VYPR
Published Jun 23, 2026 · Updated Jun 27, 2026 · 1 source

Ubiquiti: 2 Actively-Exploited Flaws Added to CISA KEV


Key findings

  • CISA added two actively exploited Ubiquiti Inc vulnerabilities to the KEV catalog on June 23, 2026.
  • CVE-2026-34908 and CVE-2026-34909 are confirmed under active in-the-wild exploitation.
  • Neither vulnerability is currently associated with known ransomware campaigns.
  • Federal agencies face mandatory remediation deadlines under BOD 22-01.
  • All Ubiquiti users should patch immediately and audit devices for signs of compromise.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two Ubiquiti Inc vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog on June 23, 2026, confirming that both flaws are under active exploitation in the wild. The addition triggers mandatory remediation deadlines for federal civilian executive branch agencies and serves as an urgent signal for all organizations using Ubiquiti networking equipment to patch immediately.

The two newly cataloged vulnerabilities are **CVE-2026-34908 and CVE-2026-34909**. While CISA has not released granular technical details alongside the KEV entries, the agency's threshold for inclusion requires credible evidence of active exploitation — meaning attackers are already leveraging these flaws to compromise Ubiquiti devices in real-world environments. Neither vulnerability has been associated with ransomware campaigns at this time.

Ubiquiti's broad footprint across enterprise, small-business, and residential networking — spanning access points, routers, switches, and camera systems — makes any actively exploited vulnerability in its ecosystem a significant concern. Security teams managing UniFi or EdgeMAX deployments should treat these KEV additions as a high-priority patching event and assume that exploit code is circulating in the wild.

Under Binding Operational Directive (BOD) 22-01, federal agencies must remediate KEV-listed vulnerabilities within prescribed timeframes — typically 14 to 21 days depending on severity. CISA has not yet published the specific due dates for these two entries, but organizations should not wait. Immediate steps include inventorying all Ubiquiti devices, applying the latest firmware updates, reviewing administrative access controls, and monitoring for indicators of compromise on affected systems.
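One way to track the two entries against their remediation deadlines, as an added example that is not from CISA or Ubiquiti. It assumes the field names of CISA's KEV JSON feed (`cveID`, `dueDate`, `knownRansomwareCampaignUse`); the feed content, product names and due dates below are constructed placeholders.

```python
import json
from datetime import date

WATCHED = {"CVE-2026-34908", "CVE-2026-34909"}  # the two CVEs named in the article

# Constructed sample shaped like the KEV JSON feed. Product names, due dates
# and the third record are placeholders, not values taken from the catalog.
SAMPLE_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2026-34908", "vendorProject": "Ubiquiti", "product": "PLACEHOLDER",
     "dateAdded": "2026-06-23", "dueDate": "2026-07-14",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-34909", "vendorProject": "Ubiquiti", "product": "PLACEHOLDER",
     "dateAdded": "2026-06-23", "dueDate": "not-a-date",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-00000", "vendorProject": "ExampleVendor", "product": "PLACEHOLDER",
     "dateAdded": "2026-06-01", "dueDate": "2026-06-22",
     "knownRansomwareCampaignUse": "Known"},
]})


def triage(feed_json, watched, today):
    """Return (rows, missing): one row per watched CVE found in the feed, plus
    the watched CVE IDs the feed does not contain (stale or wrong feed)."""
    rows = []
    for entry in json.loads(feed_json).get("vulnerabilities", []):
        cve = str(entry.get("cveID", "")).upper()
        if cve not in watched:
            continue
        try:
            due = date.fromisoformat(entry.get("dueDate"))
            days_left = (due - today).days
        except (TypeError, ValueError):
            due, days_left = None, None  # unusable date: surface it, do not guess
        rows.append({
            "cve": cve, "due": due, "days_left": days_left,
            "overdue": days_left is not None and days_left < 0,
            "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
        })
    missing = sorted(watched - {r["cve"] for r in rows})
    # Rows without a usable due date sort first so they get reviewed by hand.
    rows.sort(key=lambda r: (r["days_left"] is not None, r["days_left"] or 0))
    return rows, missing


if __name__ == "__main__":
    rows, missing = triage(SAMPLE_FEED, WATCHED, date(2026, 6, 27))
    print(*rows, "not in feed: %s" % missing, sep="\n")
```

To run it against the live catalog, pass the downloaded feed text in place of `SAMPLE_FEED` and `date.today()` as `today`.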

Private-sector defenders should follow the same urgency. The KEV catalog exists precisely to cut through the noise of thousands of annual CVEs and spotlight the small fraction that attackers are actively weaponizing. These two Ubiquiti flaws now sit squarely in that category.

Synthesized by Vypr AI