CVE-2026-50746: a maximum-severity, network-access command-injection risk
Ubiquiti on Thursday released patches for seven critical UniFi OS vulnerabilities, calling particular attention to CVE-2026-50746 — a maximum-severity flaw in the UniFi Connect Application (versions 3.4.16 and earlier). The company said the weakness is an Improper Access Control that a network-accessible attacker can chain into a command injection on the host device. Ubiquiti advised customers to upgrade the UniFi Connect app to version 3.4.20 or later to remediate the flaw.
Six additional critical fixes across UniFi apps and appliances
Alongside CVE-2026-50746, Ubiquiti patched six more critical-severity flaws: CVE-2026-50747, CVE-2026-50748, CVE-2026-54400, CVE-2026-54402, CVE-2026-55115, and CVE-2026-55116. Those repairs span the UniFi Talk, UniFi Access, and UniFi Protect applications, the company's UniFi OS Server, and a broad set of routers, gateways, NAS, and surveillance products. Ubiquiti has not disclosed whether any of the newly patched vulnerabilities were exploited in the wild prior to the updates.
Scale of the exposure: over 100,000 UniFi OS instances visible online
Threat intelligence provider Censys now tracks more than 100,000 UniFi OS instances exposed to the Internet, with nearly 50,000 of those IP addresses located in the United States. The public inventory provides a sense of scale but, as Ubiquiti noted, there are no public details on how many of those instances have been updated to remove the flaws or how many are decoys or honeypots.
Context from prior targeting and federal actions
Ubiquiti devices have been attractive targets for state-sponsored and criminal groups, the company noted. The report cites documented operations: in February 2024 the FBI dismantled Moobot, a botnet of Ubiquiti Edge OS routers the agency said was used by Russia's Main Intelligence Directorate of the General Staff (GRU) to proxy malicious traffic for cyberespionage. In April 2022, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a critical command-injection flaw (CVE-2010-5330) in Ubiquiti AirOS to its catalog of actively exploited vulnerabilities and required U.S. government agencies to patch within three weeks. More recently, in June, CISA warned of active exploitation of three maximum-severity UniFi OS flaws that had been patched a month earlier and directed agencies to secure affected systems within three days.
Independent research has also amplified the practical risk: security firm Bishop Fox demonstrated that certain UniFi OS flaws can be chained to achieve remote code execution with elevated privileges and released a free detection script to help defenders locate vulnerable instances.
What this means for technologists, agencies, and commercial building operators
- Technologists and security teams: Ubiquiti's direct mitigation is to update UniFi Connect to version 3.4.20 or later; the company’s patching also covers other UniFi apps and devices listed in its advisory. The vendor warned that six of the fixed vulnerabilities can be exploited in low-complexity attacks that do not require user interaction, increasing the urgency for prompt patching.
- Policymakers and agencies: The advisory arrives against a recent pattern of rapid federal directives and active exploitation warnings from CISA. Agencies that face similar risk profiles will weigh Ubiquiti’s update guidance against prior CISA timelines (three weeks in April 2022 and three days in June) when deciding whether to mandate immediate patching.
- Commercial building owners and operators: UniFi Connect Application is marketed for automating and managing commercial building operations — including smart LED lighting systems and electric vehicle chargers. The vulnerability therefore has direct operational implications for facilities that use UniFi Connect to centralize building controls.
Ubiquiti's patches close a set of high-severity technical gaps, but the public footprint of more than 100,000 online UniFi OS instances and the history of exploitation reminders from federal agencies mean questions remain about how rapidly the exposed base will be updated. The company has provided a specific remediation path — upgrade UniFi Connect to version 3.4.20 or later — while independent researchers and federal bodies continue to track and test for chained exploits and active campaigns.
Read the original advisory and reporting: https://www.bleepingcomputer.com/news/security/ubiquiti-warns-of-new-max-severity-unifi-os-vulnerability/




