CISA KEV Alert 6/23/2026, 7:42:53 PM

CISA adds CVE-2026-34909 to KEV as UniFi OS flaw exploited

CyberSIXT Evidence Panel: source marked as original reporting
Primary source: cisa.gov
CISA KEV: listed in KEV
Patch status: unknown

CISA has added CVE-2026-34909 to its Known Exploited Vulnerabilities catalogue. The entry concerns Ubiquiti’s UniFi OS and is identified as the Ubiquiti UniFi OS Path Traversal Vulnerability. This flaw allows a malicious actor who already has network access to read files on the underlying system and potentially manipulate them to gain access to accounts.

The vulnerability is a directory‑traversal issue that can be exploited over the network, leading to unauthorized file read and possible account compromise. It has been assigned a CVSS v3.1 score of 10.0, rating it as critical. No patch or advisory is currently available from the vendor, and the patch status is listed as unknown.

The flaw's listing in the KEV catalogue means active exploitation has been confirmed in the wild. CISA notes that there is no known use of this vulnerability in ransomware campaigns at this time. Federal agencies must apply the required mitigations by the remediation deadline of 2026‑06‑26.

CISA’s required action is to apply mitigations in accordance with vendor instructions while ensuring compliance with BOD 26‑04 Prioritizing Security Updates Based on Risk and the Forensics Triage Requirements. For cloud‑based deployments, follow the applicable BOD 26‑04 guidance or discontinue use of the product if mitigations cannot be implemented. Stakeholders must evaluate each asset’s internet exposure and adhere to BOD 26‑04 patching guidelines. Although the directive binds FCEB agencies, all organisations should review their exposure to this flaw.

For full technical details, see the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2026-34909 and the CISA KEV catalogue.


Article by CyberSIXT