CVE-2026-34909: Ubiquiti UniFi OS Path Traversal Vulnerability
Summary
Ubiquiti UniFi OS has a path traversal vulnerability that could allow an attacker on the network to access and manipulate system files, potentially leading to account compromise. Users are advised to apply vendor-provided mitigations and follow CISA's guidance on prioritizing security updates.
IFF Assessment
This vulnerability allows for unauthorized access to system files, which is a direct threat to the integrity and confidentiality of the system.
Severity
The CVSS score is estimated as High (8.8): the attack vector is the network (AV:N), no privileges are required (PR:N), and no user interaction is needed (UI:N). The impact is significant (Scope: Unchanged, Confidentiality: High, Integrity: High, Availability: High) because the flaw allows file access and manipulation on the underlying system, which could lead to account takeover.
CISA KEV: Listed as actively exploited. Federal patch due: June 26, 2026. Known ransomware use: Unknown.
Defender Context
This vulnerability in Ubiquiti UniFi OS allows network-level attackers to access sensitive files, posing a significant risk of system compromise and potential account takeover. Defenders should prioritize applying vendor-released patches or mitigations as soon as possible and ensure compliance with CISA's directives on risk-based patching.