Critical 3-Exploit Chain Grants Root Access on UniFi OS Server
Thanks to an exploitation chain built on 3 critical security flaws, attackers can execute remote code as root on vulnerable Ubiquiti UniFi OS servers. This security alert should prompt you to upgrade your instance to at least UniFi OS Server 5.0.8.
On May 21, 2026, Ubiquiti patched three security flaws in the UniFi OS system: CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910.
Beyond the risk posed by each of these vulnerabilities individually, a report published by Bishop Fox researchers reveals a more concerning one: the three flaws can be chained to execute remote code on the UniFi OS Server instance as root, without prior authentication.
A Web request leads to root privileges
This exploitation chain stems from a parsing discrepancy between two key components of Ubiquiti's system. On one side, the module responsible for validating authentication within UniFi OS inspects the request's URI in its raw form (raw URI). On the other, the Nginx server routes and redirects that same request based on a cleaned and standardized version (normalized URI).
By exploiting this lack of consistency, an attacker can manipulate and spoof an HTTP request. To the UniFi OS control system, the request appears to target a page or service that is publicly accessible without logging in. However, once Nginx processes and normalizes this request, it is internally redirected to a protected function.
Since the attacker has bypassed the authentication step through this request-level manipulation, they can freely access a normally protected section.
This first part of the exploitation chain relies on CVE-2026-34908 and CVE-2026-34909 to bypass authentication. The third flaw, namely CVE-2026-34910, is then exploited and allows command injection.
It is important to note that commands initially executed via CVE-2026-34910 do not have root privileges. However, Bishop Fox researchers explain that the affected service has the permissions to run commands via sudo without a password.
As a result, root permissions on the UniFi OS instance are easily obtained by abusing that passwordless sudo access.
"A UniFi OS server is not just a generic Linux machine; it is the network management plane of an organization, including, where these devices are deployed, its physical access doors, surveillance cameras, and the identities tied to them," explains Bishop Fox.
Is your UniFi OS instance vulnerable?
In addition to its technical report, Bishop Fox published a detection script intended for UniFi OS server administrators. This tool is designed to send a specific request to your instance in order to test the path that enables exploitation of these three vulnerabilities.
It then classifies the target into four states: vulnerable, patched, unaffected, or inconclusive. To protect yourself, you must run at least UniFi OS Server 5.0.8. Versions 5.0.6 and earlier are vulnerable to these flaws.
The tool provided by Bishop Fox cannot detect a past attack or a compromise of your instance. It only tests the instance live.
To spot possible signs of exploitation, you can inspect your environment for:
- Requests containing the string /api/auth/validate-sso/
- Requests sent to ucs/update/latest_package
- Suspicious child processes running under ucs-update
- Suspicious sudo commands executed on the server.
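As an added example (not part of the article or of Bishop Fox's tooling), the following Python script applies the indicators above to Nginx access-log lines. It also flags any request whose raw URI differs from its normalized form, since that raw-versus-normalized gap is the root of the authentication bypass. The log lines, client addresses and timestamps are constructed sample data; the log format is assumed to be Nginx's standard combined format.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed sample access-log lines (nginx combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [21/May/2026:10:00:01 +0000] "GET /api/auth/validate-sso/ HTTP/1.1" 200 12 "-" "curl/8.0"
203.0.113.7 - - [21/May/2026:10:00:02 +0000] "POST /ucs/update/latest_package HTTP/1.1" 200 0 "-" "curl/8.0"
198.51.100.4 - - [21/May/2026:10:00:03 +0000] "GET /static/../manage/ HTTP/1.1" 200 51 "-" "Mozilla/5.0"
198.51.100.4 - - [21/May/2026:10:00:04 +0000] "GET /manage/ HTTP/1.1" 200 51 "-" "Mozilla/5.0"
"""

# Indicator strings taken from the Bishop Fox guidance summarized in the article.
INDICATOR_STRINGS = ("/api/auth/validate-sso/", "ucs/update/latest_package")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3})'
)


def normalize_uri(raw_uri: str) -> str:
    """Approximate what a front-end proxy does before routing: drop the
    query string, percent-decode, then collapse dot segments (assumption:
    this mirrors Nginx closely enough for triage, not a byte-exact model)."""
    path = raw_uri.split("?", 1)[0]
    path = unquote(path)
    normalized = posixpath.normpath(path)
    if path.endswith("/") and not normalized.endswith("/"):
        normalized += "/"  # normpath strips a trailing slash; keep it for comparison
    return normalized


def scan_access_log(text: str) -> list[dict]:
    """Return one finding per log line that matches an indicator string or
    whose raw URI would route differently once normalized."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        raw = m.group("uri")
        reasons = [f"contains indicator {s}" for s in INDICATOR_STRINGS if s in raw]
        norm = normalize_uri(raw)
        if norm != raw.split("?", 1)[0]:
            reasons.append(f"raw URI {raw} normalizes to {norm}")
        if reasons:
            findings.append({"ip": m.group("ip"), "ts": m.group("ts"), "uri": raw, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["uri"], "; ".join(f["reasons"]))
```

Run it against a real log with `scan_access_log(open("/path/to/access.log").read())`; a hit on the mismatch heuristic alone is a triage lead, not proof of exploitation.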
Beyond updating, it is also wise to check whether the damage has already been done: patching alone does not remediate a server that was compromised before the fix was applied.