There's an uncomfortable truth about the network gear humming away in the closet at your office: it is one of the most powerful — and most overlooked — computers you own. This week we got a sharp reminder of why that matters.
Three flaws in Ubiquiti's UniFi OS — the software that runs on UniFi gateways, network controllers, camera recorders, and door-access hubs — are being actively exploited right now. All three carry the maximum possible severity score, and CISA has already ordered federal agencies to patch them. If your business runs UniFi (a lot of Texas small businesses do, because it's good, affordable gear), this one is for you.
## ⚡ The 60-Second Version
>
- What: Three critical vulnerabilities in Ubiquiti UniFi OS — CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910, each rated CVSS 10.0 (the highest score there is). Chained together, they let an attacker on the network take complete control of the device — no password required. They're being exploited in the wild, and attackers have been seen creating hidden admin accounts.
- Fix: Update UniFi to the latest version now. Ubiquiti released the fix on May 21, 2026 (self-hosted UniFi OS Server was patched in version 5.0.8). Then check your admin accounts for anything you don't recognize.
- By when: Now. CISA's deadline for federal agencies was June 26, 2026 — that's how urgent this is.
What actually broke
Ubiquiti's UniFi line is everywhere in small business — the sleek gateways, the wall-mounted access points, the Protect cameras, the door readers. The "brain" tying all of that together is software called UniFi OS, and that's where the trouble is.
Security researchers found three separate weaknesses that, on their own, sound modest. Strung together, they're a master key:
- CVE-2026-34908 lets an attacker slip past the login screen entirely — no username or password needed.
- CVE-2026-34909 lets them read and write files on the device they were never supposed to touch.
- CVE-2026-34910 lets them run their own commands on the box.
Researchers at the security firm Bishop Fox showed that you can chain these three into full remote control of the device, running with the highest privileges. In plain terms: someone who can reach your UniFi controller can quietly own it. And this isn't theoretical — investigators have already seen attackers exploiting these flaws to create rogue administrator accounts, giving themselves a permanent back door.
Why this one matters more than most
Most vulnerabilities live inside one application — a web browser, an email server, an accounting package. This one lives in the device that sees and steers all of your network traffic.
Think about what your UniFi gear actually does. It's the front door between your office and the internet. It often runs your Wi-Fi, your security cameras, and sometimes the locks on your physical doors. An attacker who controls that box doesn't just get one foothold — they get a vantage point over everything, plus the ability to watch traffic, pivot to your servers and workstations, and disable the very cameras that would have recorded them.
The fact that CISA added all three to its Known Exploited Vulnerabilities catalog on June 23 and gave federal agencies only until June 26 to fix them tells you everything about the urgency. That catalog is reserved for flaws that are already being used in real attacks, not ones that might be someday.
Who's affected
If you have Ubiquiti UniFi equipment, assume you're in scope until you've confirmed otherwise. The affected products span the UniFi OS family — Cloud Gateways and consoles, the UniFi Network controller, Protect camera recorders (NVRs), Access door-control hubs, and Talk appliances — as well as the self-hosted UniFi OS Server software some businesses run on their own machine.
There's one detail worth sitting with: many UniFi devices are reachable through Ubiquiti's remote-management features so you can check your cameras or network from your phone. That convenience can also widen the door for an attacker if your gear is unpatched. Exposure isn't limited to businesses that deliberately opened ports on their firewall.
What this means for your business
Here's the prioritized, do-it-this-week list:
- Update now. Open your UniFi controller or the UniFi mobile app and apply the latest available updates to every UniFi device and to the controller software itself. If you self-host UniFi OS Server, get to at least version 5.0.8. Don't wait for the next maintenance window — this is the maintenance window.
- Check your admin accounts. Because attackers have been creating hidden admin users, go into your UniFi settings and review every administrator account. If you see one you don't recognize, remove it and treat the device as potentially compromised — change passwords and investigate.
- Turn on automatic updates for your UniFi gear if you haven't. The whole reason this is a five-alarm fire for some shops is that their controllers hadn't been touched in months.
- Lock down remote access. If you don't truly need to manage your network from outside the office, disable remote/cloud access or at least require multi-factor authentication on your Ubiquiti account.
- Don't stop at UniFi. Use this as a prompt to inventory every internet-facing device you own — firewalls, cameras, VPNs, that one old server in the corner. The gear we forget about is exactly the gear attackers count on.
How BVTech helps
If BVTech manages your network, you can exhale: we track CISA's exploited-vulnerability list daily, and our managed clients' UniFi and firewall gear is patched and monitored as part of the service — including a review for any unauthorized admin accounts after an incident like this. This is the quiet work that doesn't show up on an invoice line but is exactly what you're paying for.
If you're not a managed client and you're staring at a UniFi controller right now wondering when it was last updated — that uncertainty is the risk. We're glad to do a no-pressure review of your network gear and your overall exposure. You can book a call, look at our cybersecurity services, or run a quick self-check with our security scoreboard.
The devices that protect your business deserve the same care as the data they protect. A ten-minute update today is a lot cheaper than the alternative.
— Jordan Polasek · Founder, BVTech LLC