CVE-2026-34908 / CVE-2026-34909 / CVE-2026-34910 — Ubiquiti UniFi OS Server: pre-auth RCE chain, exploited (CISA KEV)
From CTI Weekly Summary — 2026-W26 (Jun 22 – Jun 28, 2026) · published 2026-06-29
Three max-severity (CVSS 10.0) flaws in UniFi OS Server — improper access control and path traversal that bypass authentication and reach an unauthenticated RCE endpoint — were patched and KEV-listed with confirmed exploitation. UniFi controllers are common in DACH SME, education and public-sector branch networks; the management plane is frequently exposed. Patch and audit controller-account integrity.