
Ubiquiti UniFi OS critical fixes: CVE-2026-33000 and related flaws


Ubiquiti has published Security Advisory Bulletin 064 describing multiple critical vulnerabilities affecting UniFi OS devices. The bulletin lists CVE-2026-33000 and four related issues (CVE-2026-34908, CVE-2026-34909, CVE-2026-34910, CVE-2026-34911) and provides fixed versions for a broad set of appliances. Based on the advisory, several flaws can be triggered by an actor with network access, and one entry carries a CVSS v3.1 base score of 10.0 (Critical). Ubiquiti rates CVE-2026-33000 at 9.1 (Critical).

Why it matters: UniFi OS devices often sit at the heart of small business and home networks. Issues involving command injection, access control, and path traversal can have serious consequences if left unpatched, even when exploitation requires network reachability or specific privileges.

What Ubiquiti reported

According to Security Advisory Bulletin 064 (published May 21, 2026; updated May 22, 2026):

  • CVE-2026-33000: Improper input validation in UniFi OS devices can lead to command injection. The advisory states an actor with network access and high privileges could exploit this. Ubiquiti assigns CVSS v3.1 9.1 (Critical). The UniFi OS Server up to version 5.0.6 is listed as affected, with fixes in 5.0.8 and later.
  • CVE-2026-34908: Improper access control in UniFi OS devices could allow unauthorized changes to the system by an actor with network access. Ubiquiti rates at least one vulnerability in this bulletin at CVSS 10.0 (Critical).
  • CVE-2026-34909: A path traversal issue could allow an actor with network access to reach files on the underlying system; per the bulletin, those files could be manipulated to gain access to an account on that system.
  • CVE-2026-34910: Another improper input validation flaw that can enable command injection when accessed over the network.
  • CVE-2026-34911: A path traversal flaw that, per the bulletin, can be abused by a low-privileged actor with network access to obtain sensitive information from underlying files.

The advisory credits CVE-2026-33000 to “V3rlust.” It does not provide exploitation-in-the-wild details in the material reviewed here.

Affected products and fixed versions

Ubiquiti’s bulletin lists specific devices and the minimum UniFi OS versions that address these issues. Based on the advisory text:

  • UniFi OS Server: affected through 5.0.6; update to 5.0.8 or later.
  • UCG-Industrial: affected through 5.0.13; update to 5.1.12 or later.
  • UDM, UDM-Pro, UDM-SE, UDM-Pro-Max, EFG, UDW, UDR, UDR7, Express 7, UNVR, UNVR-Pro, UNVR-Instant, ENVR, UCG-Ultra, UCG-Max, UCG-Fiber: affected through 5.0.16; update to 5.1.12 or later.
  • UDR-5G, ENVR-Core, UCKP, UCK, UCK-Enterprise: affected through 5.0.17; update to 5.1.12 or later.
  • UNVR-G2, UNVR-G2-Pro: affected through 5.1.11; update to 5.1.12 or later.
  • UNAS-2, UNAS-4, UNAS-Pro, UNAS-Pro-4, UNAS-Pro-8: affected through 5.1.8; update to 5.1.10 or later.
  • UDM-Beast: affected through 5.1.8; update to 5.1.11 or later.

If your device model appears above and is running a version at or below the stated threshold, the bulletin advises upgrading to the indicated fixed release (or later).

Practical next steps

  • Identify your UniFi OS device model and current software version.
  • Compare against the affected-version thresholds above.
  • If affected, upgrade to the minimum fixed version (or a newer available release) as noted in the advisory.
  • Refer to Ubiquiti’s bulletin for any subsequent updates: Security Advisory Bulletin 064.
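The affected/fixed table above and the three "compare and upgrade" steps lend themselves to a small inventory check. The following is an added example written for this article, not Ubiquiti's code: it encodes the per-model thresholds exactly as quoted from Bulletin 064, parses UniFi OS versions numerically (a plain string compare would rank 5.0.16 below 5.0.8), and classifies each device as affected, fixed, or indeterminate. The indeterminate case matters because for several models the bulletin's "affected through" version and its "update to" version are not adjacent (for example UCG-Industrial: affected through 5.0.13, fixed in 5.1.12), so a device running a release in that gap should be checked against the advisory rather than silently treated as safe. The inventory lines at the bottom are constructed sample input.

```python
"""Classify UniFi OS devices against Ubiquiti Security Advisory Bulletin 064.

Added example (not vendor code). The thresholds below are transcribed from the
advisory as quoted in the article; re-check them against the bulletin before use.
"""
from typing import Dict, List, Tuple

# Per model: (affected through, fixed in), lower-cased for lookup.
_GROUPS = [
    (["UniFi OS Server"], "5.0.6", "5.0.8"),
    (["UCG-Industrial"], "5.0.13", "5.1.12"),
    (["UDM", "UDM-Pro", "UDM-SE", "UDM-Pro-Max", "EFG", "UDW", "UDR", "UDR7",
      "Express 7", "UNVR", "UNVR-Pro", "UNVR-Instant", "ENVR", "UCG-Ultra",
      "UCG-Max", "UCG-Fiber"], "5.0.16", "5.1.12"),
    (["UDR-5G", "ENVR-Core", "UCKP", "UCK", "UCK-Enterprise"], "5.0.17", "5.1.12"),
    (["UNVR-G2", "UNVR-G2-Pro"], "5.1.11", "5.1.12"),
    (["UNAS-2", "UNAS-4", "UNAS-Pro", "UNAS-Pro-4", "UNAS-Pro-8"], "5.1.8", "5.1.10"),
    (["UDM-Beast"], "5.1.8", "5.1.11"),
]
ADVISORY_064: Dict[str, Tuple[str, str]] = {
    model.lower(): (affected_through, fixed_in)
    for models, affected_through, fixed_in in _GROUPS
    for model in models
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '5.0.16' into (5, 0, 16) so comparisons are numeric.

    Rejects anything that is not dot-separated integers (e.g. beta suffixes),
    since guessing how such a build ranks could hide an affected device.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable UniFi OS version: {version!r}")
    return tuple(int(p) for p in parts)


def assess(model: str, version: str) -> str:
    """Return 'affected', 'fixed', 'indeterminate', or 'unlisted'.

    - affected:      version <= the bulletin's 'affected through' value
    - fixed:         version >= the bulletin's 'update to' value
    - indeterminate: between the two (the bulletin does not cover it explicitly)
    - unlisted:      model not named in the bulletin at all
    """
    entry = ADVISORY_064.get(model.strip().lower())
    if entry is None:
        return "unlisted"
    current = parse_version(version)
    affected_through, fixed_in = (parse_version(v) for v in entry)
    if current <= affected_through:
        return "affected"
    if current >= fixed_in:
        return "fixed"
    return "indeterminate"


def assess_inventory(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Assess 'model,version' lines; unparseable versions are flagged, not skipped."""
    results = []
    for line in lines:
        model, _, version = line.partition(",")
        try:
            status = assess(model, version)
        except ValueError:
            status = "unparseable-version"
        results.append((model.strip(), version.strip(), status))
    return results


if __name__ == "__main__":
    # Constructed sample inventory, not real devices.
    sample = [
        "UDM-Pro,5.0.16",          # at the threshold: affected
        "UDM-Pro,5.1.12",          # at the fixed release: fixed
        "UCG-Industrial,5.1.0",    # in the gap: consult the advisory
        "UniFi OS Server,5.0.8",   # fixed
        "UNAS-Pro,5.0.9",          # affected (numeric compare, not lexical)
        "SomeOtherBox,1.2.3",      # not in the bulletin
    ]
    for model, version, status in assess_inventory(sample):
        print(f"{model:16} {version:8} {status}")
```

Match on the exact model strings the controller reports; the lookup is case-insensitive but does not attempt fuzzy matching, so an unrecognised spelling shows up as "unlisted" rather than being guessed.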

What’s clear—and what isn’t

From the advisory text, exploitation requires network access for all listed issues, and privilege requirements vary by CVE (for example, high privileges for CVE-2026-33000 and low privileges for CVE-2026-34911). The bulletin assigns CVSS 9.1 (Critical) to CVE-2026-33000 and indicates at least one other issue is 10.0 (Critical).

The evidence reviewed here does not state whether these vulnerabilities have been exploited in the wild. If that status matters to your risk assessment, monitor the vendor page for updates.

Bottom line

Patch quickly if you manage UniFi OS devices. The vendor has issued fixed versions across a wide range of hardware, and the impact ratings are critical. When in doubt, consult the official advisory and move to the recommended release line as soon as practicable.
