Ubiquiti Patches Seven Critical UniFi OS Vulnerabilities, Including Command Injection Flaw
Ubiquiti has released urgent security updates for its UniFi OS, addressing seven critical vulnerabilities. Among these is a maximum-severity command injection flaw, **CVE-2026-50746**, which could allow malicious actors with network access to execute arbitrary commands on host devices. IT security professionals and privacy-conscious users are strongly advised to update their systems immediately.
Networking hardware giant **Ubiquiti** has issued critical security updates to patch a total of seven vulnerabilities within its **UniFi OS** ecosystem. These flaws, several of which are rated critical, pose significant risks, including the potential for remote code execution and command injection attacks.
### Maximum-Severity Command Injection in UniFi Connect
The most severe of the patched vulnerabilities is **CVE-2026-50746**, a maximum-severity flaw affecting **UniFi Connect Application** versions 3.4.16 and earlier. This application is crucial for managing commercial building operations, from smart LED lighting to electric vehicle chargers.
Ubiquiti's advisory highlights that "A malicious actor with access to the network could exploit an Improper Access Control vulnerability found in UniFi Connect Application to execute a Command Injection on the host device."
Users are strongly urged to update their UniFi Connect app to version 3.4.20 or later to mitigate this risk.
### Broader Impact Across UniFi Ecosystem
Beyond UniFi Connect, Ubiquiti addressed six additional critical-severity issues on Thursday. These vulnerabilities (**CVE-2026-50747**, **CVE-2026-50748**, **CVE-2026-54400**, **CVE-2026-54402**, **CVE-2026-55115**, **CVE-2026-55116**) impact a wide array of Ubiquiti products. Affected applications include **UniFi Talk**, **UniFi Access**, and **UniFi Protect**, as well as the **UniFi OS Server**, and various Ubiquiti routers, gateways, network-attached storage (NAS) devices, and surveillance systems.
Notably, six of these vulnerabilities can be exploited with low complexity and do not require user interaction, increasing their potential for widespread abuse. Ubiquiti has not yet confirmed whether any of these flaws have been exploited in the wild.
### Internet-Exposed UniFi Instances and Historical Exploitation
According to threat intelligence company **Censys**, over 100,000 **UniFi OS** instances are currently exposed online, with nearly 50,000 of these located in the United States. While Censys data includes historical scans and may not perfectly reflect current exposures, it underscores the vast attack surface these vulnerabilities present.

This isn't the first time Ubiquiti products have been targeted by sophisticated threat actors. State-sponsored groups and cybercrime organizations frequently exploit these devices to build botnets, leveraging them to mask malicious activities.
Recent examples include:
* **February 2024**: The **FBI** disrupted **Moobot**, a botnet composed of **Ubiquiti Edge OS** routers, which was used by Russia's **Main Intelligence Directorate of the General Staff (GRU)** to proxy cyberespionage traffic.
* **April 2022**: The **U.S. Cybersecurity and Infrastructure Security Agency (CISA)** added **CVE-2010-5330**, a critical command injection flaw in **Ubiquiti AirOS**, to its catalog of actively exploited vulnerabilities, mandating government agencies to patch within three weeks.
* **June (recent)**: CISA issued a warning about active exploitation of three max-severity UniFi OS flaws that had been patched just one month prior. **Bishop Fox** later demonstrated that these vulnerabilities could be chained to achieve unauthenticated remote code execution with root privileges, releasing a free detection script to assist defenders.
Given the historical context and the severity of the newly patched flaws, all organizations and individuals using Ubiquiti UniFi products are urged to apply these security updates without delay.