
Security researchers at Bishop Fox discovered and reported three maximum-severity vulnerabilities in Ubiquiti’s UniFi OS — the software that runs UniFi network hubs, routers, and consoles used by millions of homes and small businesses. Chained together, the three flaws (CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910) allow an attacker on the internet to take full root-level control of the device without needing a username or password. That means a hacker could access everything managed through your UniFi system: your Wi-Fi network, security cameras, door access controls, and stored identity data. Ubiquiti patched the vulnerabilities in May 2026, and no active exploitation has been confirmed so far.
The attack works by tricking the UniFi OS into treating a crafted web request as if it came from an administrator. Once inside, attackers can inject commands into a software update function that runs with the highest possible system privileges. Roughly 100,000 UniFi consoles are exposed directly to the internet, with about half of those located in the United States. If your device hasn’t updated automatically, now is the time to check.
How to check if you’re affected
Affected versions include UniFi OS Server 5.0.6 and earlier — any UniFi Console running this version or older is vulnerable and should be updated immediately.
- Log in to your UniFi console (typically at unifi.ui.com or your local controller IP).
- Navigate to Settings → System → Updates and install any available UniFi OS update.
- Confirm your UniFi OS Server is at version 5.0.8 or later after updating.
- If you manage your UniFi console remotely, ensure it is not exposed directly to the internet — place it behind a firewall or VPN for extra protection.
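If you look after more than one console, the version thresholds above can be applied to an inventory list instead of checking each device by hand. The script below is an added example, not Ubiquiti's or Bishop Fox's code; the CSV column names and console names are hypothetical, and versions between 5.0.6 and 5.0.8 are flagged for update because this page does not state their status.

```python
import csv
import io
import re

# Thresholds taken from the advisory text above.
LAST_AFFECTED = (5, 0, 6)  # "5.0.6 and earlier" is vulnerable
FIRST_FIXED = (5, 0, 8)    # "5.0.8 or later" is the target after updating

def parse_version(text):
    """Return (major, minor, patch) as ints, or None if the string is unparseable."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(p) for p in m.groups()) if m else None

def classify(version_text):
    # Compare as integer tuples: as plain strings, "5.0.10" sorts before "5.0.8".
    v = parse_version(version_text)
    if v is None:
        return "unknown"
    if v <= LAST_AFFECTED:
        return "vulnerable"
    if v < FIRST_FIXED:
        return "update"  # assumption: status not stated on the page, so update anyway
    return "patched"

def triage(inventory_csv):
    """Return consoles needing action, internet-exposed ones first."""
    order = {"vulnerable": 0, "unknown": 1, "update": 2}
    rows = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        status = classify(row["unifi_os_version"])
        if status == "patched":
            continue
        exposed = row["internet_exposed"].strip().lower() == "yes"
        rows.append((row["console"], status, exposed))
    rows.sort(key=lambda r: (not r[2], order[r[1]], r[0]))
    return rows

# Constructed sample inventory (hypothetical names and column layout).
SAMPLE = """console,unifi_os_version,internet_exposed
branch-a,5.0.6,yes
hq,5.0.10,yes
lab,4.9.12,no
home,v5.0.8,no
kiosk,5.0.7,yes
spare,unknown,no
"""

if __name__ == "__main__":
    for name, status, exposed in triage(SAMPLE):
        print(f"{name:10} {status:10} internet_exposed={exposed}")
```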
