CVE-2026-34908
10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Summary
A malicious actor with access to the network could exploit an Improper Access Control vulnerability found in UniFi OS devices to make unauthorized changes to the system.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Ubiquiti Inc | UniFi OS Server | 0 < 5.0.8 | affected |
| Ubiquiti Inc | UDM | 0 < 5.1.12 | affected |
| Ubiquiti Inc | UDM-Pro | 0 < 5.1.12 | affected |
| Ubiquiti Inc | UDM-SE | 0 < 5.1.12 | affected |
| Ubiquiti Inc | UDM-Pro-Max | 0 < 5.1.12 | affected |
| Ubiquiti Inc | UDM-Beast | 0 < 5.1.11 | affected |
| Ubiquiti Inc | EFG | 0 < 5.1.12 | affected |
| Ubiquiti Inc | UDW | 0 < 5.1.12 | affected |
| Ubiquiti Inc | UDR | 0 < 5.1.12 | affected |
| Ubiquiti Inc | UDR7 | 0 < 5.1.12 | affected |
| Ubiquiti Inc | UDR-5G | 0 < 5.1.12 | affected |
| Ubiquiti Inc | Express 7 | 0 < 5.1.12 | affected |
| Ubiquiti Inc | UNVR | 0 < 5.1.12 | affected |
| Ubiquiti Inc | UNVR-Pro | 0 < 5.1.12 | affected |
| Ubiquiti Inc | UNVR-Instant | 0 < 5.1.12 | affected |
| Ubiquiti Inc | UNVR-G2 | 0 < 5.1.12 | affected |
| Ubiquiti Inc | UNVR-G2-Pro | 0 < 5.1.12 | affected |
| Ubiquiti Inc | ENVR | 0 < 5.1.12 | affected |
| Ubiquiti Inc | ENVR-Core | 0 < 5.1.12 | affected |
| Ubiquiti Inc | UNAS-2 | 0 < 5.1.10 | affected |
| Ubiquiti Inc | UNAS-4 | 0 < 5.1.10 | affected |
| Ubiquiti Inc | UNAS-Pro | 0 < 5.1.10 | affected |
| Ubiquiti Inc | UNAS-Pro-4 | 0 < 5.1.10 | affected |
| Ubiquiti Inc | UNAS-Pro-8 | 0 < 5.1.10 | affected |
| Ubiquiti Inc | UCKP | 0 < 5.1.12 | affected |
| Ubiquiti Inc | UCK | 0 < 5.1.12 | affected |
| Ubiquiti Inc | UCK-Enterprise | 0 < 5.1.12 | affected |
| Ubiquiti Inc | UCG-Ultra | 0 < 5.1.12 | affected |
| Ubiquiti Inc | UCG-Max | 0 < 5.1.12 | affected |
| Ubiquiti Inc | UCG-Fiber | 0 < 5.1.12 | affected |
| Ubiquiti Inc | UCG-Industrial | 0 < 5.1.12 | affected |
Weaknesses
- CWE-284: CWE-284 Improper Access Control - Generic
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: active
- Automatable: yes
- Technical Impact: total
Additional References
- https://www.pwndefend.com/2026/06/09/cve-2026-34910-exploitation-itw-building-a-botnet-mirai/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-34908
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.