TL;DR
- what: Ubiquiti patched seven critical vulnerabilities across UniFi Connect, Talk, Access, Protect, and UniFi OS, including a CVSS 10.0 command injection in UniFi Connect (CVE-2026-50746).
- impact: Attackers with network access can execute arbitrary commands, escalate privileges, or make unauthorized device changes on the controllers that run an organization's network, door access, cameras, and VoIP.
- fix: Update to UniFi Connect 3.4.20, Talk 5.2.2, Access 4.2.29, Protect 7.1.83, and UniFi OS 5.1.19 or later.
- who: Any organization running UniFi consoles or self-hosted UniFi applications, especially SMBs and branch sites where UniFi handles both network and physical security.
Ubiquiti has released patches for seven critical vulnerabilities across five UniFi product lines: Connect, Talk, Access, Protect, and UniFi OS itself. The worst of the batch, CVE-2026-50746 in the UniFi Connect application, scores a perfect CVSS 10.0 and allows an attacker with network access to inject commands on the host device. Four more of the seven land at 9.9. If you run UniFi gear, this is not a routine update cycle. These are the applications that manage your switches and APs, your door controllers, your cameras, and your phones, and the flaws hand over command execution and privilege escalation on the consoles that run them.
The full vulnerability list
- CVE-2026-50746 (CVSS 10.0): Improper access control in UniFi Connect enabling command injection on the host. Affects 3.4.16 and earlier; fixed in 3.4.20.
- CVE-2026-50747 (CVSS 9.9): A series of authenticated SQL injection flaws in UniFi Talk enabling privilege escalation. Affects 5.1.2 and earlier; fixed in 5.2.2.
- CVE-2026-50748 (CVSS 9.9): Improper input validation in UniFi Access enabling command injection. Affects 4.2.28 and earlier; fixed in 4.2.29.
- CVE-2026-54400 (CVSS 9.1): Improper access control in UniFi Access enabling privilege escalation. Affects 4.2.28 and earlier; fixed in 4.2.29.
- CVE-2026-55115 (CVSS 9.9): SSRF in UniFi Protect exploitable by a low-privileged network attacker to escalate privileges. Affects 7.1.77 and earlier; fixed in 7.1.83.
- CVE-2026-54402 (CVSS 9.9): Improper input validation in UniFi OS enabling command injection on the host. Affects 5.1.15 and earlier; fixed in 5.1.19.
- CVE-2026-55116 (CVSS 9.0): Improper access control in UniFi OS allowing unauthorized changes to certain devices. Affects 5.1.15 and earlier; fixed in 5.1.19.
Why the blast radius is bigger than it looks
Every one of these flaws requires network access, which sounds like a mitigating factor until you consider where UniFi consoles actually sit. In most deployments they live on the management LAN or, worse, the same flat network as everything else. Any foothold on the LAN, whether a phished workstation, a compromised IoT device, or a contractor laptop, puts an attacker in exploitation range. The UniFi Protect SSRF (CVE-2026-55115) explicitly requires only low privileges, meaning a basic viewer account on your camera system is enough to start climbing toward root on the console.
The convergence problem makes it worse. UniFi Access controls physical doors. UniFi Protect runs surveillance cameras. UniFi Talk carries voice. A single compromised UniFi OS console (CVE-2026-54402 gives command injection on the host) can mean an attacker who can unlock doors, blind or review cameras, and pivot into network configuration from one box. That is why this carries a critical infrastructure tag: for thousands of small and mid-sized organizations, the UniFi console is the physical security system.
Patch targets at a glance — UniFi Connect 3.4.20, UniFi Talk 5.2.2, UniFi Access 4.2.29, UniFi Protect 7.1.83, UniFi OS 5.1.19. Cloud-managed consoles with auto-update enabled should pick these up on their own, but verify the installed version on every console rather than assuming. Self-hosted controllers need manual updates.
No exploitation yet, but the track record says move fast
Ubiquiti and third-party researchers have seen no in-the-wild exploitation of these seven flaws so far. Treat that as a patch window, not reassurance. Just last month, CISA flagged three separate UniFi OS vulnerabilities (CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910) as actively weaponized in real-world attacks. Attackers are demonstrably watching this product line and converting disclosures into working exploits quickly.
⚠️ Ubiquiti gear is a proven nation-state target — Russian state-sponsored actors previously conscripted compromised Ubiquiti EdgeOS routers into MooBot, a botnet used to proxy malicious traffic until a law enforcement takedown in February 2024. GRU-linked operators know this hardware, its default configurations, and its patch lag in the field. Expect exploit development against this new batch, particularly the CVSS 10.0 Connect flaw.
What to do now
- Inventory every UniFi console and self-hosted controller, including forgotten branch-office and closet deployments, and confirm each is on the fixed versions listed above.
- Isolate management interfaces. UniFi consoles should live on a dedicated management VLAN reachable only from admin jump hosts, never from the general LAN, guest networks, or the internet.
- Audit accounts on Talk, Access, and Protect. The Talk SQLi and Protect SSRF are reachable from authenticated or low-privileged positions, so stale viewer and installer accounts are now escalation paths. Remove them.
- Review console logs for anomalous command execution, unexpected privilege changes, or configuration edits predating the patch, especially if your consoles were exposed beyond the management network.
- If you still operate EdgeOS routers, confirm they are patched and were not part of prior MooBot-style compromises before assuming your UniFi environment is clean.
The bottom line
Seven critical CVEs in one release, a 10.0 at the top, and a vendor whose products have already been on CISA's exploited list this year and in a nation-state botnet before that. The pattern is clear even if the exploit for this batch has not surfaced yet. Patch every UniFi console this week, pull the management plane off the general network, and treat any UniFi device that was exposed and unpatched as worth a closer look rather than a shrug.
Originally published on RedEye Threat Intelligence.
Top comments (0)