**Ubiquiti** has released security updates to patch three maximum severity vulnerabilities in UniFi OS that can be exploited by remote attackers without privileges. UniFi OS is a unified operating system that powers UniFi Consoles and helps manage IT infrastructure, including networking, security, and other services, as well as UniFi applications such as UniFi Network, UniFi Protect, UniFi Access, UniFi Talk, and UniFi Connect. ### Critical Vulnerabilities Addressed The first flaw (**CVE-2026-34908**) enables attackers to make unauthorized changes to targeted systems by exploiting an Improper Access Control weakness in UniFi OS. The second (**CVE-2026-34909**) allows them to access files on the underlying system by abusing a Path Traversal vulnerability, which could be manipulated to access an underlying account. A third maximum severity security issue (**CVE-2026-34910**) makes it possible for malicious actors to launch a command injection attack after gaining network access by exploiting an Improper Input Validation vulnerability. On Thursday, **Ubiquiti** also patched a second critical command injection flaw (**CVE-2026-33000**) and a high-severity information disclosure (**CVE-2026-34911**), both affecting Unifi OS devices. ### Exploitation & Exposure **Ubiquiti** has yet to disclose whether any of the five vulnerabilities were exploited in the wild before disclosure, but shared that they can be exploited in low-complexity attacks and were reported through its **HackerOne** bug bounty program. At the moment, threat intelligence company **Censys** is tracking nearly 100,000 Internet-exposed UniFi OS endpoints, most of them (nearly 50,000 IP addresses) found in the United States. However, there is currently no information on how many have been secured against potential attacks targeting the vulnerabilities **Ubiquiti** patched this week.  *UniFi OS endpoints exposed online (Censys)* ### Past Vulnerabilities and Botnet Activity In March, **Ubiquiti** patched another maximum-severity flaw (**CVE-2026-22557**) in the UniFi Network Application that may allow attackers to take over user accounts, as well as a vulnerability (**CVE-2026-22558**) that can be exploited to escalate privileges. **Ubiquiti** products have been targeted by both state-backed hacking groups and cybercriminals in recent years, in campaigns that hijacked them to build botnets that concealed the threat actors' malicious activity. For instance, in February 2024, the **FBI** took down **Moobot**, a botnet of hacked Ubiquiti Edge OS routers used by Russia's Main Intelligence Directorate of the General Staff (GRU) to proxy malicious traffic in cyberespionage attacks targeting the United States and its allies. Four years ago, in April 2022, the U.S. Cybersecurity and Infrastructure Security Agency (**CISA**) also added a critical command injection flaw (**CVE-2010-5330**) in Ubiquiti AirOS to its catalog of actively exploited vulnerabilities and ordered federal agencies to secure their devices within three weeks.