The MSP Minute ⏱ Tuesday 26 May 2026
For Managed Service Providers worldwide. Today... three maximum-severity flaws in a network device... the Windows zero-day researcher banned... and when the marketing people have "smart ideas"
🔴 Ubiquiti just patched three maximum-severity flaws in UniFi OS… and MSPs are specifically named as at risk
If you manage UniFi devices for clients, this needs attention today.
On May 22, Ubiquiti released emergency patches for three CVSS 10.0 vulnerabilities in UniFi OS… the operating system powering Dream Machines, Cloud Gateways, and network appliances found extensively in MSP-managed environments. All three can be exploited remotely without authentication and without user interaction. (Source: BleepingComputer)
CVE-2026-34908 allows an unauthenticated attacker to make sweeping unauthorised changes to the entire system.
CVE-2026-34909 allows file traversal, letting an attacker read sensitive files and take over underlying accounts.
CVE-2026-34910 enables command injection once network access is established.
Two further critical flaws were patched at the same time.
Censys is tracking nearly 100,000 internet-exposed UniFi OS endpoints globally. No active exploitation has been confirmed yet. But Ubiquiti products have previously been targeted by both state-backed groups and ransomware operators to build botnets and proxy malicious traffic. The window between patch release and active exploitation is getting shorter every month.
🟡 GitHub banned Nightmare-Eclipse. They've moved to GitLab… and set a new deadline of July 14
Following on from our recent coverage, GitHub has terminated the Nightmare-Eclipse account that hosted all six unpatched Windows zero-day exploits. (Source: Cybernews)
The researcher has immediately moved to GitLab, reposted all six exploits, and issued a new warning. July 14 is now being flagged as a significant date, with hints at remote code execution vulnerabilities still in reserve. The “big surprise” previously threatened for June Patch Tuesday remains on the table.
Microsoft has not commented beyond acknowledging the individual CVEs as they’ve been disclosed. The exploits remain active, some are confirmed working on fully patched Windows 11 systems, and they are being used in real attacks linked to Russian-geolocated infrastructure.
June 10 is the next Patch Tuesday. What do you think is going to happen in the next couple of months?
🟢 Marketing had a brilliant idea. IT looked into it… and realised it had already been implemented
The Register’s On Call column last Friday featured a reader called Hamish, who worked at a British retailer. A senior member of the marketing team had a breakthrough insight: they should add Apple Pay to the company’s website. Management approved it enthusiastically and it landed on Hamish’s desk. (Source: The Register)
Spoiler alert… the website already had Apple Pay. And had done for months!!
Hamish had the satisfaction of closing a ticket for a feature he hadn’t needed to build.
That’s it for today. We’ll be back in your inbox tomorrow morning. Have a great day.


