← Back to Feed CACHED · 2026-05-17 09:42:19 · cache_key CVE-2025-29912
CVE-2026-34910 · CWE-20 · Disclosed 2026-05-22

A malicious actor with access to the network could exploit an Improper Input Validation vulnerability found…

ASSESSED — NOISGATE V0.5
Vendor
Reassessed
Verdict:
01 · The Real Story

This is a loaded nail gun lying inside the wiring closet, not a sniper rifle on the open internet

CVE-2026-34910 is a command-injection bug in UniFi OS caused by improper input validation. Ubiquiti and the CVE record describe it as exploitable by an actor with access to the network, and the affected population is broad: self-hosted UniFi OS Server before 5.0.8, most UniFi consoles before 5.1.12, UDM-Beast before 5.1.11, and UNAS variants before 5.1.10.

The vendor's 10.0/CRITICAL score reflects the technical outcome in a vacuum: no auth, no user interaction, and likely full command execution on an infrastructure device. In real enterprise conditions, the decisive friction is that the attacker must first reach the UniFi OS management surface from an internal segment or from an explicitly exposed management interface, which makes this materially less dangerous than a broadly reachable internet RCE but still very serious because compromise lands on a gateway/controller with oversized blast radius.

"Full device compromise is real, but the attacker first needs network reachability to the management plane."
02 · The Attack Path

4 steps from start to impact.

STEP 01

Reach the UniFi OS management plane with nmap or masscan

The attacker first identifies a reachable UniFi OS console or self-hosted UniFi OS Server by scanning internal subnets or finding a directly exposed management interface. The practical entry condition is not 'internet at large'; it is network adjacency or exposed admin plane reachability, which is a narrower and more realistic reading than the raw AV:N label suggests.
Conditions required:
  • Attacker has access to the same internal network, routed segment, or an internet-exposed UniFi management interface
  • A vulnerable UniFi OS build is still running
  • The management service is reachable through local policy, NAT, relay, or direct exposure
Where this breaks in practice:
  • Well-run enterprises do not expose router/controller admin interfaces directly to the internet
  • Segmentation or ACLs often block lateral access to infrastructure management
  • Remote administration via VPN or brokered cloud access reduces direct reachability
Detection/coverage: External attack-surface tools will find directly exposed consoles; internal scanners can find reachable web/admin surfaces, but most commodity vuln scanners will only confirm version/exposure, not safe exploitability.
STEP 02

Probe the vulnerable input with curl, httpie, or Burp Suite

Once the service is reachable, the attacker sends crafted input to the vulnerable request path and tests whether validation fails open. No public, well-known weaponized PoC was located during this assessment, so exploitation currently looks like a custom HTTP request workflow rather than a turnkey kit.
Conditions required:
  • Reachable vulnerable endpoint on UniFi OS
  • Request path or parameter can be hit without prior authentication
  • Payload handling reaches the vulnerable validation logic
Where this breaks in practice:
  • Lack of public exploit details slows low-skill abuse
  • Reverse proxies, input normalization, or vendor-side request changes may alter exploit reliability
  • Cloud-relayed administration may not expose the same attack path as direct local management
Detection/coverage: WAF coverage is inconsistent because this is an appliance management surface, not a typical web app behind enterprise WAF. HTTP logs on the appliance may show malformed requests if log retention is enabled.
STEP 03

Execute commands on the appliance with a custom payload

Successful command injection gives the attacker code execution in the security boundary of the UniFi OS device. On these platforms that often means compromise of a controller, gateway, NVR, or storage console that sits in a privileged network position and may hold credentials, adoption secrets, config data, or trust relationships to downstream managed services.
Conditions required:
  • Exploit payload successfully reaches a command-execution sink
  • Underlying process has sufficient privileges on the appliance
Where this breaks in practice:
  • Process privilege level is not fully documented in the advisory
  • Exploit chains may differ across device families and software tracks
Detection/coverage: EDR is usually absent on UniFi appliances, so post-exploitation detection is weak. Network IDS may catch reverse shells or unusual egress, but only after code execution succeeds.
STEP 04

Abuse the controller position using ssh, scp, or built-in system tooling

From the compromised appliance, the attacker can change network configuration, pivot across managed segments, capture secrets, or disrupt routing and surveillance functions. This is where the bug earns its HIGH reassessed score: the initial reachability requirement narrows exposure, but the blast radius of a successful compromise is disproportionately large.
Conditions required:
  • Compromised UniFi OS device manages routing, switching, surveillance, or identity-relevant services
  • The appliance has network paths into additional enterprise segments
Where this breaks in practice:
  • Zero-trust segmentation can limit east-west pivoting
  • Secrets may be rotated or separately vaulted
  • Some deployments use UniFi only for a narrow edge function, limiting tenant-wide impact
Detection/coverage: Look for config drift, new admins, firewall/routing changes, unexpected package or process activity, and unusual outbound connections from the console.
03 · Intelligence Metadata

The supporting signals.

