CISA has added CVE-2026-34908 to its Known Exploited Vulnerabilities catalogue, affecting Ubiquiti’s UniFi OS. The vulnerability is an improper access control flaw that could allow a malicious actor with network access to make unauthorised changes to the system.
The flaw is an access control bypass that can be exploited remotely once an attacker gains a foothold on the local network, granting full administrative control over the UniFi OS instance. It carries a CVSS v3.1 base score of 10.0, rating it as CRITICAL. At present, no patch or advisory has been released by Ubiquiti, and the patch status is listed as unknown.
Active exploitation has been confirmed, which is the basis for the KEV designation. No ransomware campaign has been publicly linked to this CVE to date. CISA has set a remediation deadline of 26 June 2026 for federal civilian executive branch (FCEB) agencies to address the issue.
CISA’s required action is to apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04, “Prioritizing Security Updates Based on Risk”, and CISA’s “Forensics Triage Requirements”. Follow applicable BOD 26-04 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset’s internet exposure and ensuring adherence to BOD 26-04 patching guidelines.
While the directive binds FCEB agencies, all organisations should review their exposure to Ubiquiti UniFi OS and apply any available mitigations promptly.
For full technical details, refer to the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2026-34908 and the CISA KEV catalogue.