Ubiquiti has shipped updates to address multiple critical security flaws impacting UniFi Connect, UniFi Talk, UniFi Access, UniFi Protect, and UniFi OS that could result in privilege escalation and arbitrary command execution.
The list of vulnerabilities is as follows –
- CVE-2026-50746 (CVSS score: 10.0) – An improper access control vulnerability in UniFi Connect Application that an attacker with access to the network could exploit to execute a command injection on the host device. (Affects versions 3.4.16 and earlier; fixed in version 3.4.20)
- CVE-2026-50747 (CVSS score: 9.9) – A series of authenticated SQL injection vulnerabilities in UniFi Talk Application that an attacker with access to the network could exploit to escalate privileges on the host device. (Affects versions 5.1.2 and earlier; fixed in version 5.2.2)
- CVE-2026-50748 (CVSS score: 9.9) – An improper input validation vulnerability in UniFi Access Application that an attacker with access to the network could exploit to execute a command injection on the host device. (Affects versions 4.2.28 and earlier; fixed in version 4.2.29)
- CVE-2026-54400 (CVSS score: 9.1) – An improper access control vulnerability in UniFi Access Application that an attacker with access to the network could exploit to escalate privileges on the host device. (Affects versions 4.2.28 and earlier; fixed in version 4.2.29)
- CVE-2026-55115 (CVSS score: 9.9) – A Server-Side Request Forgery (SSRF) vulnerability in UniFi Protect Application that an attacker with access to the network and low privileges could exploit to escalate privileges on the host device. (Affects 7.1.77 and earlier; fixed in version 7.1.83)
- CVE-2026-54402 (CVSS score: 9.9) – An improper input validation vulnerability in UniFi OS that an attacker with access to the network could exploit to execute a command injection on the host device. (Affects versions 5.1.15 and earlier; fixed in version 5.1.19)
- CVE-2026-55116 (CVSS score: 9.0) – An improper access control vulnerability in UniFi OS that an attacker with access to the network could exploit to make unauthorized changes to certain devices. (Affects versions 5.1.15 and earlier; fixed in version 5.1.19)
While there is no evidence that the flaws have been exploited in the wild, a set of three vulnerabilities in UniFi OS (CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910) was flagged by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) as having been weaponized in real-world attacks last month.
Russian state-sponsored threat actors have also been observed enlisting compromised Ubiquiti Edge OS routers into a botnet designed to proxy malicious traffic. The botnet, dubbed MooBot, was felled in a law enforcement operation in February 2024.
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
