Ubiquiti warns of new max severity UniFi OS vulnerability

Ubiquiti has issued security updates to address seven critical vulnerabilities affecting its UniFi OS, including a maximum-severity flaw that could allow for command injection attacks. The most severe issue, tracked as CVE-2026-50746, impacts the UniFi Connect Application, specifically versions 3.4.16 and earlier.
This vulnerability is described as an Improper Access Control flaw within the UniFi Connect Application. Ubiquiti states that a threat actor with network access could exploit this weakness to inject and execute commands on the host device. The UniFi Connect Application is used by customers to automate and manage commercial building operations, such as smart LED lighting and electric vehicle chargers, through a unified interface. Ubiquiti recommends updating the UniFi Connect app to version 3.4.20 or a later release to mitigate this risk.

In addition to the command injection vulnerability, Ubiquiti also patched six other critical security issues on the same day. These vulnerabilities, identified by CVE identifiers CVE-2026-50747, CVE-2026-50748, CVE-2026-54400, CVE-2026-54402, CVE-2026-55115, and CVE-2026-55116, affect a range of Ubiquiti products. They are present in the UniFi Talk, UniFi Access, and UniFi Protect applications, as well as in the UniFi OS Server itself, and extend to various Ubiquiti routers, gateways, Network Attached Storage (NAS) devices, and surveillance systems.
Ubiquiti has not yet confirmed whether any of these newly patched vulnerabilities have been exploited in real-world attacks. However, the company did note that six of these seven critical flaws can be exploited through attacks that require low complexity and do not necessitate user interaction.
Threat intelligence data indicates a significant number of UniFi OS instances are accessible online. Censys, a threat intelligence company, tracks over 100,000 such instances, with the majority, nearly 50,000 IP addresses, located in the United States. It is important to note that this data may include systems that are not actively exposed or are configured as honeypots, and it reflects historical scan results which might not accurately represent the current number of internet-exposed systems.
Ubiquiti devices have been a target for various threat actors in recent years, including state-sponsored groups and cybercrime organizations. These actors have previously compromised Ubiquiti products to create botnets used for concealing malicious activities, such as proxying traffic for cyberespionage operations. For example, in February 2024, law enforcement dismantled a botnet known as Moobot, which was reportedly used by Russia's GRU to proxy malicious traffic. In April 2022, a critical command injection flaw in Ubiquiti AirOS was added to the U.S. Cybersecurity and Infrastructure Security Agency's (CISA) catalog of actively exploited vulnerabilities. More recently, in June, CISA issued a warning about three maximum-severity UniFi OS flaws that were being actively exploited, mandating swift patching for government agencies.





