KEVIntel
PRO Back to KEVs
10.0
CVSS
Critical

CVE-2026-34909

PUBLISHED

A malicious actor with access to the network could exploit a Path Traversal vulnerability found in UniFi OS devices to access files on the...

Exploited in the wild Remote Low complexity No user interaction
Vendor
Ubiquiti Inc
Product
UniFi OS Server, Express, UDM, UDM-Pro, UDM-SE, UDM-Pro-Max, UDM-Beast, EFG, UDW, UDR, UDR7, UDR-5G, Express 7, UNVR, UNVR-Pro, UNVR-Instant, UNVR-G2, UNVR-G2-Pro, ENVR, ENVR-Core, UNAS-2, UNAS-4, UNAS-Pro, UNAS-Pro-4, UNAS-Pro-8, UCKP, UCK, UCK-Enterprise, UCG-Ultra, UCG-Max, UCG-Fiber, UCG-Industrial
Published
May 22, 2026
EPSS
0.0% · 8% pctl

Automate this intelligence with the Pro API

Everything on this page — CVSS, EPSS, exploit status, PoCs, scanner integrations, mentions, tags, and immediate honeypot sensor data — is available programmatically for VM, SOC, and CTI workflows.

Learn about Pro

Description

A malicious actor with access to the network could exploit a Path Traversal vulnerability found in UniFi OS devices to access files on the underlying system that could be manipulated to access an underlying account.

Weaknesses (CWE)

  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS scores

CVSS v3.1 10.0 Critical

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Exploitation status

Exploited in the wild

Recorded 2026-06-09 07:29:00 UTC · Defused Cyber

References

Known exploited vulnerability sources

Catalogues that list this CVE as a known exploited vulnerability.

Source Added
Defused Cyber First 2026-06-09 07:29 UTC

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Added to KEVIntel