In-the-wild statusNo authoritative evidence of active exploitation was found in CISA KEV, the CVE enrichment, or Ubiquiti's bulletin at time of assessment.
Proof-of-concept availabilityNo widely cited public GitHub PoC or Metasploit module was found. Current abuse likely requires a custom HTTP exploit rather than copy-paste tooling.
EPSS0.00104 (*user-provided intel*), which is low and argues against emergency fleet-wide disruption absent exposure.
KEV statusNot listed in CISA Known Exploited Vulnerabilities as of this assessment.
CVSS vector reality checkCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H captures the worst-case outcome, but the advisory text adds an important limiter: attacker must have access to the network.
Affected versionsAuthoritative CVE data shows UniFi OS Server < 5.0.8, most consoles and gateways < 5.1.12, UDM-Beast < 5.1.11, and UNAS family < 5.1.10.
Fixed versionsUse the vendor release tracks tied to Bulletin 064: UniFi OS Server 5.0.8, Cloud Keys / major console track 5.1.12, UNAS 5.1.10, and UDM-Beast 5.1.11 or later.
Exposure dataNo primary-source count for this CVE's exposed population was found. As a proxy, Censys observed 87,196 exposed hosts for the related UniFi Network Application ecosystem in March 2026; that is an inference, not a direct count of CVE-2026-34910 exposure.
Disclosure timelineUbiquiti Bulletin 064 was published 2026-05-21 and updated 2026-05-22; the CVE record shows publication on 2026-05-22.
ReporterUbiquiti's discussion thread credits John Carroll for CVE-2026-34910.
04 · The Call

noisgate verdict.

Final Verdict
DOWNGRADED to HIGH (8.3/10)

The single biggest downgrade factor is the prerequisite that the attacker must first reach the UniFi OS management plane from the network or through an intentionally exposed admin surface. That sharply reduces the reachable population compared with a true internet-wide unauthenticated RCE, but a successful hit still compromises a high-leverage infrastructure device with outsized blast radius.

HIGH Impact once exploited
MEDIUM Real-world exposure and exploitability across enterprise deployments
MEDIUM Absence of active exploitation evidence at assessment time

Why this verdict

  • Downgrade for attacker position: the advisory text requires network access, which implies internal foothold, same-segment reachability, or an already exposed management interface rather than blind internet reach.
  • Not downgraded further because blast radius is ugly: UniFi OS often sits on gateways, controllers, NVRs, and storage appliances, so command injection can hand over a privileged infrastructure node rather than a single low-value app.
  • Downgrade for exploitation reality: no KEV listing, no authoritative in-the-wild reporting, and a very low user-provided EPSS all reduce urgency versus genuinely burning edge-device RCEs.
  • Still HIGH because exposure can be self-inflicted at scale: some organizations do expose UniFi admin surfaces or allow broad lateral access to them, and those deployments erase most of the friction.
  • Vendor 10.0 overstates the median deployment: CVSS models impact well, but it does not price in how many enterprises actually make the UniFi management plane reachable to anonymous remote attackers.

Why not higher?

I am not keeping this at CRITICAL because the vendor narrative itself inserts a gating condition: the attacker needs access to the network. That means many real deployments require prior compromise, internal adjacency, or a deliberate admin-plane exposure mistake before exploitation is even possible. There is also no authoritative evidence yet that this is being exploited in the wild.

Why not lower?

I am not pushing this to MEDIUM because the exploit path still appears unauthenticated once the service is reachable, and the target is not a trivial workstation app but a network-control appliance. When you lose a gateway or controller, the downstream consequences can include credential exposure, routing changes, surveillance disruption, and lateral movement opportunities across multiple managed services.

05 · Compensating Control

What to do — in priority order.

  1. Remove direct admin-plane exposure — Block inbound internet access to UniFi OS management interfaces and require VPN or tightly controlled brokered access instead. This cuts out the easiest attack path and, for a HIGH verdict, should be deployed within 30 days.
  2. Restrict lateral access to management interfaces — Enforce ACLs so only dedicated admin jump hosts and management VLANs can reach UniFi OS consoles. This turns 'any compromised workstation on the LAN' into 'attacker also needs access to a privileged admin segment,' and should be completed within 30 days.
  3. Monitor for config and admin drift — Alert on new local admins, remote-access setting changes, firewall/routing changes, unexpected outbound connections, and package/process anomalies on UniFi appliances. This helps catch successful exploitation early and should be enabled within 30 days.
  4. Rotate secrets tied to exposed consoles — Where a vulnerable console was internet-exposed or broadly reachable internally, rotate stored credentials, API tokens, and any downstream trust material after patching because command execution could have exposed them. Prioritize this within 30 days for high-risk sites.
What doesn't work
  • Relying on MFA alone does not stop unauthenticated command injection if the vulnerable endpoint is reachable before login.
  • Assuming a generic perimeter WAF protects you is weak here because many UniFi consoles are not fronted by enterprise WAF infrastructure at all.
  • Depending on EDR is not enough because these appliances typically do not run your normal endpoint stack.
06 · Verification

Crowdsourced verification payload.

