What is Ubiquiti UniFi OS?
Ubiquiti UniFi OS is the embedded operating system powering Ubiquiti's enterprise networking appliances — Dream Machines (UDM, UDM Pro, UDM SE), Cloud Gateways (UCG-Ultra, UCG-Max), UniFi Network Video Recorders, the UniFi Network Application Server (UNAS), and UniFi Express devices. It hosts network management, video surveillance, physical access control, VPN, and identity services on a single appliance. Approximately 100,000 UniFi OS endpoints were internet-exposed at the time of disclosure (Censys), roughly half in the United States — making this vulnerability family one of the highest-impact of 2026.
Overview
CVE-2026-34910 is a command injection vulnerability in Ubiquiti UniFi OS's ucs-update package management service. It is the final link in a three-CVE exploit chain — CVE-2026-34908 (authentication bypass) + CVE-2026-34909 (path traversal) + CVE-2026-34910 (command injection) — that together deliver unauthenticated root-level remote code execution on any reachable UniFi OS appliance.
The ucs-update service passes an attacker-controlled package name parameter directly into a shell command without sanitization. Commands execute as the ucs-update service account, which holds passwordless sudo access to dpkg — enabling full root escalation by supplying a malicious .deb package whose post-install script runs as root.
CISA added all three UniFi OS CVEs to the KEV catalog on June 23, 2026. Bishop Fox published a detailed technical analysis and detection tool on June 8, 2026.
Affected Versions
| Component | Vulnerable | Fixed |
|---|---|---|
| UniFi OS Server (unifi-core) | ≤ 5.0.6 (core ≤ 5.0.126) | 5.0.8+ (core 5.0.153) |
| Dream Machines / Cloud Gateways / NVRs | < 5.1.12 | 5.1.12 |
| UNAS series | < 5.1.10 | 5.1.10 |
| UDM Beast | < 5.1.11 | 5.1.11 |
| UniFi Express | < 4.0.14 | 4.0.14 |
Technical Details
The ucs-update service exposes a package-update endpoint that accepts a package name parameter. The vulnerable handler passes the parameter directly into a shell command without sanitization or allowlist validation:
```
sudo /usr/bin/uos runnable latest-versions <package-name>
```
An attacker injects shell metacharacters (such as `;`, `&&`, or backticks) into the package name to execute arbitrary OS commands. Since the endpoint is an internal service route — normally protected by authentication — exploitation requires first bypassing authentication via CVE-2026-34908.
The ucs-update account holds passwordless sudo privileges over /usr/bin/dpkg, /bin/chmod, /bin/systemctl, and /usr/bin/uos. An attacker escalates to root by crafting a malicious .deb package whose postinst script runs arbitrary commands, then installing it via the passwordless dpkg sudo grant.
The patch in UniFi OS Server 5.0.8 addresses this in three ways:
- Replaces shell command invocation with an argument-array execution pattern, eliminating shell interpretation entirely
- Adds a strict package-name allowlist
- Removes `/usr/bin/dpkg` and `/bin/chmod` from the passwordless sudoers configuration
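The contrast between the pre-patch shell-string invocation and the post-patch argument-array plus allowlist pattern, as an added Python illustration (not Ubiquiti's code; the allowlist contents and the `launcher` test hook are constructed for the example, and `/usr/bin/uos` is the only path taken from the advisory):

```python
import re
import shlex
import subprocess
import sys
from typing import List, Optional

UOS_BIN = "/usr/bin/uos"  # binary named on the page
# Constructed allowlist: the patch is described as adding one, but its contents are not published.
ALLOWED_PACKAGES = frozenset({"unifi-core", "unifi-network", "unifi-protect"})
# Debian package-name syntax, checked before the allowlist lookup.
PACKAGE_NAME_RE = re.compile(r"^[a-z0-9][a-z0-9+.-]{0,63}$")


def vulnerable_command(package_name: str) -> str:
    """Pre-patch shape: untrusted input interpolated into a single shell string."""
    return f"sudo {UOS_BIN} runnable latest-versions {package_name}"

def shell_token_count(package_name: str) -> int:
    """Count the tokens a POSIX shell would parse from the vulnerable string.
    A clean name gives 5; anything more means the name itself carried shell syntax."""
    lexer = shlex.shlex(vulnerable_command(package_name), posix=True,
                        punctuation_chars=True)
    return len(list(lexer))

def validate_package_name(package_name: str) -> str:
    """Strict syntax check followed by the allowlist check the patch adds."""
    if not PACKAGE_NAME_RE.fullmatch(package_name):
        raise ValueError(f"malformed package name: {package_name!r}")
    if package_name not in ALLOWED_PACKAGES:
        raise ValueError(f"package not allowlisted: {package_name!r}")
    return package_name

def build_argv(package_name: str) -> List[str]:
    """Post-patch shape: one argv element per argument, never a shell string."""
    return ["sudo", UOS_BIN, "runnable", "latest-versions", validate_package_name(package_name)]

def run_latest_versions(package_name: str, launcher: Optional[List[str]] = None) -> List[str]:
    """Execute with shell=False so no metacharacter is ever interpreted.
    `launcher` is a hypothetical test hook that swaps ["sudo", UOS_BIN] for a
    harmless program printing each received argument on its own line."""
    argv = build_argv(package_name)
    if launcher is not None:
        argv = launcher + argv[2:]
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout.splitlines()

# Harmless stand-in for sudo/uos used by the test hook above.
ECHO_ARGV = [sys.executable, "-c", "import sys; print('\\n'.join(sys.argv[1:]))"]
```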
Discovery
CVE-2026-34910 was reported by John Carroll through Ubiquiti's HackerOne bug bounty program. Ubiquiti credited Carroll in Security Advisory Bulletin 064, published May 21–22, 2026.
Exploitation Context
CISA's KEV designation confirms exploitation in the wild. The complete attack chain requires no credentials, no user interaction, and works against any internet-accessible UniFi OS instance running a vulnerable version:
- CVE-2026-34908 — Auth bypass: percent-encoded URI passes the auth gateway, normalized URI routes to a protected internal service
- CVE-2026-34909 — Path traversal: read signing keys, credentials, TLS keys from the underlying filesystem
- CVE-2026-34910 (this CVE) — Command injection at the package-update endpoint → root RCE via malicious `.deb`
End-to-end, an attacker gains root-level access to an appliance that may control network routing, video surveillance, physical access (door locks, NFC credentials), RADIUS authentication, and VPN endpoints. The blast radius of full compromise on a UniFi OS appliance extends to every system that trusts it for authentication or network access.
Bishop Fox highlighted a critical post-patch limitation: "The fix closes the way in, but it does not reach back and undo what an attacker already did with root on an instance that was exposed beforehand." Previously compromised instances may retain persistence through modified startup scripts, installed backdoor packages, or stolen signing keys — none of which the firmware update removes.
Remediation
- Update UniFi OS immediately to the patched version for your hardware (see Affected Versions table above).
- Restrict management interface access — do not expose UniFi OS management to the internet; require VPN for all remote administration.
- Use the Bishop Fox detection tool (github.com/BishopFox/CVE-2026-34908-check) to verify whether your instance was or is vulnerable.
- Check for installed backdoor packages — run `dpkg -l` and audit recently installed packages, particularly those installed near the vulnerability window. Remove any unexpected entries.
- Review sudoers and startup scripts — check `/etc/sudoers.d/`, systemd unit files, and cron jobs for unauthorized modifications made post-compromise.
- Rotate all credentials and key material — admin passwords, TLS certificates, cloud tokens, and signing keys. Contact Ubiquiti support for appliance-specific signing key rotation procedures.
- Audit connected systems — as the network gateway, a compromised UniFi OS appliance may have tampered with firewall rules, VPN configurations, or RADIUS settings; review all downstream trust relationships.
- Consider factory reset — if compromise cannot be ruled out and the environment is high-sensitivity, a factory reset followed by a clean configuration restore is the only way to ensure no attacker persistence remains.
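The sudoers and installed-package checks above, as an added Python triage helper (not the Bishop Fox tool or Ubiquiti code): it flags `NOPASSWD` lines that still grant `/usr/bin/dpkg` or `/bin/chmod`, and lists packages first installed between the advisory date and the KEV deadline that the operator did not expect. The sample sudoers fragment and dpkg.log lines are constructed; the `uos-helper` package name is fictitious.

```python
import re
from datetime import date
from typing import Dict, List, Set

# Pre-patch passwordless grants that the fix removes (binaries named on the page).
RISKY_NOPASSWD = {"/usr/bin/dpkg", "/bin/chmod"}
WINDOW = (date(2026, 5, 21), date(2026, 6, 26))  # advisory publication to KEV deadline

# Assumes the common single-spaced sudoers form: "user HOST=(runas) NOPASSWD: cmd, cmd"
SUDOERS_RE = re.compile(r"^(?P<user>\S+)\s+\S+=\(.*?\)\s+NOPASSWD:\s*(?P<cmds>.+)$")
# dpkg.log first-install lines: "YYYY-MM-DD HH:MM:SS install pkg:arch <none> version"
DPKG_INSTALL_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \S+ install (\S+) \S+ (\S+)$")


def risky_sudo_grants(sudoers_text: str) -> Dict[str, List[str]]:
    """Map user -> sorted risky binaries for NOPASSWD lines still granting dpkg or chmod."""
    findings: Dict[str, List[str]] = {}
    for line in sudoers_text.splitlines():
        line = line.strip()
        m = SUDOERS_RE.match(line)
        if not m or line.startswith("#"):
            continue
        # Commands may carry arguments; compare on the binary path only.
        cmds = {c.strip().split()[0] for c in m.group("cmds").split(",") if c.strip()}
        risky = sorted(cmds & RISKY_NOPASSWD)
        if risky:
            findings.setdefault(m.group("user"), []).extend(risky)
    return findings

def unexpected_installs(dpkg_log_text: str, expected: Set[str]) -> List[str]:
    """Packages first installed inside WINDOW that are not in the operator's expected set."""
    hits = []
    for line in dpkg_log_text.splitlines():
        m = DPKG_INSTALL_RE.match(line)
        if not m:
            continue
        day = date.fromisoformat(m.group(1))
        pkg = m.group(2).split(":")[0]  # strip the :arch suffix
        if WINDOW[0] <= day <= WINDOW[1] and pkg not in expected:
            hits.append(f"{pkg} {m.group(3)} ({day})")
    return hits

# Constructed sample input; not taken from a real appliance.
SAMPLE_SUDOERS = """\
ucs-update ALL=(root) NOPASSWD: /usr/bin/dpkg, /bin/chmod, /bin/systemctl, /usr/bin/uos
backup ALL=(root) NOPASSWD: /usr/bin/rsync
"""
SAMPLE_DPKG_LOG = """\
2026-04-02 10:00:00 install unifi-core:arm64 <none> 5.0.120
2026-06-10 03:14:15 install uos-helper:all <none> 0.1
2026-06-24 09:00:00 upgrade unifi-core:arm64 5.0.120 5.0.153
"""
```

Run it against the real `/etc/sudoers.d/*` fragments and `/var/log/dpkg.log` from the appliance; an empty result from both functions is necessary but not sufficient evidence of a clean host, since the page notes persistence can also live in startup scripts and stolen keys.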
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2026-34910 |
| Vendor / Product | Ubiquiti — UniFi OS |
| NVD Published | 2026-05-22 |
| NVD Last Modified | 2026-06-23 |
| CVSS 3.1 Score | 10 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-20 |
| CISA KEV Added | 2026-06-23 |
| CISA KEV Deadline | 2026-06-26 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2026-05-21 | Ubiquiti Security Advisory Bulletin 064 published |
| 2026-05-22 | CVE published |
| 2026-06-08 | Bishop Fox technical analysis and detection tool published |
| 2026-06-23 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2026-06-26 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| NVD — CVE-2026-34910 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Ubiquiti Security Advisory Bulletin 064 | Vendor Advisory |
| Bishop Fox — Popping Root on UniFi OS Server: Unauthenticated RCE Chain Detection and Analysis | Security Research |
| Bishop Fox UniFi OS Detection Tool | Security Research |
| BleepingComputer — Ubiquiti Patches Three Max-Severity UniFi OS Vulnerabilities | News |
| SC World — Ubiquiti UniFi OS Server Vulnerabilities Allow Unauthenticated Remote Code Execution | News |