Ubiquiti Patches 7 Critical UniFi Flaws Enabling Remote Code Execution
Ubiquiti has rolled out security updates addressing seven critical vulnerabilities across its UniFi ecosystem, including UniFi Connect, UniFi Talk, UniFi Access, UniFi Protect, and UniFi OS. The flaws, assigned CVE-2026-50746 through CVE-2026-55116, carry CVSS scores ranging from 9.0 to a maximum 10.0, and allow attackers with network access to escalate privileges, execute arbitrary commands, or manipulate connected devices. The most severe issue, CVE-2026-50746, is an improper access control bug in UniFi Connect (versions 3.4.16 and earlier) that enables command injection on the host appliance, patched in version 3.4.20.
Several other vulnerabilities present equally serious risk. UniFi Talk versions 5.1.2 and earlier are exposed to authenticated SQL injection flaws (CVE-2026-50747), while UniFi Access versions 4.2.28 and earlier suffer from both an input validation defect enabling command injection (CVE-2026-50748) and an improper access control bug permitting privilege escalation (CVE-2026-54400). UniFi Protect versions 7.1.77 and earlier contain a Server-Side Request Forgery vulnerability (CVE-2026-55115) that allows low-privileged attackers to escalate on the host. UniFi OS versions 5.1.15 and earlier are also affected by two high-severity flaws, CVE-2026-54402 (command injection) and CVE-2026-55116 (unauthorized device changes), both remediated in version 5.1.19. Administrators should run a port scanner to verify exposure on UniFi management interfaces and confirm the patched firmware is deployed across all network appliances.
Although Ubiquiti states it has no evidence of in-the-wild exploitation for these specific CVEs, the broader threat landscape around Ubiquiti gear remains concerning. Last month, CISA flagged three UniFi OS vulnerabilities (CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910) as having been weaponized in real-world attacks. Separately, Russian state-sponsored threat actors have previously compromised Ubiquiti EdgeOS routers and conscripted them into the MooBot botnet, a proxy network dismantled in a February 2024 law enforcement operation. These repeated incidents underscore why Ubiquiti's networking equipment remains a high-value target for both criminal and state-aligned adversaries.
Network operators running UniFi deployments should prioritize immediate firmware updates and conduct a thorough SSL/TLS checker review of management consoles to confirm encrypted management channels are properly configured. Segmenting UniFi devices onto isolated VLANs, disabling unused administrative interfaces, and reviewing WHOIS lookup records for any suspicious external connections originating from the network can further reduce the attack surface. Given the elevated CVSS ratings and precedent of active exploitation against Ubiquiti products, delayed patching significantly increases the risk of full system compromise.