Critical UniFi OS Bug Lets Hackers Gain Root Without Authentication
A critical bug in the Ubiquiti UniFi OS Server has been disclosed that allows attackers to execute code remotely with root privileges and without authentication. The attack chains three already-fixed vulnerabilities, tracked as CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910, which were addressed in May and affect UniFi OS Server versions 5.0.6 and earlier.
Vulnerability Details
CVE-2026-34908 is an improper access control flaw that can allow unauthorized changes to vulnerable systems. CVE-2026-34909 is a path traversal vulnerability that can expose files on the underlying operating system. CVE-2026-34910 is a command injection flaw that can be exploited to execute commands on affected devices.
According to Bishop Fox researchers, who validated the complete attack path on a live UniFi OS Server 5.0.6 instance, CVE-2026-34908 and CVE-2026-34909 can be used to bypass authentication and reach a vulnerable endpoint, where CVE-2026-34910 enables command injection. Although the injected commands do not initially run as root, the researchers found that the affected service account's sudo privileges make privilege escalation trivial.
Root Cause and Exploit Chain
The root cause of the authentication bypass is a mismatch between how UniFi OS validates and routes incoming requests. Specifically, the authentication component evaluates the raw request URI, while Nginx routes requests based on a normalized version of the same URI. By crafting requests that appear to target an authentication-exempt endpoint in their raw form but resolve to protected internal routes after normalization, attackers can bypass authentication and reach backend services that should not be publicly accessible.
Once past authentication, attackers can target a package-update endpoint with CVE-2026-34910, which passes unvalidated user input into a shell command and so lets them execute arbitrary commands on the system. The injected commands run under a highly privileged service account with passwordless sudo access to several system binaries, making escalation to root trivial.
Detection and Prevention
Bishop Fox has released a free detection script to help defenders determine whether their instance is vulnerable to the unauthenticated RCE chain. The script safely sends a specially crafted request that reaches the vulnerable code path without executing any dangerous commands, and then classifies the target as “vulnerable,” “patched,” “unaffected,” or “inconclusive.”
Defenders can also look for requests containing ‘/api/auth/validate-sso/’, monitor requests to ‘ucs/update/latest_package’, watch for suspicious child processes under ‘ucs-update’, and flag unexpected sudo commands. Bishop Fox confirmed that the attack chain doesn’t work on UniFi OS Server 5.0.8, so users should upgrade to this release or later. However, organizations should also confirm that the update is being installed on a system that has not already been compromised.
- Upgrade to UniFi OS Server 5.0.8 or later
- Use the detection script to identify vulnerable instances
- Monitor for suspicious requests and activity
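The raw-versus-normalized URI mismatch described above, together with the two request indicators Bishop Fox lists, turned into a defender's log check. This is an added example, not Bishop Fox's detection script or any Ubiquiti code; it assumes combined-format access logs, approximates the proxy's normalization with posixpath, and uses constructed log lines in which “/placeholder/internal” stands in for a protected route.

```python
import posixpath
import re
from urllib.parse import unquote

# Indicators named in the Bishop Fox guidance above.
AUTH_EXEMPT_PREFIX = "/api/auth/validate-sso/"
UPDATE_ENDPOINT = "ucs/update/latest_package"

# Constructed access-log lines (combined format); "/placeholder/internal" stands in for a protected route.
SAMPLE_LOG = [
    '203.0.113.10 - - [01/Jun/2026:12:00:00 +0000] "GET /api/auth/validate-sso/?token=abc HTTP/1.1" 200 512',
    '203.0.113.10 - - [01/Jun/2026:12:00:05 +0000] "GET /api/auth/validate-sso/..%2f..%2fplaceholder/internal HTTP/1.1" 200 88',
    '198.51.100.7 - - [01/Jun/2026:12:01:00 +0000] "POST /ucs/update/latest_package HTTP/1.1" 200 40',
    '192.0.2.5 - - [01/Jun/2026:12:02:00 +0000] "GET /manage/ HTTP/1.1" 200 1024',
]
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]+" (?P<status>\d{3})')

def normalize_uri(raw_uri: str) -> str:
    """Proxy's-eye view of a request: drop the query, percent-decode until stable, collapse dot segments."""
    path = raw_uri.split("?", 1)[0]
    for _ in range(3):  # bounded loop also unwraps double-encoded input such as %252e
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    norm = posixpath.normpath(path)  # '..' above the root is discarded, as a proxy would do
    if path.endswith("/") and not norm.endswith("/"):
        norm += "/"  # keep the trailing slash so prefix checks stay meaningful
    return norm

def classify(line: str):
    """Return a finding record for one log line, or None if it is unremarkable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    raw, norm = m.group("uri"), normalize_uri(m.group("uri"))
    findings = []
    # Raw URI carries the auth-exempt prefix, but the routed path lands elsewhere.
    if AUTH_EXEMPT_PREFIX in raw and not norm.startswith(AUTH_EXEMPT_PREFIX):
        findings.append("auth-exempt prefix in raw URI, normalized path escapes it")
    if UPDATE_ENDPOINT in norm:
        findings.append("request reaches the package-update endpoint")
    if not findings:
        return None
    return {"ip": m.group("ip"), "time": m.group("ts"), "raw": raw, "normalized": norm, "findings": findings}

def scan_log(lines):
    """Run classify() over every line and keep only the hits."""
    return [hit for hit in map(classify, lines) if hit]
```

On the constructed sample, the legitimate SSO request and the console page produce no finding, while the traversal request and the direct call to the update endpoint are each flagged.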
“A UniFi OS Server is not a generic Linux box; it is the management plane for an organization’s network, including, where those devices are deployed, its physical-access doors, surveillance cameras, and the identities tied to them,” explains Bishop Fox. “Root on the appliance is administrative control over everything the console governs.”
Source: BleepingComputer