Vulnerabilities and Affected Products
Ubiquiti has released security updates addressing seven critical vulnerabilities across multiple UniFi applications and the UniFi operating system. The flaws affect UniFi Connect, UniFi Talk, UniFi Access, UniFi Protect, and UniFi OS, with severity scores ranging from 9.0 to 10.0. The most severe vulnerability, CVE-2026-50746 with a CVSS score of 10.0, involves improper access control in the UniFi Connect Application that could allow command injection.
Other critical issues include authenticated SQL injection vulnerabilities in UniFi Talk (CVE-2026-50747), command injection flaws in UniFi Access (CVE-2026-50748), and a Server-Side Request Forgery vulnerability in UniFi Protect (CVE-2026-55115). The UniFi OS itself contains two critical flaws: a command injection vulnerability (CVE-2026-54402) and an improper access control issue (CVE-2026-55116) that could allow unauthorized device changes.
Remediation and Broader Context
Ubiquiti has released fixed versions for all affected products, and users are strongly advised to update immediately. While there is no evidence these specific flaws have been exploited in the wild, the company notes that three other UniFi OS vulnerabilities were recently flagged by CISA as being actively weaponized by attackers. Additionally, Russian state-sponsored threat actors have previously targeted compromised Ubiquiti Edge OS routers as part of a botnet operation.
Source: The Hacker News

