CVE-2026-34909
CRITICAL CISA KEV EPSS 80.9%
Published May 22, 20261mo ago · Modified Jun 24, 20264d ago
10.0 CVSS 3.1
Published May 22, 2026 1mo ago
Last Modified Jun 24, 2026 4d ago
KEV Listed Jun 23, 2026 6d ago
KEV Due Jun 26, 2026 3d overdue
Description
A malicious actor with access to the network could exploit a Path Traversal vulnerability found in UniFi OS devices to access files on the underlying system that could be manipulated to access an underlying account.
CVSS Details
Base Score
Exploitability
Impact
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Changed
Confidentiality High
Integrity High
Availability High
Threat Intelligence
CISA Known Exploited Overdue 3d
- Added
- Jun 23, 2026
- Due
- Jun 26, 2026
Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.
EPSS Exploit Probability
80.9% percentile
Exploit & Patch Status
Actively Exploited (KEV)
Patch Available
Weaknesses 1
CWE-22 Path Traversal Resource Mgmt
Affected Products 63
| Vendor | Product | Version | Range |
|---|---|---|---|
| ui | unifi_os_server | * | <5.0.8 |
| ui | unifi_cloud_gateway_industrial_firmware | * | <5.1.12 |
| ui | unifi_cloud_gateway_industrial | * | any |
| ui | unifi_dream_machine_firmware | * | <5.1.12 |
| ui | unifi_dream_machine | * | any |
| ui | unifi_dream_machine_pro_firmware | * | <5.1.12 |
| ui | unifi_dream_machine_pro | * | any |
| ui | unifi_dream_machine_special_edition_firmware | * | <5.1.12 |
| ui | unifi_dream_machine_special_edition | * | any |
| ui | unifi_dream_machine_pro_max_firmware | * | <5.1.12 |
| ui | unifi_dream_machine_pro_max | * | any |
| ui | enterprise_fortress_gateway_firmware | * | <5.1.12 |
| ui | enterprise_fortress_gateway | * | any |
| ui | unifi_dream_wall_firmware | * | <5.1.12 |
| ui | unifi_dream_wall | * | any |
| ui | unifi_dream_router_firmware | * | <5.1.12 |
| ui | unifi_dream_router | * | any |
| ui | unifi_dream_router_7_firmware | * | <5.1.12 |
| ui | unifi_dream_router_7 | * | any |
| ui | unifi_express_7_firmware | * | <5.1.12 |
| ui | unifi_express_7 | * | any |
| ui | unifi_network_video_recorder_firmware | * | <5.1.12 |
| ui | unifi_network_video_recorder | * | any |
| ui | unifi_network_video_recorder_pro_firmware | * | <5.1.12 |
| ui | unifi_network_video_recorder_pro | * | any |
| ui | unifi_network_video_recorder_instant_firmware | * | <5.1.12 |
| ui | unifi_network_video_recorder_instant | * | any |
| ui | enterprise_network_video_recorder_firmware | * | <5.1.12 |
| ui | enterprise_network_video_recorder | * | any |
| ui | unifi_cloud_gateway_ultra_firmware | * | <5.1.12 |
| ui | unifi_cloud_gateway_ultra | * | any |
| ui | unifi_cloud_gateway_max_firmware | * | <5.1.12 |
| ui | unifi_cloud_gateway_max | * | any |
| ui | unifi_cloud_gateway_fiber_firmware | * | <5.1.12 |
| ui | unifi_cloud_gateway_fiber | * | any |
| ui | unifi_dream_router_5g_max_firmware | * | <5.1.12 |
| ui | unifi_dream_router_5g_max | * | any |
| ui | enterprise_network_video_recorder_core_firmware | * | <5.1.12 |
| ui | enterprise_network_video_recorder_core | * | any |
| ui | unifi_cloud_key_plus_firmware | * | <5.1.12 |
| ui | unifi_cloud_key_plus | * | any |
| ui | unifi_cloudkey_firmware | * | <5.1.12 |
| ui | unifi_cloudkey | * | any |
| ui | unifi_cloudkey_enterprise_firmware | * | <5.1.12 |
| ui | unifi_cloudkey_enterprise | * | any |
| ui | unifi_network_video_recorder_g2_firmware | * | <5.1.12 |
| ui | unifi_network_video_recorder_g2 | * | any |
| ui | unifi_network_video_recorder_g2_pro_firmware | * | <5.1.12 |
| ui | unifi_network_video_recorder_g2_pro | * | any |
| ui | unifi_dream_machine_beast_firmware | * | <5.1.11 |
| ui | unifi_dream_machine_beast | * | any |
| ui | unas_2_firmware | * | <5.1.10 |
| ui | unas_2 | * | any |
| ui | unas_4_firmware | * | <5.1.10 |
| ui | unas_4 | * | any |
| ui | unas_pro_firmware | * | <5.1.10 |
| ui | unas_pro | * | any |
| ui | unas_pro_4_firmware | * | <5.1.10 |
| ui | unas_pro_4 | * | any |
| ui | unas_pro_8_firmware | * | <5.1.10 |
| ui | unas_pro_8 | * | any |
| ui | unifi_express_firmware | * | <4.0.14 |
| ui | unifi_express | * | any |
References 3
- community.ui.com https://community.ui.com/releases/Security-Advisory-Bulletin-064-064/84811c09-4cf4-42ab-bd61-cc994445963b
- cisa.gov https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-34909
- pwndefend.com https://www.pwndefend.com/2026/06/09/cve-2026-34910-exploitation-itw-building-a-botnet-mirai/
Remediation
- community.ui.com https://community.ui.com/releases/Security-Advisory-Bulletin-064-064/84811c09-4cf4-42ab-bd61-cc994445963b