DEV Community

Diego Diaz
Diego Diaz

Posted on • Originally published at sable.somoswilab.com

Ubiquiti UniFi Critical Flaws Exposed: CVE-2026-50746 and Companion Vulnerabilities

What Happened

Ubiquiti disclosed a series of high‑severity vulnerabilities across its UniFi product line on July 8, 2026. The most dangerous, CVE‑2026‑50746, received a CVSS 10.0 rating – the highest possible score – because it can be exploited remotely without authentication, using an Improper Access Control flaw in the UniFi Connect application. An attacker who can reach the management interface can inject arbitrary operating‑system commands and take complete control of the host.

In addition to CVE‑2026‑50746, Ubiquiti patched six other critical issues: CVE‑2026‑50747 (SQL injection in UniFi Talk), CVE‑2026‑50748 (command injection in UniFi Access), CVE‑2026‑54400 (privilege escalation in UniFi Access), CVE‑2026‑54402 (command injection in UniFi OS), CVE‑2026‑55115 (SSRF in UniFi Protect) and CVE‑2026‑55116 (unauthorized changes in UniFi OS). All were fixed in the same security release.12

Technical Details

The CVE‑2026‑50746 vulnerability resides in UniFi Connect versions 3.4.16 and earlier. The component fails to verify the caller’s privileges before passing a crafted request to a system‑level command interpreter. As a result, a network‑adjacent attacker can send a specially‑crafted HTTP request that triggers command execution on the underlying Linux host. Because UniFi Connect often runs with root privileges to manage device provisioning, the impact is full system compromise.

Other flaws follow a similar pattern of insufficient input validation. CVE‑2026‑50747 is an authenticated SQL injection that allows an attacker with low‑privilege network access to escalate to admin on UniFi Talk. CVE‑2026‑50748 and CVE‑2026‑54402 are both command‑injection bugs in UniFi Access and UniFi OS respectively, reachable via malformed REST calls. CVE‑2026‑55115 is a server‑side request forgery (SSRF) in UniFi Protect that lets a low‑privileged attacker trick the backend into contacting internal services, leading to privilege escalation. CVE‑2026‑55116 is an access‑control weakness that permits unauthorized configuration changes in UniFi OS.

Impact

Threat intelligence firms estimate that over 100 000 UniFi OS instances are exposed to the public internet (TechTimes). If any of these devices run vulnerable versions, they become prime recruitment targets for botnets – similar to the “MooBot” botnet that leveraged compromised Ubiquiti EdgeOS routers in 2024. Successful exploitation grants attackers arbitrary code execution, enabling data exfiltration, lateral movement, or the deployment of ransomware. The CVE‑2026‑50746 flaw alone is powerful enough for nation‑state actors to gain footholds in critical infrastructure that relies on UniFi for building automation, lighting, or EV‑charging management.

Mitigation

Ubiquiti’s advisory urges immediate updates:

  • Upgrade UniFi Connect to version 3.4.20 or later.

  • Upgrade UniFi Talk to 5.2.2, UniFi Access to 4.2.29, UniFi OS Server to 5.1.19, and UniFi Protect to 7.1.83.

  • Verify that all UniFi devices are no longer reachable from the public internet unless explicitly required. Use firewall rules or VPNs to restrict management traffic.

  • Run vulnerability scans (e.g., using Censys or Shodan) to identify any lingering vulnerable instances.

  • Monitor logs for unexpected command‑execution patterns or outbound requests indicating SSRF attempts.

Organizations should also apply the same hardening steps they use for other network‑exposed management consoles: enforce strong authentication, enable multi‑factor authentication, and segment management networks.

For additional guidance, see Ubiquiti’s official security bulletin and the detailed analysis from BleepingComputer (source).

Top comments (0)