Skip to content

Critical UniFi OS Bug Allows Hackers to Gain Root Without Authentication

A critical vulnerability has been discovered in the UniFi OS server, allowing hackers to gain root access without any form of authentication. The bug, tracked as CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910, was previously fixed in May but can be chained together for remote code execution.

The vulnerability affects UniFi OS Server versions 5.0.6 and earlier, with the bug being a combination of three separate flaws: an improper access control flaw (CVE-2026-34908), a path traversal vulnerability (CVE-2026-34909), and a command injection flaw (CVE-2026-34910). These vulnerabilities were previously patched in May but can still be exploited by chaining them together.

According to Bishop Fox researchers, who validated the attack path on a live UniFi OS Server 5.0.6 instance, attackers can bypass authentication and reach a vulnerable endpoint using CVE-2026-34908 and CVE-2026-34909. The command injection flaw (CVE-2026-34910) then enables remote code execution.

The researchers found that the injected commands do not initially run as root but the affected service account’s sudo privileges make privilege escalation trivial. No credentials, user interaction, or prior access are required to obtain a root shell on the target.

A UniFi OS Server is not just a generic Linux box; it is the management plane for an organization’s network, including physical-access doors, surveillance cameras, and identities tied to them. Root on the appliance is administrative control over everything the console governs.

The root cause of the authentication bypass is a mismatch between how UniFi OS validates and routes incoming requests. By crafting requests that appear to target an authentication-exempt endpoint in their raw form but resolve to protected internal routes after normalization, attackers can bypass authentication and reach backend services that should not be publicly accessible.

Once inside, the attackers can target a package-update endpoint with CVE-2026-34910, passing unvalidated user input into a shell command to execute arbitrary commands on the system. The injected commands execute under a highly privileged service account with passwordless sudo access to several system binaries, making escalation to root trivial.

Bishop Fox has released a free detection script to help defenders discover if their instance is vulnerable to the unauthenticated RCE chain. However, it’s essential to note that the script does not detect active attacks, whether exploitation has occurred in the past, or if persistence mechanisms or backdoors are present on the target.

Defenders can also look for requests containing ‘/api/auth/validate-sso/’ and monitor requests to ‘ucs/update/latest_package,’ suspicious child processes under ‘ucs-update,’ and unexpected sudo commands. Bishop Fox confirmed that the attack chain doesn’t work on UniFi OS Server 5.0.8, so users should upgrade to this release or later.

**Update Your UniFi OS Server Immediately**

The vulnerability in question is a critical one, allowing hackers to gain root access without any form of authentication. As such, it’s essential that you update your UniFi OS Server to the latest version as soon as possible. This will ensure that you’re protected against this vulnerability and prevent potential attacks.

**What You Can Do To Protect Yourself**

If you haven’t already, make sure to upgrade your UniFi OS Server to version 5.0.8 or later. Additionally, use the free detection script provided by Bishop Fox to check if your instance is vulnerable to the unauthenticated RCE chain.

**Conclusion**

The critical vulnerability in UniFi OS allows hackers to gain root access without any form of authentication. This is a serious issue that requires immediate attention from all users. By updating your UniFi OS Server and using the detection script, you can protect yourself against this vulnerability and prevent potential attacks.

**Tags:**

* UniFi OS

* Vulnerability

* Root Access

* Authentication Bypass

* Remote Code Execution

**Approved:** True

**Quality Score:** 90

Source: Original article

Leave a Reply

Your email address will not be published. Required fields are marked *