- Ubiquiti released emergency patches for seven critical vulnerabilities across its UniFi product line, with CVSS scores ranging from 9.0 to 10.0.
- The flaws affect UniFi Connect, Talk, Access, Protect, and OS, potentially enabling privilege escalation and arbitrary command execution by attackers on the network.
- Three separate UniFi OS vulnerabilities were previously weaponized in real-world attacks, as flagged by the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
Ubiquiti has shipped critical security updates to patch seven vulnerabilities across its UniFi Connect, UniFi Talk, UniFi Access, UniFi Protect, and UniFi OS platforms, according to a security advisory released on July 8, 2026. The most severe flaw, CVE-2026-50746, carries a CVSS score of 10.0 and allows an attacker with network access to execute command injection on the UniFi Connect Application host device.
Meanwhile, a series of authenticated SQL injection vulnerabilities in UniFi Talk (CVE-2026-50747) and improper input validation in UniFi Access (CVE-2026-50748) each earned a 9.9 CVSS score, enabling privilege escalation and command execution, respectively. Two additional flaws in UniFi OS (CVE-2026-54402 and CVE-2026-55116) could also lead to command injection or unauthorized device changes, with versions 5.1.15 and earlier affected.
While there is no evidence these specific flaws have been exploited in the wild, a set of three earlier UniFi OS vulnerabilities was flagged by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) as having been weaponized in real-world attacks last month. Russian state-sponsored threat actors have also been observed enlisting compromised Ubiquiti Edge OS routers into a botnet dubbed MooBot, which was disrupted in a law enforcement operation in February 2024.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
