CVE-2026-34910 -- CVSS 10.0 Vulnerability Briefing
CVE-2026-34910 | CVSS 10.0 (Critical) | Exploit: PoC available
What Is It
CVE-2026-34910 is a critical command injection vulnerability affecting UniFi OS devices, exploitable by any attacker with network access to the affected device.
Technical Detail
The flaw stems from improper input validation within UniFi OS, allowing an attacker to inject and execute arbitrary operating system commands by sending crafted input over the network. No authentication requirement has been specified in the available disclosure, meaning the attack surface may be accessible to unauthenticated network-adjacent or remote actors. Successful exploitation results in remote code execution on the underlying device, with potential for full system compromise depending on the privilege context of the affected process.
Exploitation Status
A proof-of-concept exploit is publicly available. This CVE is not currently listed in the CISA Known Exploited Vulnerabilities catalog, meaning active in-the-wild exploitation has not been formally confirmed by CISA as of this writing. However, the availability of a PoC combined with the CVSS 10.0 score significantly lowers the barrier for exploitation and warrants urgent attention.
Who Is Targeting This
No specific threat actor attribution at this time. No confirmed or reported threat actor associations have been established for this vulnerability as of May 23, 2026.
What To Do
Apply any available UniFi OS patches from Ubiquiti immediately, prioritizing internet-facing and network-edge UniFi devices. If a patch is not yet available, restrict management interface access to trusted internal networks or VPN-only segments and block direct network exposure of UniFi OS management ports at the perimeter. Monitor for anomalous command execution, unexpected outbound connections, or unusual process spawning from UniFi OS processes as potential indicators of exploitation. Given the CVSS 10.0 score and public PoC availability, treat this as a high-priority patch cycle regardless of KEV status.
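As an added example (not from the briefing or from Ubiquiti), the following Python snippet implements the "unusual process spawning" check described above: it scans process-start events and flags command interpreters or network tools launched by a UniFi OS service process. The parent process names, the JSON event format and the sample events are assumptions constructed for this illustration; replace them with the service names and telemetry format of your own deployment.

```python
import json
from typing import Iterable, List, Optional

# ASSUMPTION: parent process names of UniFi OS services; not taken from the briefing,
# adjust to what your device inventory actually shows.
UNIFI_PARENTS = {"unifi-core", "unifi-os", "ubios-udapi-server"}
# Children a management service should not normally spawn.
SHELLS = {"sh", "bash", "dash", "ash", "busybox"}
NET_TOOLS = {"curl", "wget", "nc", "ncat", "telnet"}


def classify(event: dict) -> Optional[str]:
    """Return a detection label for one process-spawn event, or None if benign."""
    parent = event.get("parent_comm", "")
    child = event.get("comm", "")
    if parent not in UNIFI_PARENTS:
        return None
    if child in SHELLS:
        return "command interpreter spawned by UniFi OS service"
    if child in NET_TOOLS:
        return "network tool spawned by UniFi OS service (possible outbound connection)"
    return None


def scan(lines: Iterable[str]) -> List[dict]:
    """Parse JSON-lines process events and return the suspicious ones."""
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip malformed telemetry instead of crashing the monitor
        label = classify(event)
        if label:
            findings.append({"pid": event.get("pid"), "parent": event.get("parent_comm"),
                             "cmdline": event.get("cmdline"), "reason": label})
    return findings


# Constructed sample telemetry (hypothetical values, 203.0.113.0/24 is a documentation range).
SAMPLE_EVENTS = """
{"pid": 1201, "comm": "sh", "parent_comm": "unifi-core", "cmdline": "sh -c id"}
{"pid": 1202, "comm": "node", "parent_comm": "unifi-core", "cmdline": "node /usr/share/unifi-core/app.js"}
{"pid": 1203, "comm": "curl", "parent_comm": "ubios-udapi-server", "cmdline": "curl -s http://203.0.113.5/"}
{"pid": 1204, "comm": "sh", "parent_comm": "cron", "cmdline": "sh -c /etc/cron.daily/logrotate"}
not-json garbage line
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS.splitlines()):
        print(finding)
```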