Breaking: Ubiquiti UniFi OS Under Active Mirai Botnet Exploitation — Three CVSS 10.0 Flaws — 24 June 2026
Ubiquiti UniFi OS — Three CVSS 10.0 Flaws Under Active Mirai Botnet Exploitation
Three independent CVSS 10.0 vulnerabilities in Ubiquiti UniFi OS are being chain-exploited in the wild to deliver Mirai-class botnet implants, with no authentication required. CISA added CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910 to the Known Exploited Vulnerabilities catalog on June 23, with a BOD 26-04 remediation deadline of June 26 — just three days.
The three flaws are individually critical, but the observed exploit chain combines two of them for devastating effect. CVE-2026-34908 is an improper access control bypass in UniFi OS's nginx auth gateway: an attacker sends a request whose double-encoded path traversal (`..%2f`) nginx's route matching treats as a public path, while the backend normalises the same path and routes it to an authenticated internal endpoint. CVE-2026-34910 is a command injection in the package-update service, where a caller-supplied `pkg_name` parameter is passed directly to `/bin/sh -c` without any input validation. Together, a single unauthenticated HTTP request achieves remote code execution as root.
Threat intelligence from PwnDefend and Defused confirms live exploitation observed from IP 176.65.148.183. The attack proceeds in four stages. Stage one sends the traversal-plus-injection request. Stage two drops a multi-architecture shell loader (`zok`) that tries wget, curl, and TFTP in turn to fetch payloads for MIPS, ARM, x86, and other architectures. Stage three runs a Mirai/Gafgyt-derived implant (`azsxd v2.0`) — a 67KB statically-linked ELF with per-string obfuscation and runtime-decoded C2 configuration. Stage four deletes the binary from disk while the process remains memory-resident, leaving a minimal forensic footprint.
The infection tag `unifi.exploit` in the dropped payload indicates this is one campaign within a larger multi-exploit botnet operation. C2 infrastructure at 185.228.26.16 is still active.
Affected products span the entire UniFi OS hardware line: UDM, UDM-Pro, UDM-SE, UDM-Pro-Max, UDR, UDR7, Express 7, UNVR, UCG-Ultra, UCG-Max, UCG-Fiber, UCK, UCK-Enterprise, and UniFi OS Server. Patches are available: most devices should update to UniFi OS version 5.1.12 or later; UniFi OS Server to 5.0.8 or later; UNAS products to 5.1.10 or later; UDM-Beast to 5.1.11 or later.
So what? This is not a theoretical chain. Organisations running any internet-exposed UniFi OS device on an unpatched version should assume active compromise. The Mirai loader's multi-architecture spray and anti-forensics (deleted binaries, TFTP fallback) mean traditional file-based detection will miss infections. Check for running processes backed by deleted executables, monitor for the distinctive URI pattern `/api/auth/validate-sso/..%2f` in web logs, and block egress on UDP port 69. Patch immediately — the three-day BOD deadline is unusual and reflects the severity. Any UniFi OS instance that was internet-exposed before patching should be treated as a compromise candidate, not just a vulnerability.
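As an added defensive example (not from the article or the sources it cites), a log-triage script for the web-log check above: it flags the published URI pattern and, more broadly, any request whose path resolves to a `..` segment after repeated percent-decoding, so encoding variants of the same bypass do not slip past a literal string match. The log lines are constructed, and the endpoint name after the traversal is a placeholder because the article does not name the internal endpoint.

```python
import re
from urllib.parse import unquote

# Constructed sample nginx access-log lines, not real captures; the segment after the
# traversal is a placeholder because the article does not name the internal endpoint.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Jun/2026:10:01:02 +0000] "GET /api/auth/validate-sso/..%2fexample-internal-endpoint HTTP/1.1" 200 123
10.0.0.9 - - [24/Jun/2026:10:01:05 +0000] "GET /api/auth/validate-sso/%252e%252e%252fexample-internal-endpoint HTTP/1.1" 200 123
10.0.0.7 - - [24/Jun/2026:10:01:09 +0000] "GET /manage/account/login HTTP/1.1" 200 4521
10.0.0.8 - - [24/Jun/2026:10:02:11 +0000] "POST /api/auth/login HTTP/1.1" 401 77
"""
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')
KNOWN_INDICATOR = "/api/auth/validate-sso/..%2f"  # URI pattern quoted in the article


def decode_fully(path, max_rounds=3):
    """Percent-decode until the string stops changing, so a double-encoded
    sequence such as %252e%252e%252f collapses to '../' as the backend would see it."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def classify_request(path):
    """The published URI gives 'known-exploit-pattern'; any other path that normalises
    to a '..' segment after decoding (i.e. nginx matched it before the backend decoded
    it) gives 'traversal-after-decode'; benign paths give None."""
    if path.lower().startswith(KNOWN_INDICATOR):
        return "known-exploit-pattern"
    if ".." in decode_fully(path).split("?", 1)[0].split("/"):
        return "traversal-after-decode"
    return None


def scan_log(text):
    """Return (client_ip, request_path, verdict) for every suspicious request line."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        verdict = classify_request(m.group("path")) if m else None
        if verdict:
            hits.append((line.split()[0], m.group("path"), verdict))
    return hits
```

The deleted-executable check from the same paragraph can be run on the appliance itself with `ls -l /proc/[0-9]*/exe 2>/dev/null | grep '(deleted)'`, since `/proc/<pid>/exe` keeps pointing at the unlinked file for as long as the process stays memory-resident.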