Attackers can chain three already fixed vulnerabilities in the Ubiquiti UniFi OS server to execute remote code with root privileges and without authentication.
The security issues are tracked as CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910. They were addressed in May and impact UniFi OS Server versions 5.0.6 and earlier.
All three flaws received the maximum severity rating even though exploitation requires network access to the device, but the vendor's advisory did not mention that they could be chained for remote code execution.
- CVE-2026-34908 is an improper access control flaw that can allow unauthorized changes to vulnerable systems
- CVE-2026-34909 is a path traversal vulnerability that can expose files on the underlying operating system
- CVE-2026-34910 is a command injection flaw that can be exploited to execute commands on affected devices
Additional technical details from Bishop Fox researchers, who validated the complete attack path on a live UniFi OS Server 5.0.6 instance, show that CVE-2026-34908 and CVE-2026-34909 can be used to bypass authentication and reach a vulnerable endpoint, where CVE-2026-34910 enables command injection.
Although the injected commands do not initially run as root, the researchers found that the affected service account's sudo privileges make privilege escalation trivial.
According to Bishop Fox, no credentials, user interaction, or prior access are required to obtain a root shell on the target.
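The last step of the chain only produced a root shell because the service account the injected commands ran as had sudo rights. A defender reviewing a UniFi OS Server (or any appliance) can check the same thing directly: which accounts can reach root without a password? The audit below is an added example written for this article, not Bishop Fox's or Ubiquiti's code; the sudoers content and the account names in it are constructed placeholders, not the real UniFi service account.

```python
"""Audit sudoers-style rules for accounts that reach root without a password.

Added example (not Bishop Fox's or Ubiquiti's code). It mirrors the last step of
the chain described above: an injected command runs as an unprivileged service
account, and that account's sudo rights decide whether root is one step away.
"""
import re
from dataclasses import dataclass

# Constructed sample in /etc/sudoers syntax. Account names are placeholders,
# not the real UniFi OS Server service account.
SAMPLE_SUDOERS = """\
# constructed sample
Defaults        env_reset
root            ALL=(ALL:ALL) ALL
%admin          ALL=(ALL) ALL
svc-placeholder ALL=(ALL) NOPASSWD: ALL
backup          ALL=(root) NOPASSWD: /usr/bin/rsync
www-data        ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx
deploy          ALL=(ALL) ALL
"""

# user_or_group  hosts=(runas) [TAG: ...] commands
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.+)$"
)
RISK_ORDER = {"critical": 0, "review": 1, "info": 2, "low": 3}


@dataclass
class Finding:
    who: str
    runas: str
    commands: str
    nopasswd: bool
    risk: str


def _split_tags(rest: str):
    """Peel leading sudoers tags (NOPASSWD:, SETENV:, ...) off the command list."""
    tags = []
    while True:
        head, sep, tail = rest.partition(":")
        tag = head.strip()
        if sep and tag.isalpha() and tag.isupper():
            tags.append(tag)
            rest = tail.strip()
        else:
            return tags, rest.strip()


def parse_rule(line: str):
    """Return a Finding for one user/group rule; None for comments, blanks, Defaults."""
    line = line.strip()
    if not line or line.startswith("#") or line.startswith("Defaults"):
        return None
    m = RULE_RE.match(line)
    if not m:
        return None
    tags, commands = _split_tags(m.group("rest"))
    nopasswd = "NOPASSWD" in tags
    runas = m.group("runas") or "root"   # sudo defaults to root when (runas) is omitted
    all_cmds = commands.upper() == "ALL"
    if nopasswd and all_cmds:
        risk = "critical"   # any shell as this account is a root shell
    elif nopasswd:
        risk = "review"     # passwordless, but limited to named commands
    elif all_cmds:
        risk = "info"       # full sudo, but the account's password is still needed
    else:
        risk = "low"
    return Finding(m.group("who"), runas, commands, nopasswd, risk)


def audit(text: str):
    """Parse every rule and return findings, most dangerous first."""
    findings = [f for f in (parse_rule(l) for l in text.splitlines()) if f]
    return sorted(findings, key=lambda f: RISK_ORDER[f.risk])


def critical_accounts(text: str):
    """Accounts for which a single command injection is already a root compromise."""
    return [f.who for f in audit(text) if f.risk == "critical"]


if __name__ == "__main__":
    for f in audit(SAMPLE_SUDOERS):
        print(f"{f.risk:8} {f.who:16} runas={f.runas:8} nopasswd={f.nopasswd!s:5} {f.commands}")
```

Run it against the real `/etc/sudoers` and the files under `/etc/sudoers.d/` on the appliance; any account in the "critical" bucket turns a command injection in a service running as that account into the root compromise the researchers described, so those entries are the ones to remove or narrow first.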
“A UniFi OS Server is not a generic Linux box; it is the management plane for an organization’s network, including, where those devices are deployed, its physical-access doors, surveillance cameras, and the identities tied to them,” explains Bishop Fox.