CVE Tools
Back to feed
Bishop Fox ·EN-US Vendor research

Popping Root on UniFi OS Server: Unauthenticated RCE Chain Detection & Analysis

By Jon Williams··21 min read
TL;DR

Ubiquiti’s Security Advisory Bulletin 064 covers vulnerabilities across the UniFi OS device family that chain into unauthenticated remote code execution. An attacker bypasses the front-end authentication gateway to reach an internal API endpoint that runs an attacker-controlled value as a shell command, all without credentials.

We confirmed the full chain end-to-end, turning a single request into a reverse shell with full root privileges. The severity comes from what the appliance controls: it is the management plane for the network it runs. Root on it, therefore, exposes every stored secret, lets an attacker forge admin sessions that survive the patch, and, in physical deployments, can compromise managed devices including door controls and security cameras.

The only precondition for exploitation is access to the admin interface. Patch to UniFi OS Server (UOS) 5.0.8 or later, then rotate secrets, because patching does not evict an attacker who already got in. Bishop Fox has published a CVE-2026-34908-check">safe detection tool; read on for the detection method, the preconditions, and the full post-exploitation picture.

Continue reading on Bishop Fox