatable: yesTechnical Impact: total
CVSS vector scores
1 official score
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-284 · source CWE mapping
Improper Access Control
Improper Access Control represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.