Back to Articles
critical

CRITICAL: Ubiquiti Ships Emergency UniFi Fixes for CVSS 10.0 Unauthenticated Command Injection

Ubiquiti disclosed 25 vulnerabilities across the UniFi ecosystem on July 8, 2026, including seven critical flaws. The worst, CVE-2026-50746, is a CVSS 10.0 unauthenticated command injection in UniFi Connect that lets any network-adjacent attacker run commands as the host. With roughly 100,000 UniFi OS endpoints exposed to the internet, patching to the fixed releases is urgent.

By Danny Mercer, CISSP — Lead Security Analyst Jul 9, 2026
Is your business exposed? Our McKinney-based security team can assess your risk for free.
Share:

If your network closet has a row of sleek white Ubiquiti access points and a Dream Machine humming away in the corner, clear your afternoon. On July 8, 2026, Ubiquiti disclosed a batch of 25 vulnerabilities across the UniFi ecosystem, and seven of them land squarely in critical territory. One of them earns the single number nobody ever wants to see printed on a CVSS report. A perfect 10.0. If you needed a reason to log into your controller today instead of tomorrow, this is it.

The headline flaw is CVE-2026-50746, an improper access control weakness in the UniFi Connect Application that opens the door to command injection on the host device. The reason it maxes out the severity scale comes down to the ugly combination of attributes packed into its vector string, which reads CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H. Translated out of security shorthand, that means the vulnerability is reachable over the network, requires no authentication whatsoever, needs no user interaction, and carries low attack complexity, all while breaking out of its own security scope to fully compromise confidentiality, integrity, and availability. In plain English, anyone who can reach the service can run commands as the box with no login required, and the damage does not stay politely contained inside the application. It spills into the underlying system. Ubiquiti fixed it in UniFi Connect version 3.4.20, so if you are still running 3.4.16 or anything older, you are the target audience for this article.

The 10.0 grabs the attention, but the supporting cast is nearly as nasty and easy to overlook once your eyes glaze past the top of the advisory. UniFi Talk carries CVE-2026-50747, a SQL injection scoring 9.9 that a low privileged authenticated user on the network can leverage to climb toward full system control, patched in version 5.2.2. UniFi Access has two entries worth your time, the first being CVE-2026-50748, another command injection rated 9.9, and the second being CVE-2026-54400, an access control flaw at 9.1, both resolved in version 4.2.29. UniFi Protect contributes CVE-2026-55115, a server side request forgery scoring 9.9 that an attacker with a foothold on the network and low privileges can use to pivot and escalate on the host, fixed in version 7.1.83.

Then there is UniFi OS itself, the foundation everything else runs on, which is exactly why its two critical issues deserve the most respect. CVE-2026-54402 is an improper input validation bug rated 9.9 that allows command injection directly on the host device, and it travels alongside CVE-2026-54400's cousin in spirit, CVE-2026-55116, an access control weakness scoring 9.0. Both were addressed in UniFi OS version 5.1.19, and anyone sitting on 5.1.15 or earlier is running the vulnerable code. The unifying theme across all seven, the thing that should make you sit up straight, is that every one of them lets an attacker with access to the network achieve either privilege escalation or arbitrary command execution on the host. These are not information leaks or denial of service annoyances. These are the kind of flaws that end with somebody else owning your infrastructure.

Now for the question everyone asks first, which is whether this is already being exploited. At the time of disclosure there was no evidence that any of these specific flaws had been weaponized in the wild, and no functional public proof of concept for CVE-2026-50746 had surfaced. CISA data showed no observed exploitation at review time. That is the good news, and it is the kind of good news with a short shelf life. History here is not reassuring. Previous UniFi OS vulnerabilities have been picked up and weaponized by state sponsored actors, which tells you these devices sit firmly on the radar of people who do this for a living. When a vendor drops a CVSS 10.0 that requires no authentication and low complexity, reverse engineering the patch to build a working exploit is not a research project. It is a weekend. The window between disclosure and exploitation on bugs like this one has a habit of measuring in days.

The scale of exposure is what turns this from a routine patch cycle into something that keeps analysts awake. Threat intelligence firm Censys counted roughly 100,000 UniFi OS endpoints reachable directly from the public internet at the time of disclosure. That is a hundred thousand potential front doors, many of them belonging to small businesses, home labs, remote offices, and managed environments where the controller was stood up once and never thought about again. Ubiquiti gear is popular precisely because it is affordable, capable, and easy to deploy, which also means a large share of it lives in environments without a dedicated security team watching the patch feed. The uncomfortable truth is that a meaningful fraction of those 100,000 boxes will still be unpatched a month from now, and attackers know it.

So what do you actually do about it, beyond the obvious instinct to panic quietly. The first and non-negotiable step is to update every affected product to the fixed release. That means UniFi Connect at 3.4.20 or later, UniFi Talk at 5.2.2, UniFi Access at 4.2.29, UniFi Protect at 7.1.83, and UniFi OS at 5.1.19. If you manage a fleet, do not assume the auto update toggle has your back, because plenty of deployments have that feature disabled or pointed at a channel that lags behind. Verify the running version on each device by hand. Beyond patching, the single highest value hardening move is to get these management interfaces off the public internet entirely. There is almost never a legitimate reason for a UniFi controller or OS console to be directly reachable from the open web, so restrict access to a dedicated administrative network or a VPN, and tighten the firewall rules that govern who can even reach the management endpoints. For detection, watch for the tell that command injection always leaves behind, which is unexpected child processes, shells, or scripting interpreters spawning from application contexts that have no business launching them. If your Ubiquiti gear suddenly starts running a shell, that is not a feature.

There is a broader lesson tucked inside this disclosure that goes beyond Ubiquiti. Network infrastructure is quietly becoming one of the most attractive real estate markets in cybercrime. Routers, firewalls, controllers, and edge appliances sit in a privileged position, they rarely run endpoint detection, they are frequently forgotten after deployment, and compromising one gives an attacker a durable perch with a commanding view of everything downstream. The steady drumbeat of critical flaws in Ivanti, Fortinet, Cisco, Palo Alto, and now Ubiquiti is not a coincidence. It is the market responding to demand. If your security program still treats the network gear as furniture rather than as software that needs the same patch discipline as your servers, this is your reminder to fix that assumption.

For managed service providers, this disclosure is an unusually clean opportunity to demonstrate value while the news is fresh. A fleet of UniFi endpoints across a client base is exactly the sort of thing that justifies a proactive patch management retainer, and a same day advisory email that names the CVEs and confirms your clients are already covered turns a scary headline into a trust building moment. There is also a straightforward upsell here in external attack surface monitoring, because any client whose UniFi console is currently answering on the public internet is a client who did not know that until you told them, and showing up with that finding before an attacker does is the kind of thing that renews contracts and closes new ones.

References

Concerned about this threat?

Our security team can assess your exposure and recommend immediate actions.

Get a Free Assessment →