Ubiquiti Patches Max-Severity UniFi Connect Command Injection
Ubiquiti Bulletin 066 patches seven critical UniFi flaws, headlined by a CVSS 10.0 command injection in UniFi Connect 3.4.16 and earlier. Fix: 3.4.20 or later.
Ubiquiti’s Security Advisory Bulletin 066 covers seven critical vulnerabilities across the UniFi line. The lead item is CVE-2026-50746, a CVSS 10.0 command injection in UniFi Connect versions 3.4.16 and earlier, fixed in 3.4.20. The other six score between 9.0 and 9.9 and touch UniFi OS, UniFi Access, and adjacent applications on the same devices.
What the mechanics look like
CVE-2026-50746 is an improper access control that lets “a malicious actor with access to the network” execute a command injection on the host device, per Ubiquiti’s advisory as summarized by BleepingComputer. Six of the seven bulletin items are low-complexity and require no user interaction. The advisory language (“access to the network”) does not spell out whether authentication is required to reach the vulnerable path; the CVSS 10.0 vector on the max-severity item is consistent with none.
The rest of the bulletin, verified against NVD:
- CVE-2026-50747 — CVSS 9.9, critical.
- CVE-2026-50748 — CVSS 9.9, critical.
- CVE-2026-54400 — CVSS 9.1, critical. UniFi Access — improper access control that lets a network attacker with existing high privileges escalate on the host.
- CVE-2026-54402 — CVSS 9.9, critical.
- CVE-2026-55115 — CVSS 9.9, critical.
- CVE-2026-55116 — CVSS 9.0, critical. UniFi OS — an improper access control on devices in “certain network configurations” that permits unauthorized changes to the device itself.
The bulletin does not publish exploitation mechanics beyond those descriptions, and this piece will not either.
Why this class of box matters
UniFi is the network gear on the physical layer of a lot of small businesses, campuses, and prosumer setups — the switch in the closet since 2018, the gateway that never got enrolled in an inventory system, the AP still running whatever firmware shipped in the box it was pulled out of. Ubiquiti’s own community forums are full of installs that haven’t been touched in years because they “just work.” A CVSS 10.0 command injection reachable from the LAN turns that legacy footprint into a network foothold, and the six adjacent 9.x bugs mean the fallback is not much better than the primary.
Exploitation in the wild has not been confirmed and no public PoC has been posted — Ubiquiti “has yet to disclose whether any of these vulnerabilities were exploited in the wild,” per BleepingComputer’s read of the advisory. That is the state as of publication; it is not a promise about tomorrow.
What to do this week
Sign into UniFi Network or UniFi OS and compare the running version against Bulletin 066. If UniFi Connect is deployed anywhere in the estate, that one goes first — pin it to 3.4.20 or later. Same for UniFi OS and UniFi Access on any device the bulletin lists as affected. For anything management-plane-adjacent that is still reachable from a client VLAN, put that reachability on a separate to-do: this is a good week to audit which of your UniFi boxes should be answering pings from workstations at all, patched or not.
Found this useful? Share it.