Skip to content
You can now search across every topic, entity and event.What's new
Cybersecurity: Threats and Defences
4JUL

Triple CVSS-10 Ubiquiti chain hits root

3 min read
11:00UTC

Bishop Fox chained three maximum-severity UniFi OS flaws into a public unauthenticated-root demo. CISA listed all three on 23 June with a 3-day deadline.

TechnologyDeveloping
Key takeaway

A public root exploit on millions of devices drew the new regime's fastest 3-day patch order.

Bishop Fox, a US offensive security firm, chained three flaws in Ubiquiti's UniFi OS Server, an access-control bypass (CVE-2026-34908), a path traversal (CVE-2026-34909), and a command injection (CVE-2026-34910), all scored CVSS 10.0, into a public demo that reaches unauthenticated root, then released a detection script 1. CVSS measures vulnerability severity on a scale to 10; three maximum scores in one chain is rare. Ubiquiti makes networking kit deployed widely across small businesses and prosumer estates, and it fixed all three in UniFi OS Server 5.0.8. CISA listed the trio as KEV (Known Exploited Vulnerabilities) entries on 23 June, with a 26 June deadline 2.

A working unauthenticated-root exploit is already public, against a product sitting on millions of estates, with a 3-day federal clock attached. That clock is the detail that ties this to the wider story: the Ubiquiti batch is the first KEV listing scored under BOD 26-04's top tier, the risk-tiered directive CISA issued on 10 June . Internet exposure, public exploit, and root-level impact together push it into the fastest 3-day window the new model allows, so this is the regime's debut in the wild.

UniFi sits in the same edge-device class as the small office, home office (SOHO) routers that Russian military intelligence unit GRU Unit 26165 has abused to relay credentials, but at far greater scale across business estates. Under the old directive, a CVSS 10.0 Cisco SD-WAN flaw drew an emergency 3-day order in May after the actor UAT-8616 was caught exploiting it . That speed was improvised then; BOD 26-04 now codifies it as a standing tier.

Deep Analysis

In plain English

Ubiquiti makes popular networking equipment used by small businesses, restaurants, hotels, and prosumers to manage Wi-Fi networks, switches, and security cameras from a central web interface. Approximately 4.2 million of these devices are active worldwide. Researchers at Bishop Fox found three separate security flaws in the software running on Ubiquiti's network management appliances. Each flaw on its own allows a partial intrusion. Chained together in sequence, they let an attacker gain complete control of the device without needing a username or password at all. CISA added all three to its mandatory-patch list on 23 June with a three-day deadline. Ubiquiti released a fix in version 5.0.8 of its software, and updating is urgent.

Deep Analysis
Root Causes

Ubiquiti sits in a structurally exposed position shared by all SME networking vendors: the product must be simple enough for a non-security-specialist to deploy, which means default configurations prioritise usability over isolation. UniFi's Dream Machine and Cloud Key appliances place the management web interface on the same network segment as the managed devices by default, removing the network-layer access control that would otherwise limit the exploitable surface.

The SOHO and SME networking market has no equivalent to the enterprise security review cycle that larger vendors use before shipping authentication code. GRU Unit 26165 exploited SOHO routers for Microsoft 365 credential harvesting earlier in 2026 for the same structural reason: small-footprint networking equipment has thin security teams and long patch cycles, making it a reliable initial-access surface for both state actors and criminal groups.

What could happen next?
  • Risk

    The 3-day BOD 26-04 deadline is operationally unreachable for most SME-class Ubiquiti deployments managed by MSPs; the practical patch window is 14 to 30 days, meaning a large proportion of the installed base will remain exploitable for at least two weeks after the deadline.

    Immediate · Assessed
  • Precedent

    The Ubiquiti batch is the first KEV listing to use BOD 26-04's top 3-day tier in the wild, establishing the practical compliance ceiling for the new regime; if MSPs demonstrate they cannot reach the 3-day window, it will prompt CISA to issue guidance on compensating controls for unmanageable deadlines.

    Short term · Reported
  • Consequence

    State actors and ransomware crews that exploited SOHO and SME networking equipment as initial-access vectors in 2025-2026 now have a publicly documented three-CVE chain against one of the most widely deployed SME network management platforms.

    Immediate · Assessed
First Reported In

Update #8 · CISA tears up the KEV deadline rulebook

BleepingComputer· 24 Jun 2026
Read original
Different Perspectives
UK managed service providers and data centre operators
UK managed service providers and data centre operators
Newly brought into critical-infrastructure scope by the Cyber Security and Resilience Bill's Lords second reading, facing fines up to £17m or 4% of global turnover and a new near-miss reporting duty they did not previously carry. The sector moves from best-practice guidance to statutory exposure within this Parliamentary session.
Threat-intelligence industry
Threat-intelligence industry
SOCRadar's confirmation that one operator sits on two ransomware crews' negotiation panels, following Bitdefender's affiliate-overlap flag six weeks earlier, gives the sector its second independent data point that brand-based tracking undercounts shared access. The firms doing this work are shifting language from named-group attribution toward access-broker mapping.
FSB Centre 16
FSB Centre 16
Named by NCSC as running an SNMP-hijacking campaign against communications, energy, healthcare, defence and financial-services operators, harvesting device data and reconfiguring routers through a decades-old plaintext-authentication protocol. The campaign runs in parallel to, not in place of, the GRU's separate DNS-hijacking operation named in April.
CISA
CISA
CISA's Known Exploited Vulnerabilities catalogue added seven CVEs between 5 and 14 July, none from a headline security vendor, capped by the 18-year-old Cisco IOS bug CVE-2008-4128. BOD 26-04's risk-tiered listing rules make that slowdown as much a policy artefact as a threat-intensity read.
Nidec
Nidec
Nidec faces a $2m demand from Blackfield after the crew breached a server at its supplier Chaun Choung Technology rather than Nidec's own network. The attack reached Nidec's data without touching its own perimeter at all, the same supply-chain route World Leaks used against Tata Electronics.
Tata Electronics
Tata Electronics
Tata Electronics restricted remote access to its purchase-order systems and hired a forensic consultant after World Leaks posted 630GB of its files, including purported Apple and Tesla design material, to a leak site. The exposed value sits on its customers' balance sheets, not its own, which is what makes it hard to price.