CRITICAL INFRASTRUCTURE

Ubiquiti Patches Seven Critical UniFi Flaws, Including a Perfect 10.0 Command Injection

Ubiquiti shipped fixes for seven critical vulnerabilities spanning UniFi Connect, Talk, Access, Protect, and UniFi OS, topped by a CVSS 10.0 command injection. With prior UniFi OS bugs already on CISA's exploited list and Ubiquiti gear a proven botnet target, patching should not wait for the next maintenance window.

Matt Lucas  |  July 10, 2026  |  5 min
Ubiquiti Patches Seven Critical UniFi Flaws, Including a Perfect 10.0 Command Injection — editorial hero illustration
10.0
Max CVSS score (CVE-2026-50746)
7
Critical CVEs patched
5
UniFi product lines affected
3
Prior UniFi OS CVEs on CISA KEV
Detected by CaverLive detection for CVE-2026-55116 in the RedEye Intel Feed →
TL;DR
  • What: Ubiquiti patched seven critical vulnerabilities across UniFi Connect, Talk, Access, Protect, and UniFi OS, including a CVSS 10.0 command injection in UniFi Connect (CVE-2026-50746).
  • Impact: Attackers with network access can execute arbitrary commands, escalate privileges, or make unauthorized device changes on the controllers that run an organization's network, door access, cameras, and VoIP.
  • Fix / mitigation: Update to UniFi Connect 3.4.20, Talk 5.2.2, Access 4.2.29, Protect 7.1.83, and UniFi OS 5.1.19 or later.
  • Who's at risk: Any organization running UniFi consoles or self-hosted UniFi applications, especially SMBs and branch sites where UniFi handles both network and physical security.

Ubiquiti has released patches for seven critical vulnerabilities across five UniFi product lines: Connect, Talk, Access, Protect, and UniFi OS itself. The worst of the batch, CVE-2026-50746 in the UniFi Connect application, scores a perfect CVSS 10.0 and allows an attacker with network access to inject commands on the host device. Four more of the seven land at 9.9. If you run UniFi gear, this is not a routine update cycle. These are the applications that manage your switches and APs, your door controllers, your cameras, and your phones, and the flaws hand over command execution and privilege escalation on the consoles that run them.

The full vulnerability list

Why the blast radius is bigger than it looks

Every one of these flaws requires network access, which sounds like a mitigating factor until you consider where UniFi consoles actually sit. In most deployments they live on the management LAN or, worse, the same flat network as everything else. Any foothold on the LAN, whether a phished workstation, a compromised IoT device, or a contractor laptop, puts an attacker in exploitation range. The UniFi Protect SSRF (CVE-2026-55115) explicitly requires only low privileges, meaning a basic viewer account on your camera system is enough to start climbing toward root on the console.

The convergence problem makes it worse. UniFi Access controls physical doors. UniFi Protect runs surveillance cameras. UniFi Talk carries voice. A single compromised UniFi OS console (CVE-2026-54402 gives command injection on the host) can mean an attacker who can unlock doors, blind or review cameras, and pivot into network configuration from one box. That is why this carries a critical infrastructure tag: for thousands of small and mid-sized organizations, the UniFi console is the physical security system.

Patch targets at a glance

UniFi Connect 3.4.20, UniFi Talk 5.2.2, UniFi Access 4.2.29, UniFi Protect 7.1.83, UniFi OS 5.1.19. Cloud-managed consoles with auto-update enabled should pick these up on their own, but verify the installed version on every console rather than assuming. Self-hosted controllers need manual updates.

No exploitation yet, but the track record says move fast

Ubiquiti and third-party researchers have seen no in-the-wild exploitation of these seven flaws so far. Treat that as a patch window, not reassurance. Just last month, CISA flagged three separate UniFi OS vulnerabilities (CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910) as actively weaponized in real-world attacks. Attackers are demonstrably watching this product line and converting disclosures into working exploits quickly.

Ubiquiti gear is a proven nation-state target

Russian state-sponsored actors previously conscripted compromised Ubiquiti EdgeOS routers into MooBot, a botnet used to proxy malicious traffic until a law enforcement takedown in February 2024. GRU-linked operators know this hardware, its default configurations, and its patch lag in the field. Expect exploit development against this new batch, particularly the CVSS 10.0 Connect flaw.

What to do now

The bottom line

Seven critical CVEs in one release, a 10.0 at the top, and a vendor whose products have already been on CISA's exploited list this year and in a nation-state botnet before that. The pattern is clear even if the exploit for this batch has not surfaced yet. Patch every UniFi console this week, pull the management plane off the general network, and treat any UniFi device that was exposed and unpatched as worth a closer look rather than a shrug.

Questions about your exposure?

RedEye Security provides assessments for organizations that need to understand their real risk.

Talk to us