Run this on the target UniFi OS host over SSH, not from your scanner workstation. Invoke it as sudo bash verify-cve-2026-34910.sh --product auto or override detection with --product server|default|unas|udm-beast; it needs read access to local version files and may need sudo on hardened appliances.

noisgate-verify.sh
BASHREAD-ONLYSAFE
#!/usr/bin/env bash
# verify-cve-2026-34910.sh
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

set -u

PRODUCT_MODE="auto"
VERSION=""
MODEL=""

while [ $# -gt 0 ]; do
  case "$1" in
    --product)
      PRODUCT_MODE="${2:-auto}"
      shift 2
      ;;
    --version)
      VERSION="${2:-}"
      shift 2
      ;;
    -h|--help)
      echo "Usage: $0 [--product auto|server|default|unas|udm-beast] [--version X.Y.Z]"
      exit 2
      ;;
    *)
      echo "UNKNOWN: unsupported argument $1"
      exit 2
      ;;
  esac
done

read_version() {
  if [ -n "$VERSION" ]; then
    echo "$VERSION"
    return 0
  fi

  local candidates=(
    /etc/version
    /usr/lib/version
    /mnt/.rofs/etc/version
    /data/unifi-os/unifi-core/config/version
  )

  for f in "${candidates[@]}"; do
    if [ -r "$f" ]; then
      local v
      v=$(grep -Eo '[0-9]+\.[0-9]+\.[0-9]+' "$f" 2>/dev/null | head -n1)
      if [ -n "$v" ]; then
        echo "$v"
        return 0
      fi
    fi
  done

  if command -v ubnt-device-info >/dev/null 2>&1; then
    local v
    v=$(ubnt-device-info firmware 2>/dev/null | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+' | head -n1)
    if [ -n "$v" ]; then
      echo "$v"
      return 0
    fi
  fi

  return 1
}

read_model() {
  if command -v ubnt-device-info >/dev/null 2>&1; then
    ubnt-device-info model 2>/dev/null | tr '[:upper:]' '[:lower:]'
    return 0
  fi

  for f in /proc/device-tree/model /tmp/sysinfo/model; do
    if [ -r "$f" ]; then
      tr '\0' '\n' < "$f" 2>/dev/null | head -n1 | tr '[:upper:]' '[:lower:]'
      return 0
    fi
  done

  return 1
}

ver_lt() {
  # returns 0 if $1 < $2
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" != "$2" ] && [ "$1" != "$2" ]
}

classify_product() {
  local mode="$1"
  local model="$2"

  if [ "$mode" != "auto" ]; then
    echo "$mode"
    return 0
  fi

  case "$model" in
    *server*) echo "server" ;;
    *unas*) echo "unas" ;;
    *beast*) echo "udm-beast" ;;
    *) echo "default" ;;
  esac
}

VERSION=$(read_version) || {
  echo "UNKNOWN: could not determine UniFi OS version"
  exit 2
}

MODEL=$(read_model || true)
PRODUCT=$(classify_product "$PRODUCT_MODE" "$MODEL")

THRESHOLD=""
case "$PRODUCT" in
  server)
    THRESHOLD="5.0.8"
    ;;
  unas)
    THRESHOLD="5.1.10"
    ;;
  udm-beast)
    THRESHOLD="5.1.11"
    ;;
  default)
    THRESHOLD="5.1.12"
    ;;
  *)
    echo "UNKNOWN: unsupported product class $PRODUCT"
    exit 2
    ;;
esac

if ver_lt "$VERSION" "$THRESHOLD"; then
  echo "VULNERABLE: detected version $VERSION, product class $PRODUCT, fixed at $THRESHOLD or later"
  exit 1
else
  echo "PATCHED: detected version $VERSION, product class $PRODUCT, threshold $THRESHOLD"
  exit 0
fi
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning, identify every UniFi OS console and self-hosted UniFi OS Server, then immediately separate the ones with internet-exposed or broadly reachable management planes from the rest. For this HIGH reassessment, use the noisgate mitigation SLA to remove direct exposure and tighten management-plane ACLs within 30 days, and use the noisgate remediation SLA to move affected systems to the vendor-fixed versions within 180 days; if a console is already public-facing or reachable from untrusted internal segments, treat it as the front of the queue rather than routine backlog work.

Sources

  1. Ubiquiti Security Advisory Bulletin 064
  2. Ubiquiti Bulletin 064 discussion with CVE credits and fixed-version summary
  3. Ubiquiti UniFi OS Server 5.0.8 release
  4. Ubiquiti UniFi OS Cloud Keys 5.1.12 release
  5. NVD entry for CVE-2026-34910
  6. CISA Known Exploited Vulnerabilities Catalog
  7. Ubiquiti required ports reference
  8. Censys advisory on exposed UniFi ecosystem hosts (exposure proxy)
Peer Review

What defenders are saying.

Submit a review attribution: handle + country only
0 flags selected · stored anonymously
Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.