Researchers showed that three patched UniFi OS Server flaws, CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910, can be chained to bypass authentication and achieve unauthenticated remote code execution with root privileges. Bishop Fox released a detection script and advised upgrading UniFi OS Server to version 5.0.8 or later to stop the exploit chain.
Key points
- Three patched UniFi OS Server flaws can be chained for root RCE.
- CVE-2026-34908 and CVE-2026-34909 bypass authentication to reach protected routes.
- CVE-2026-34910 enables command injection on affected devices.
- The injected commands run under a privileged service account with sudo access.
- Bishop Fox released a detection script and recommends upgrading to UniFi OS Server 5.0.8 or later.