Overview
Networking giant Ubiquiti has released urgent security updates addressing seven critical vulnerabilities in its UniFi OS ecosystem, including a maximum‑severity command injection flaw tracked as CVE‑2026‑50746. This vulnerability affects the UniFi Connect Application (v3.4.16 and earlier) — a platform used to automate and manage smart LED lighting, EV chargers, and building operations.

The Vulnerability Explained
Ubiquiti confirmed that a malicious actor with network access could exploit an Improper Access Control weakness to execute arbitrary commands on the host device.
Key details:
- CVE‑2026‑50746 — allows command injection via UniFi Connect Application.
- Affected versions: 3.4.16 and earlier.
- Patched version: 3.4.20 and later.
- Impact: remote code execution and potential device takeover.
Ubiquiti urges customers to update immediately to mitigate risk.
Additional Critical Flaws
Alongside CVE‑2026‑50746, Ubiquiti patched six other critical vulnerabilities across its UniFi Talk, UniFi Access, and UniFi Protect applications, as well as its UniFi OS Server and network hardware portfolio.
| CVE ID | Affected Component | Attack Complexity |
|---|---|---|
| CVE‑2026‑50747 | UniFi Talk | Low |
| CVE‑2026‑50748 | UniFi Access | Low |
| CVE‑2026‑54400 | UniFi Protect | Low |
| CVE‑2026‑54402 | UniFi OS Server | Low |
| CVE‑2026‑55115 | Routers / Gateways | Low |
| CVE‑2026‑55116 | NAS / Surveillance Systems | Low |
These flaws can be exploited in low‑complexity attacks without user interaction, making them particularly dangerous for internet‑exposed devices.
Exposure and Threat Landscape
Threat intelligence firm Censys has identified over 100,000 UniFi OS instances exposed online, with nearly 50,000 in the United States.
Ubiquiti devices have historically been a target for state‑sponsored groups and cybercrime botnets:
- 2024: FBI dismantled the Moobot botnet, which used Ubiquiti Edge OS routers for Russian GRU cyberespionage.
- 2022: CISA added a critical AirOS command injection flaw (CVE‑2010‑5330) to its actively exploited catalog.
- 2026: CISA warned of three max‑severity UniFi OS flaws being actively exploited and mandated patching within three days.
Security researchers at Bishop Fox later demonstrated that these vulnerabilities could be chained for remote code execution with elevated privileges, releasing a free detection script to help defenders identify vulnerable instances.
Recommended Actions
To protect against potential exploitation:
- Update UniFi Connect to v3.4.20+ — apply patches immediately.
- Restrict network access — limit management interfaces to trusted networks.
- Monitor for anomalous commands — review logs for unexpected executions.
- Use Censys or Bishop Fox tools — scan for exposed instances and validate patch status.
Expert in the Cloud Insight
The UniFi OS incident underscores how smart building automation and IoT systems are becoming prime targets for cyber attacks. Command injection flaws in connected infrastructure can cascade into physical security risks — from lighting control to EV charging stations.
For enterprises and facility operators, the lesson is clear: network segmentation, timely patching, and continuous monitoring must be standard practice for all IoT and automation deployments.
Leave a Reply