
Critical UniFi OS Auth Bypass Flaws Lead to Unauthenticated Root RCE

ID: eaa3a5a0-9deb-5f2f-b313-f0ed0990fccd

STIX ID: report--eaa3a5a0-9deb-5f2f-b313-f0ed0990fccd

Feed Name: GBHackers

Threat Score: 92/100

Date Published: 2026-06-06

Date Updated: 2026-06-06

Author: Eswar

...
...

Ubiquiti disclosed three critical UniFi OS Server flaws (CVE-2026-34908, CVE-2026-34909 and CVE-2026-34910) that, chained together, allow a single crafted HTTP request to obtain unauthenticated root RCE; Bishop Fox demonstrated the exploit chain against version 5.0.6. The chain bypasses the authentication gateway using percent-encoded URIs, triggers command injection in the package-update service, escalates privileges through passwordless sudo to install malicious .deb packages, and exfiltrates persistent credentials and keys. A successful compromise can extend to network management, cloud access, databases, and physical security systems. Administrators are instructed to upgrade immediately to the fixed versions, to treat externally exposed unpatched instances as fully compromised, to rebuild them from known-good images, and to rotate keys and secrets.