Ubiquiti has released security updates for seven critical vulnerabilities spanning nearly its entire UniFi ecosystem — UniFi Connect, UniFi Talk, UniFi Access, UniFi Protect, and UniFi OS itself. At the top of the list sits CVE-2026-50746, a maximum-severity CVSS 10.0 improper access control flaw in the UniFi Connect Application that a malicious actor with network access can exploit to execute command injection on the host device.
The affected versions of UniFi Connect run 3.4.16 and earlier; the fix landed in version 3.4.20. Ubiquiti has not confirmed whether any of the seven flaws were exploited in the wild before patching — but it did note that six of the seven can be exploited in low-complexity attacks that require no user interaction. That combination — trivial to exploit, no click needed, root-level consequences — is exactly the profile that ransomware affiliates and initial access brokers scan for the moment an advisory drops.
What CVE-2026-50746 Actually Touches
UniFi Connect is not a home hobbyist product. It is the management suite Ubiquiti sells for commercial building operations — the single pane of glass that automates smart LED lighting systems, digital signage, and electric vehicle chargers across an enterprise campus. An attacker who achieves command injection on the UniFi Connect host doesn’t just own a network appliance; they own the controller that touches physical infrastructure.
The vulnerability is classified as improper access control, meaning the application fails to properly gate who can reach the vulnerable functionality in the first place. From a position on the network — a compromised workstation, a rogue device on a poorly segmented VLAN, a guest network that was never properly isolated — an attacker can reach the Connect application and inject arbitrary commands on the underlying host.
That host, in most deployments, is a UniFi console or gateway sitting at a privileged position in the network: it sees management traffic, holds credentials for adopted devices, and frequently bridges IT and OT segments that were supposed to stay separated.
The Other Six
The remaining critical fixes cover an unusually wide swath of the product line:
- CVE-2026-50747 and CVE-2026-50748 — additional critical flaws in the UniFi application stack
- CVE-2026-54400 and CVE-2026-54402 — affecting UniFi Talk (VoIP) and UniFi Access (physical door control)
- CVE-2026-55115 and CVE-2026-55116 — impacting UniFi OS Server and a broad range of Ubiquiti routers, gateways, NAS devices, and surveillance systems
The pattern is worth pausing on. UniFi Talk handles phones. UniFi Access handles door locks and badge readers. UniFi Protect handles security cameras. These are privilege escalation and arbitrary command execution bugs in the systems that control who gets into a building and what gets recorded while they’re there. A full compromise chain across these applications hands an attacker not just data, but physical-world control: unlock the doors, blind the cameras, kill the phones.
100,000 Reasons to Care
Threat intelligence firm Censys currently tracks more than 100,000 UniFi OS instances exposed to the internet, with nearly 50,000 of those IP addresses in the United States. Every one of those exposed consoles is now a mapped, fingerprintable target running software with a published perfect-score vulnerability.
The exploitation math here is well established. Network edge devices and management controllers have been the defining initial access vector of the past eighteen months — a trend we have documented extensively in our coverage of the FortiBleed campaign that compromised 430,000 Fortinet firewalls and 110 million credentials. The playbook is always the same: an advisory publishes, proof-of-concept code follows within days, and mass scanning begins within hours of that. Devices that sit unpatched for a week become statistics.
CVE-2026-50746 technically requires “network access” rather than being remotely exploitable from the open internet by default — but that qualifier does far less work than administrators like to believe. Exposed UniFi OS consoles, flat networks, VPN access purchased from initial access brokers, and compromised endpoints all constitute “network access.” The 100,000 internet-facing instances Censys sees are the worst-case population, and history says a meaningful fraction of them will still be unpatched months from now.
The Building-Automation Blind Spot
The deeper issue this advisory exposes is that building automation has quietly become part of the enterprise attack surface, and almost nobody staffs it that way.
UniFi Connect deployments live in a governance gap. The facilities team owns the lighting and the EV chargers. The IT team owns the network. The security team often doesn’t know the system exists until an assessment finds it. Nobody owns patching it, which means in practice nobody patches it — controllers get deployed during a building fit-out and run untouched for years.
Ubiquiti’s positioning makes this worse in one specific way: the company’s price point and ease of deployment mean UniFi gear is everywhere in the mid-market — schools, clinics, law firms, municipal offices, small manufacturers — precisely the organizations least likely to have a vulnerability management program that covers network appliances, let alone the app controlling the parking-lot EV chargers.
What To Do Now
The remediation list is short and non-negotiable:
- Update UniFi Connect to 3.4.20 or later immediately. This is the CVSS 10.0 fix.
- Apply the full UniFi OS, Talk, Access, and Protect updates — six of these flaws are low-complexity, zero-interaction exploits.
- Get management interfaces off the internet. If your UniFi console is one of the 100,000 Censys can see, exposure is a standing invitation regardless of patch level.
- Segment building automation from corporate IT. The lighting controller should never be reachable from the guest Wi-Fi, and the corporate domain should not trust anything the Connect host says.
- Check logs for anomalous access to UniFi applications going back several weeks. “No confirmed in-the-wild exploitation” is a statement about what Ubiquiti knows, not about what happened.
Ubiquiti deserves some credit for shipping coordinated fixes across the whole product family rather than dribbling them out. But a CVSS 10.0 in a building-operations controller, sitting alongside critical flaws in door access and camera systems, is a reminder of where the perimeter actually is now. It is not the firewall. It is every management plane your organization forgot it deployed.
Sources
- BleepingComputer — Ubiquiti warns of new max severity UniFi OS vulnerability
- The Hacker News — Ubiquiti Patches Critical UniFi Flaws Across Connect, Talk, Access, Protect, and OS
- Security Affairs — Ubiquiti Patches Critical UniFi OS Flaws Allowing Command Injection and Privilege Escalation
- SOCRadar — Ubiquiti Fixes CVE-2026-50746 in UniFi Connect



