KOM CLOUDSERVICE
All Insights

That UniFi Gear in Your Office Closet Is Being Hacked Right Now

CISA confirms attackers are exploiting three max-severity Ubiquiti UniFi flaws. If you run this gear, here's what to do today.

CISA just confirmed that attackers are actively exploiting three serious flaws in Ubiquiti UniFi gear, the kind of networking equipment that sits in the closet at thousands of small offices. If you’ve got UniFi, this one is for you.

This week in brief

Police took down two major malware networks. In a coordinated action called Operation Endgame, Microsoft, Europol, and partners knocked out infrastructure behind the Amadey and StealC malware: 326 servers, 142 domains, and roughly 27 million stolen credentials recovered, per Bleeping Computer. These tools are the front door for ransomware. This is good news, but it’s a dent, not a knockout.

A Cisco phone system flaw is now being attacked. A critical bug in Cisco Unified Communications Manager (CVE-2026-20230) is being exploited after researchers published a proof-of-concept showing a path to root access, The Hacker News reports. If your phone system runs on Cisco Unified CM, patch it.

Service desks are still getting played. The same social engineering that hit M&S, Co-op, and Carnival keeps working. Attackers call pretending to be an employee and talk someone into resetting a password. Bleeping Computer’s breakdown is a good reminder that the human at the help desk is often easier to crack than the firewall.

The one that matters: your UniFi gear

A lot of small businesses run Ubiquiti UniFi. It’s popular for good reason: solid hardware, clean interface, fair price. Plenty of offices have a UniFi gateway, a few access points, maybe a network video recorder, all managed through one dashboard. That dashboard is the problem this week.

CISA added three UniFi OS vulnerabilities to its Known Exploited Vulnerabilities catalog, which is government-speak for “we have confirmed criminals are using these in real attacks.” All three are rated maximum severity. Here’s what each one does, in plain terms:

  • CVE-2026-34908 lets an attacker who isn’t logged in make changes to your UniFi system. No password needed.
  • CVE-2026-34909 lets them read sensitive files off the device: configuration files, credentials, the stuff that hands them the keys.
  • CVE-2026-34910 lets them run their own commands on the device, which means full takeover.

On their own, each is bad. The real trouble is that researchers at Bishop Fox showed these three can be chained together (used one after another) to get complete remote control of a vulnerable UniFi device with elevated privileges. An attacker who pulls this off owns the box that runs your entire office network. From there they can watch traffic, pivot to your computers, and set up shop for a ransomware crew.

This isn’t theoretical and it isn’t far off. Ubiquiti released fixes back in May and warned that the flaws could be exploited remotely with no login required. CISA’s update this week confirms attackers caught on. The gap between “patch available” and “actively exploited” is exactly where small businesses get burned. The fix has been sitting there for over a month, and a lot of offices have never logged into their UniFi controller since the day it was installed.

Why should you care more than usual? Because network gear is the one thing nobody checks. Everyone knows to update Windows. Almost nobody thinks about the firmware on the device in the closet. Attackers know that. A compromised gateway gives them a foothold that your antivirus on the laptops will never see, because the attacker is sitting beneath all of it.

Good news: this is fixable in under an hour, and Bishop Fox even published a free script on GitHub to check whether your devices are vulnerable. Keeping network gear patched and monitored is part of what we handle for clients on managed IT, so a flaw like this gets caught and closed before it becomes a headline.

What to do right now

  • Log into your UniFi controller and update everything. Apply the May firmware updates to your gateway, access points, and any UniFi OS devices. If you’re current, you’re protected against these three flaws.
  • Don’t expose your UniFi controller to the internet. If you can reach the management interface from outside your office, so can an attacker. Lock remote access behind a VPN or shut it off entirely.
  • Patch your Cisco phone system if you run Unified CM. CVE-2026-20230 is being actively exploited.
  • Set a rule with your help desk and IT provider: no password or MFA resets over the phone without verifying identity through a second channel. This is how M&S and Carnival got hit.
  • Make a list of every piece of network gear you own (routers, firewalls, NVRs, access points) and a plan for who checks them for updates. If the answer is “nobody,” that’s the gap.

If you’re running UniFi or any other network gear and you have no idea whether it’s been updated since the day it was plugged in, that’s exactly the kind of blind spot managed IT support closes for small businesses. Book a free 15-minute consult and we’ll tell you where you stand.

Talk to the person who'll actually run your IT.

Book a free 15-minute consult. No sales pitch from a stranger, just a straight conversation about what your business needs.

Book your free consult

Or call (732) 701-7012

Monthly agreements, not multi-year lock-ins  ·  No call centers, ever