10

CVE-2026-34908

Warnung
Medienbericht
Exploit
A malicious actor with access to the network could exploit an Improper Access Control vulnerability found in UniFi OS devices to make unauthorized changes to the system.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
UiUnifi Os Server Version < 5.0.8
UiUnifi Dream Machine Firmware Version < 5.1.12
   UiUnifi Dream Machine Version-
UiUnifi Dream Machine Pro Firmware Version < 5.1.12
   UiUnifi Dream Machine Pro Version-
UiUnifi Dream Wall Firmware Version < 5.1.12
   UiUnifi Dream Wall Version-
UiUnifi Dream Router Firmware Version < 5.1.12
   UiUnifi Dream Router Version-
UiUnifi Dream Router 7 Firmware Version < 5.1.12
   UiUnifi Dream Router 7 Version-
UiUnifi Express 7 Firmware Version < 5.1.12
   UiUnifi Express 7 Version-
UiUnifi Cloud Gateway Ultra Firmware Version < 5.1.12
   UiUnifi Cloud Gateway Ultra Version-
UiUnifi Cloud Gateway Max Firmware Version < 5.1.12
   UiUnifi Cloud Gateway Max Version-
UiUnifi Cloud Gateway Fiber Firmware Version < 5.1.12
   UiUnifi Cloud Gateway Fiber Version-
UiUnifi Dream Router 5g Max Firmware Version < 5.1.12
   UiUnifi Dream Router 5g Max Version-
UiUnifi Cloud Key Plus Firmware Version < 5.1.12
   UiUnifi Cloud Key Plus Version-
UiUnifi Cloudkey Firmware Version < 5.1.12
   UiUnifi Cloudkey Version-
UiUnifi Cloudkey Enterprise Firmware Version < 5.1.12
   UiUnifi Cloudkey Enterprise Version-
UiUnifi Dream Machine Beast Firmware Version < 5.1.11
   UiUnifi Dream Machine Beast Version-
UiUnas 2 Firmware Version < 5.1.10
   UiUnas 2 Version-
UiUnas 4 Firmware Version < 5.1.10
   UiUnas 4 Version-
UiUnas Pro Firmware Version < 5.1.10
   UiUnas Pro Version-
UiUnas Pro 4 Firmware Version < 5.1.10
   UiUnas Pro 4 Version-
UiUnas Pro 8 Firmware Version < 5.1.10
   UiUnas Pro 8 Version-

23.06.2026: CISA Known Exploited Vulnerabilities (KEV) Catalog

Ubiquiti UniFi OS Improper Access Control Vulnerability

Schwachstelle

Ubiquiti UniFi OS contains an improper access control vulnerability which could allow a malicious actor with access to the network to make unauthorized changes to the system.

Beschreibung

Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.

Erforderliche Maßnahmen
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 2.45% 0.823
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
support@hackerone.com 10 3.9 6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
VulnDex Intel
Media Report
08.07.2026 17:04
Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
VulnDex Intel
Media Report
24.06.2026 20:21
Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
VulnDex Intel
Media Report
24.06.2026 16:50
Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
VulnDex Intel
Media Report
24.06.2026 14:35
Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
VulnDex Intel
Media Report
15.06.2026 17:02
Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
VulnDex Intel
Media Report
08.06.2026 18:11
Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
VulnDex Intel
Media Report
08.06.2026 16:25
Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
VulnDex Intel
Media Report
05.06.2026 12:45
Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
VulnDex Intel
Media Report
05.06.2026 12:44
Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
VulnDex Intel
Media Report
05.06.2026 12:43
https://community.ui.com/releases/Security-Advisory-Bulletin-064-064/84811c09-4cf4-42ab-bd61-cc994445963b
Patch
Vendor Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-34908
US Government Resource
https://www.pwndefend.com/2026/06/09/cve-2026-34910-exploitation-itw-building-a-botnet-mirai/
Third Party Advisory
Exploit