Ubiquiti Warns of Maximum Severity UniFi OS Vulnerability Enabling Command Injection
Ubiquiti has released urgent security updates for its UniFi OS, patching seven critical vulnerabilities, including a maximum-severity flaw that allows for command injection attacks.

Ubiquiti has issued a critical security alert, urging users to update their UniFi OS installations promptly. The company has released patches for seven high-severity vulnerabilities, with one flaw, CVE-2026-50746, being rated at the maximum severity level. This critical vulnerability resides within the UniFi Connect Application, a software suite designed for automating and managing commercial building operations such as smart lighting and EV chargers.
The command injection vulnerability in UniFi Connect Application (versions 3.4.16 and earlier) can be exploited by a malicious actor with network access. Ubiquiti's advisory states that an 'Improper Access Control' vulnerability allows for the execution of commands on the host device. To mitigate this risk, users are strongly advised to update the affected UniFi Connect application to version 3.4.20 or later.
In addition to the critical flaw in UniFi Connect, Ubiquiti also addressed six other significant security issues on the same day. These vulnerabilities, tracked as CVE-2026-50747, CVE-2026-50748, CVE-2026-54400, CVE-2026-54402, CVE-2026-55115, and CVE-2026-55116, impact a broader range of Ubiquiti products. They affect the UniFi Talk, UniFi Access, and UniFi Protect applications, as well as the core UniFi OS Server and various Ubiquiti routers, gateways, NAS devices, and surveillance systems.
While Ubiquiti has not yet confirmed any instances of these vulnerabilities being exploited in the wild, the company noted that six of the patched issues can be exploited through low-complexity attacks that do not require user interaction. This ease of exploitation raises concerns about potential widespread compromise if systems are not updated.
Threat intelligence data from Censys indicates that over 100,000 UniFi OS instances are exposed to the internet, with the United States accounting for nearly 50,000 of these. The exact number of these exposed instances that remain vulnerable or are secured is unknown, highlighting a significant potential attack surface.
Ubiquiti devices have historically been a target for both state-sponsored and cybercrime groups. These actors have frequently hijacked Ubiquiti products to build botnets used for concealing malicious activities, including cyberespionage. Past incidents include the FBI's dismantling of the Moobot botnet, which utilized compromised Ubiquiti Edge OS routers, and CISA's inclusion of a critical command injection flaw in Ubiquiti AirOS on its Known Exploited Vulnerabilities (KEV) catalog.
This latest batch of vulnerabilities underscores the ongoing security challenges faced by users of Ubiquiti's networking and IoT devices. The company's proactive patching and clear advisories are crucial for its user base, especially given the potential for these flaws to be chained or exploited in sophisticated attacks, as demonstrated in previous incidents involving similar vulnerabilities.