CISA confirmed active exploitation of three UniFi OS vulnerabilities — code injection (CVE-2026-34908), path traversal (CVE-2026-34909), and improper access control (CVE-2026-34910) — and added all three to the KEV catalog on June 23, 2026. Patches are available via Ubiquiti Security Advisory Bulletin 064. U.S. federal agencies face a mandatory remediation deadline of July 23, 2026; all organizations should treat KEV listing as an immediate-action trigger given confirmed in-the-wild exploitation.