Patch your UniFi network gear now — flaws are under active attack

The US Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that three maximum-severity flaws in Ubiquiti’s UniFi OS are being exploited in the wild, as reported by BleepingComputer. The three bugs — CVE-2026-34908, CVE-2026-34909 and CVE-2026-34910 — can be chained together to take complete control of a device without needing a password. Ubiquiti shipped fixes back in May.

Here’s why this one matters more than most: UniFi is everywhere in Australian small business. Cafes, clubs, dental practices, accounting firms, strata offices and co-working spaces run it for guest Wi-Fi and the office network, usually because it’s affordable and looks tidy in the comms cupboard. The flaw itself is only half the problem. The pattern we see again and again in client environments is a UniFi controller left reachable from the internet, or guest Wi-Fi sitting on the same flat network as the EFTPOS terminal and the back-office PCs. Chain these three bugs on a network like that and an attacker is inside the whole business, not just one box.

Do two things this week. First, update UniFi OS and the UniFi Network application to the current version — the May release closes all three holes. Second, make sure your management console isn’t exposed to the internet, and confirm guest Wi-Fi is properly separated from your business systems. Bishop Fox has published a free script that checks whether a device is vulnerable.
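One way to confirm the second step from the inside, as an added example that is not from this post and is not the Bishop Fox script: run it on a laptop joined to the guest Wi-Fi and it reports every business-side service that still answers. The addresses are placeholders to replace with your own, and the port choices (443 and 8443 for the UniFi web interface, 22 for SSH, 445 and 3389 for Windows file sharing and remote desktop) are assumptions about what a typical office network runs.

```python
import socket

# Placeholder addresses (documentation range): replace with your own devices.
# Ports are assumptions: 443/8443 UniFi web UI, 22 SSH, 445 SMB, 3389 RDP.
TARGETS = {
    "UniFi console": ("192.0.2.1", [443, 8443, 22]),
    "Back-office PC": ("192.0.2.50", [445, 3389]),
}


def tcp_open(host, port, timeout=1.5):
    """Return True if a TCP connection to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Refused, filtered or timed out all count as "not reachable".
        return False


def isolation_failures(targets, probe=tcp_open):
    """List (label, host, port) for each service reachable from this machine.

    Run from a guest Wi-Fi client, every entry returned is a gap in the
    separation between the guest network and the business systems.
    """
    failures = []
    for label, (host, ports) in targets.items():
        for port in ports:
            if probe(host, port):
                failures.append((label, host, port))
    return failures


def report(failures):
    """Summarise the result as text for a change ticket or client report."""
    if not failures:
        return "PASS: no listed business service answered from this network"
    return "\n".join(
        f"FAIL: {label} {host}:{port} is reachable"
        for label, host, port in failures
    )


if __name__ == "__main__":
    print(report(isolation_failures(TARGETS)))
```

A PASS only covers the addresses and ports listed, and it says nothing about whether the device itself is patched.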

Not sure whether your gear is patched or your guest network is actually isolated? That’s exactly the sort of thing managed cybersecurity should be catching before an attacker does.
