CISA has added CVE-2026-34910 to its Known Exploited Vulnerabilities catalogue after confirming that the flaw in Ubiquiti’s UniFi OS is being actively exploited. The vulnerability carries a CVSS v3.1 score of 10.0, rating it as critical, and affects organisations that run UniFi OS on their network devices.
The flaw is described in Ubiquiti’s security advisory as an improper input validation error that leads to command injection. An attacker who can reach the UniFi OS management interface over the network can inject arbitrary commands that run with the privileges of the affected service. The vulnerability exists because certain parameters are not sufficiently validated before being passed to a shell.
Exploitation does not require authentication if the interface is exposed to the internet or an untrusted segment. CISA notes that active use has been observed in the wild, although no specific threat actor has been linked to the attacks so far. The absence of a patch means that the risk remains until Ubiquiti releases a fix.
The addition to the KEV catalogue highlights the danger posed by exposed edge devices, especially when they run Linux-based firmware with extensive management features. Similar issues have appeared in UniFi products before, prompting calls for tighter network segregation. Organisations should treat any UniFi OS instance reachable from outside as a potential entry point.
Defenders should immediately apply the mitigation steps outlined in Ubiquiti’s advisory, which include disabling remote access to the UniFi OS controller and restricting management traffic to trusted IP ranges. Firewall rules that limit inbound connections to the device’s management ports can reduce the attack surface. Monitoring system logs for unexpected command execution or new user accounts is also advised. Following CISA’s Binding Operational Directive 26-04 on vulnerability response helps ensure timely mitigation.
Maintaining an up-to-date inventory of all UniFi devices assists in quickly identifying which units need to be isolated or replaced. Administrators should watch for an official patch from Ubiquiti and apply it as soon as it becomes available. Until then, limiting exposure and enforcing least-privilege access remain the best defences.
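As an added illustration of the mitigation described above (not code from Ubiquiti or CISA), the following Python script checks a device inventory against inbound allow rules and reports every rule whose source range is not fully contained in a trusted management range. The inventory layout, rule format, addresses and function names are constructed assumptions, and a device with no allow rule is assumed to be default-deny.

```python
import ipaddress

# Constructed sample data; none of these values come from the advisory.
TRUSTED_RANGES = ["10.20.0.0/24", "192.168.50.0/28"]
INVENTORY = [
    {"name": "gw-hq", "mgmt_ip": "10.20.0.1"},
    {"name": "gw-branch", "mgmt_ip": "10.30.0.1"},
    {"name": "gw-lab", "mgmt_ip": "10.40.0.1"},
]
# Hypothetical rule format: source CIDR allowed to reach a management address.
ALLOW_RULES = [
    {"dst": "10.20.0.1", "src": "10.20.0.0/25"},     # inside a trusted range
    {"dst": "10.30.0.1", "src": "0.0.0.0/0"},        # open to everyone
    {"dst": "10.30.0.1", "src": "192.168.50.0/28"},  # exactly a trusted range
    {"dst": "10.40.0.1", "src": "10.20.0.0/23"},     # wider than the trusted /24
]


def is_within_trusted(src_cidr, trusted):
    """True only if every address in src_cidr lies inside one trusted network."""
    src = ipaddress.ip_network(src_cidr, strict=False)
    # subnet_of() raises TypeError across IP versions, so compare versions first.
    return any(src.version == t.version and src.subnet_of(t) for t in trusted)


def audit_exposure(inventory, rules, trusted_ranges):
    """Map device name -> list of allow-rule sources that exceed trusted ranges."""
    trusted = [ipaddress.ip_network(r) for r in trusted_ranges]
    findings = {}
    for device in inventory:
        too_wide = [
            rule["src"]
            for rule in rules
            if rule["dst"] == device["mgmt_ip"]
            and not is_within_trusted(rule["src"], trusted)
        ]
        if too_wide:
            findings[device["name"]] = too_wide
    return findings


if __name__ == "__main__":
    for name, sources in audit_exposure(INVENTORY, ALLOW_RULES, TRUSTED_RANGES).items():
        print(f"{name}: management interface reachable from {', '.join(sources)}")
```

A rule that merely overlaps a trusted range, such as the /23 above, is still reported because part of it falls outside the range that was meant to be allowed.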