- June 24, 2026
Critical Vulnerability in Ubiquiti Network Application Under Active Exploitation (CVE-2026-34908, CVE-2026-34909, CVE-2026-34910)
Three CVEs released for Ubiquiti's UniFi OS allow attackers unauthenticated remote root level access
Executive Summary
On June 23rd, 2026, CISA added three critical vulnerabilities affecting Ubiquiti UniFi to its Known Exploited Vulnerabilities (KEV) catalog following confirmed active exploitation in the wild. Reported activity includes a Mirai/Gafgyt botnet campaign, making immediate patching and post-compromise investigation and remediation critical for all affected organizations.
On May 21, 2026, Ubiquiti published Security Advisory Bulletin 064 (SAB-064) for Ubiquiti UniFi OS servers, which identified three vulnerabilities, CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910, each rated with a CVSS base score of 10.0. These vulnerabilities can be chained together to allow an attacker unauthenticated remote code execution with full root privileges. Ubiquiti released updates that address these vulnerabilities at the time of their initial publication.
Given these attacks grant root level privileges to an attacker with a single request, Beazley Security recommends organizations running vulnerable UniFi OS instances assume compromise, immediately patch to prevent future exploitation, pull existing OS configuration backups, and rebuild from a known-good image.
Affected Systems or Products
| Product | Affected Versions | Fixed Versions |
|---|---|---|
| UniFi OS Server | <5.0.6 | 5.0.8 |
Mitigations / Workarounds
Ubiquiti and Beazley Security advise updating any Network instances in your UniFi console. The exploit is possible wherever a UniFi OS web interface is accessible. The default interface listens on TCP 11443. Blocking external access to it can prevent initial access to the system.
It’s advisable not to allow external network access to your UniFi Management console and to leverage Ubiquiti’s Remote Site Management service instead.
Patches
Updating a Ubiquiti UniFi Network Application is performed through the UniFi Portal within the Control Plane Settings.
1. Click the settings cog in the left-most pane.
2. Access the “Control Plane” settings.
3. Within the loaded pane, ensure you select “Updates”.
4. Click the “Update to X.X.X” button within the Network Application row.

Figure 1 Update mechanism within the UniFi UI
Beazley Security also advises organizations running UniFi Management Systems to enable automatic updates on their machines. This is accessible by clicking the Application row within the UI and selecting a Release Channel and an update cadence.
Organizations that were running vulnerable instances should assume root-level compromise of the device and are recommended to perform a clean install and restoration from a known backup if possible. Because root can read UniFi’s secret store, which contains signing keys, TLS keys, cloud tokens, login database entries, and network configuration materials, a rotation of all secrets on the host is required. This includes running force-logout on all sessions and resetting database credentials.
Once backups of UniFi OS are restored on a clean install, organizations must rotate the signing key for the unifi-core service, as restoring updates will not automatically rotate the potentially exfiltrated signing key. To do so, update the secret: value in /data/unifi-core/config/jwt.yaml with a new value, which can be produced with openssl rand -hex 32
Indicators of Compromise
Ubiquiti has not released any IoCs or indicators of attack related to this vulnerability at the time of disclosure. However, given the exploit grants the attacker root-level privileges to the underlying data presented in the UI, logs and traces of compromise can be altered or removed, preventing organizations from collecting indicators. Telemetry for this attack can be linked to known threat actors (Mirai/Gafgyt) identified from IP information, and is not likely to be discoverable on a compromised host post-exploitation.
Technical Details
UniFi OS fronts its web portal with nginx and enforces authentication with auth_request subrequests to an underlying unifi-core service. This authentication check matches the request’s raw x-original-uri in nginx but does not normalize an encoded value after routing the traffic. This creates divergent behavior: the authentication check compares an encoded value, while nginx routes the request using a normalized one.
An attacker can send a request to /api/auth/validate-sso/, which is exempt from the authorization flow, with a crafted payload that nginx redirects to an authorized internal route.
GET /api/auth/validate-sso/..%2f..%2f..%2fproxy/users/api/v2/ucs/update/latest_package
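A log-hunting check for the mismatch described above, added here as an example and not code from Ubiquiti or Beazley Security: it flags requests whose raw path sits under the exempt prefix but whose decoded, normalized path resolves outside it. The nginx "combined" log format, the function names and the sample lines are assumptions made for illustration.

```python
import re
from posixpath import normpath
from urllib.parse import unquote, urlsplit

# Unauthenticated prefix named in the advisory text.
EXEMPT_PREFIX = "/api/auth/validate-sso/"
# Assumption: nginx "combined" access-log format; only the request field is parsed.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def fully_decode(path, max_rounds=5):
    """Percent-decode repeatedly so nested encodings cannot hide a separator."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def effective_path(target):
    """Path a normalizing router acts on: decoded, with dot-segments resolved."""
    decoded = fully_decode(urlsplit(target).path).replace("\\", "/")
    # normpath may keep a leading '//'; collapse it to a single slash.
    return "/" + normpath(decoded).lstrip("/")

def is_auth_bypass_attempt(target):
    """True when the raw path is under the exempt prefix but resolves outside it."""
    raw = urlsplit(target).path.lower()
    if not raw.startswith(EXEMPT_PREFIX):
        return False
    return not (effective_path(target).lower() + "/").startswith(EXEMPT_PREFIX)

def scan(lines):
    """Return (raw target, resolved path) for every suspicious request line."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m and is_auth_bypass_attempt(m.group("target")):
            hits.append((m.group("target"), effective_path(m.group("target"))))
    return hits

# Constructed sample lines (documentation address ranges, not real telemetry).
SAMPLE_LOG = [
    '203.0.113.7 - - [24/Jun/2026:10:01:02 +0000] "GET /api/auth/validate-sso/..%2f..%2f..%2fproxy/users/api/v2/ucs/update/latest_package HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.4 - - [24/Jun/2026:10:02:10 +0000] "POST /api/auth/validate-sso/ HTTP/1.1" 401 64 "-" "-"',
    '198.51.100.4 - - [24/Jun/2026:10:02:11 +0000] "GET /api/users/self HTTP/1.1" 200 900 "-" "-"',
]

if __name__ == "__main__":
    for raw, resolved in scan(SAMPLE_LOG):
        print(f"suspicious: {raw} -> {resolved}")
```

Run it over access logs that were forwarded off the device, since logs on a compromised host can be altered.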
Once an attacker has bypassed the authorization, a package-update route is accessible which runs unsanitized input through an sh -c shell wrapper. This allows an attacker to run arbitrary commands on the host OS trivially. Furthermore, UniFi OS 5.0.8 runs these commands under a service account, which has passwordless sudo on /usr/bin/uos, /usr/bin/systemctl, /bin/chmod, and critically /usr/bin/dpkg. Attackers can install arbitrary packages on the system which run as root, and can maintain persistence by enabling and running packages on the init system of the host with systemd.
How Beazley Security is responding
Beazley Security is monitoring client perimeter devices through our Exposure Management Platform to identify impacted devices and support organizations in remediation of any issues found.
We are also conducting threat hunts across our MDR environment to detect potential exploitation attempts against our clients.
If you believe your organization may have been impacted by this attack campaign and need support, please contact our Incident Response team.