
CVE-2026-34910

Critical · CISA KEV · Active Exploitation · Public PoC · Updated

Published: 22 May 2026
Modified: 24 June 2026
KEV Added: 23 June 2026
Patch: vendor fix published in Security Advisory Bulletin 064 (see Deeper analysis)
CVSS Score (v3.1): 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.7855 (99.5th percentile)
Risk Priority: 100 (floored blend · peak EPSS)

Summary

CVE-2026-34910 is a critical-severity Improper Input Validation (CWE-20) vulnerability in UniFi OS Server (vendor: Ubiquiti, listed as "ui"). Its CVSS v3.1 base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 0.5% of all CVEs by exploit likelihood (EPSS), CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).

Deeper analysis

A malicious actor with network access could exploit an Improper Input Validation vulnerability (CWE-20) in UniFi OS devices to perform command injection. The flaw carries a CVSS v3.1 base score of 10.0, reflecting a network attack vector, low attack complexity, no required privileges or user interaction, and a changed scope with high impact on confidentiality, integrity, and availability.

An unauthenticated attacker reachable over the network can supply crafted input that results in arbitrary command execution on the affected device, potentially allowing full compromise of the UniFi OS system and any connected infrastructure.

Ubiquiti has published Security Advisory Bulletin 064, available at the referenced community.ui.com URL, which addresses the issue for UniFi OS devices. The EPSS score remains flat at 0.1815 with no material increase observed since disclosure.

Vulnerability details

A malicious actor with access to the network could exploit an Improper Input Validation vulnerability found in UniFi OS devices to execute a Command Injection.

CWE(s): CWE-20 (Improper Input Validation)
KEV Date Added: 23 June 2026

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1059 Command and Scripting Interpreter (Execution): Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

Network-accessible improper input validation enabling remote command injection directly maps to public-facing app exploitation (T1190) and arbitrary command execution via shell (T1059).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

- CVE-2026-34909 (same product: Ui Enterprise Fortress Gateway; both on KEV)
- CVE-2026-34908 (same product: Ui Enterprise Fortress Gateway; both on KEV)
- CVE-2026-34911 (same product: Ui Enterprise Fortress Gateway)
- CVE-2026-33000 (same product: Ui Unifi Os Server)
- CVE-2025-8876 (shared CWE-20; both on KEV)
- CVE-2026-6973 (shared CWE-20; both on KEV)
- CVE-2025-20393 (shared CWE-20; both on KEV)
- CVE-2026-32201 (shared CWE-20; both on KEV)
- CVE-2025-54236 (shared CWE-20; both on KEV)
- CVE-2026-34197 (shared CWE-20; both on KEV)

Affected Assets

| Vendor | Product | Affected versions |
|---|---|---|
| ui | unifi os server | ≤ 5.0.8 |
| ui | unifi cloud gateway industrial firmware | ≤ 5.1.12 |
| ui | unifi dream machine firmware | ≤ 5.1.12 |
| ui | unifi dream machine pro firmware | ≤ 5.1.12 |
| ui | unifi dream machine special edition firmware | ≤ 5.1.12 |
| ui | unifi dream machine pro max firmware | ≤ 5.1.12 |
| ui | enterprise fortress gateway firmware | ≤ 5.1.12 |
| ui | unifi dream wall firmware | ≤ 5.1.12 |
| ui | unifi dream router firmware | ≤ 5.1.12 |
| ui | unifi dream router 7 firmware | ≤ 5.1.12 |

+21 more product configuration(s) — see NVD for full list

Mitigating Controls

NIST 800-53 r5 controls (AI-assisted mapping)

- Prevent, SI-10 (Information Input Validation): directly requires validation of all input to the UniFi OS interfaces, blocking the crafted payloads that trigger command injection.
- Prevent, SC-7 (Boundary Protection): enforces boundary protection and network segmentation so that unauthenticated attackers cannot reach the vulnerable UniFi OS services.
- Prevent (control ID not preserved in this extract): mandates timely application of the vendor patch published in Security Advisory Bulletin 064, eliminating the improper-input-validation flaw.

References