What is CVE-2026-34908?
A malicious actor with access to the network could exploit an Improper Access Control vulnerability found in UniFi OS devices to make unauthorized changes to the system.
Timeline
- 2026-05-22Published to the U.S. National Vulnerability Database (NVD)
- 2026-06-23Added to the CISA Known Exploited Vulnerabilities (KEV) catalog
- 2026-06-24NVD record last updated
- 2026-06-26CISA federal remediation deadline (BOD 22-01)
CISA Known Exploited Vulnerability
Ubiquiti UniFi OS Improper Access Control Vulnerability
Affected product
Ubiquiti UniFi OS
NVD also lists CPE entries for: Ui Unifi Os Server, Ui Unifi Cloud Gateway Industrial Firmware, Ui Unifi Cloud Gateway Industrial, Ui Unifi Dream Machine Firmware, Ui Unifi Dream Machine
Remediation Steps
- Apply the vendor security update for Ubiquiti UniFi OS as a priority.
- Restrict network exposure of the affected service to trusted sources until patched.
- Review logs and detections for indicators of exploitation.
- Confirm fixed versions against the official vendor advisory before deploying.
References
- https://community.ui.com/releases/Security-Advisory-Bulletin-064-064/84811c09-4cf4-42ab-bd61-cc994445963b
- https://www.pwndefend.com/2026/06/09/cve-2026-34910-exploitation-itw-building-a-botnet-mirai/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-34908
- https://nvd.nist.gov/vuln/detail/CVE-2026-34908
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog
Referenced in our briefings & reports
- Vulnerability Priority Report – Week 2 of July 2026 (July 13 – 19)
Browse all tracked CVEs in the defend.network CVE database →
🤖 This CVE page is generated by defend.network from NVD, CISA KEV, EPSS, and our verified daily briefings. Severity and exploitation data come from official sources; always verify remediation steps against the official vendor advisory before acting in production.