CISA KEV Alert 6/23/2026, 7:41:57 PM

CISA Flags Critical UniFi OS Flaw as Actively Exploited, No Patch

Developing story (vulnerability): Ubiquiti UniFi OS flaw (CVE-2026-34910) actively exploited
Source: marked as original reporting
Primary source: cisa.gov
CISA KEV: listed in KEV
Patch status: unknown

CISA has added CVE-2026-34910, which affects Ubiquiti’s UniFi OS, to its Known Exploited Vulnerabilities catalogue. The vulnerability is an improper input validation flaw that could allow a malicious actor with network access to execute arbitrary commands.

Technically, the flaw is a command injection vulnerability arising from insufficient validation of user-supplied input within UniFi OS. An attacker who can reach the device over the network may inject and run commands with the privileges of the affected service. The vulnerability carries a CVSS v3.1 base score of 10.0, rating it as CRITICAL. CISA notes that no patch is currently available.

Active exploitation has been confirmed, which is the basis for the KEV designation. There is no public indication that this flaw has been used in ransomware campaigns. CISA has set a remediation deadline of 26 June 2026 for federal civilian executive branch (FCEB) agencies to address the issue.

CISA’s required action is: “Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable.

Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.” While the directive binds FCEB agencies, all organisations should review their exposure to UniFi OS and apply any available mitigations.

For full details, see the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2026-34910 and the CISA KEV catalogue.

Article by CyberSIXT