Bishop Fox, a US offensive security firm, chained three flaws in Ubiquiti's UniFi OS Server, an access-control bypass (CVE-2026-34908), a path traversal (CVE-2026-34909), and a command injection (CVE-2026-34910), all scored CVSS 10.0, into a public demo that reaches unauthenticated root, then released a detection script 1. CVSS measures vulnerability severity on a scale to 10; three maximum scores in one chain is rare. Ubiquiti makes networking kit deployed widely across small businesses and prosumer estates, and it fixed all three in UniFi OS Server 5.0.8. CISA listed the trio as KEV (Known Exploited Vulnerabilities) entries on 23 June, with a 26 June deadline 2.
A working unauthenticated-root exploit is already public, against a product sitting on millions of estates, with a 3-day federal clock attached. That clock is the detail that ties this to the wider story: the Ubiquiti batch is the first KEV listing scored under BOD 26-04's top tier, the risk-tiered directive CISA issued on 10 June . Internet exposure, public exploit, and root-level impact together push it into the fastest 3-day window the new model allows, so this is the regime's debut in the wild.
UniFi sits in the same edge-device class as the small office, home office (SOHO) routers that Russian military intelligence unit GRU Unit 26165 has abused to relay credentials, but at far greater scale across business estates. Under the old directive, a CVSS 10.0 Cisco SD-WAN flaw drew an emergency 3-day order in May after the actor UAT-8616 was caught exploiting it . That speed was improvised then; BOD 26-04 now codifies it as a standing tier.
