Ethical Hacking News
Ubiquiti has issued critical security patches to address multiple vulnerabilities in its UniFi network management platform. The patches aim to mitigate the risks associated with privilege escalation and arbitrary command execution, highlighting the ongoing need for vigilance when it comes to IoT device security.
Ubiquiti has issued critical security patches for multiple vulnerabilities in its UniFi network management platform.These vulnerabilities, including CVE-2026-50746 and CVE-2026-50747, pose an "extremely high" risk of exploitation and allow attackers to execute command injections or escalate privileges.A total of six distinct CVEs have been identified, with four carrying a CVSS score of 9.9 or higher.Users are advised to monitor their UniFi systems for unusual activity and ensure all firmware and software are up-to-date.Implementing robust security measures such as firewalls and intrusion detection systems can significantly reduce the risk associated with vulnerabilities in IoT devices like UniFi.
Ubiquiti has issued a series of critical security patches to address multiple vulnerabilities in its popular UniFi network management platform. The patches, which were released across various platforms including UniFi Connect, UniFi Talk, UniFi Access, UniFi Protect, and UniFi OS, aim to mitigate the risks associated with privilege escalation and arbitrary command execution.
The list of vulnerabilities identified by Ubiquiti is extensive, encompassing no fewer than six distinct CVEs (Common Vulnerability and Exposure) each bearing a unique CVSS (Common Vulnerability Scoring System) score. Among these, CVE-2026-50746 stands out for its CVSS score of 10.0, indicating an "extremely high" risk of exploitation. This vulnerability, which affects versions 3.4.16 and earlier of the UniFi Connect Application, enables an attacker with access to the network to execute a command injection on the host device.
Similarly, CVE-2026-50747 boasts a CVSS score of 9.9, indicating "extremely high" risk as well. This vulnerability affects versions 5.1.2 and earlier of the UniFi Talk Application and allows an attacker with access to the network to escalate privileges on the host device.
In addition to these two vulnerabilities, CVE-2026-50748 also carries a CVSS score of 9.9, making it another "extremely high" risk vulnerability affecting versions 4.2.28 and earlier of the UniFi Access Application. This vulnerability enables an attacker with access to the network to execute a command injection on the host device.
Furthermore, CVE-2026-54400 bears a CVSS score of 9.1, indicating "high" risk. This vulnerability affects versions 4.2.28 and earlier of the UniFi Access Application as well, allowing an attacker with access to the network to escalate privileges on the host device.
Additionally, CVE-2026-55115 carries a CVSS score of 9.9, indicating "extremely high" risk. This vulnerability affects versions 7.1.77 and earlier of the UniFi Protect Application, enabling an attacker with low privileges and access to the network to escalate privileges on the host device through Server-Side Request Forgery (SSRF).
Lastly, CVE-2026-54402 also bears a CVSS score of 9.9, indicating "extremely high" risk. This vulnerability affects versions 5.1.15 and earlier of the UniFi OS, enabling an attacker with access to the network to execute a command injection on the host device.
It is worth noting that while there have been no reported instances of these vulnerabilities being exploited in the wild, a set of three vulnerabilities in UniFi OS (CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910) was flagged by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) as having been weaponized in real-world attacks last month.
In a separate development, Russian state-sponsored threat actors have been observed enlisting compromised Ubiquiti Edge OS routers into a botnet designed to proxy malicious traffic. This botnet, dubbed MooBot, was felled in a law enforcement operation in February 2024.
The critical nature of the vulnerabilities identified by Ubiquiti highlights the ongoing need for vigilance and proactive security measures when it comes to IoT devices. As the number of connected devices continues to grow at an exponential rate, so too does the potential risk associated with these devices being compromised by malicious actors.
In light of this latest development, users are advised to monitor their UniFi systems closely for any signs of unusual activity or unauthorized access. Furthermore, users should take steps to ensure that all firmware and software are up-to-date, as well as implementing robust security measures such as firewalls and intrusion detection systems.
By taking these precautions, individuals can significantly reduce the risk associated with vulnerabilities in IoT devices like UniFi.
Related Information:
https://www.ethicalhackingnews.com/articles/Ubiquiti-Patches-Critical-UniFi-Flaws-Across-Multiple-Platforms-A-Cautionary-Tale-for-IoT-Security-ehn.shtml
https://thehackernews.com/2026/07/ubiquiti-patches-critical-unifi-flaws.html
https://nvd.nist.gov/vuln/detail/CVE-2026-50746
https://www.cvedetails.com/cve/CVE-2026-50746/
https://nvd.nist.gov/vuln/detail/CVE-2026-50747
https://www.cvedetails.com/cve/CVE-2026-50747/
https://nvd.nist.gov/vuln/detail/CVE-2026-50748
https://www.cvedetails.com/cve/CVE-2026-50748/
https://nvd.nist.gov/vuln/detail/CVE-2026-54400
https://www.cvedetails.com/cve/CVE-2026-54400/
https://nvd.nist.gov/vuln/detail/CVE-2026-55115
https://www.cvedetails.com/cve/CVE-2026-55115/
https://nvd.nist.gov/vuln/detail/CVE-2026-54402
https://www.cvedetails.com/cve/CVE-2026-54402/
https://nvd.nist.gov/vuln/detail/CVE-2026-34908
https://www.cvedetails.com/cve/CVE-2026-34908/
https://nvd.nist.gov/vuln/detail/CVE-2026-34909
https://www.cvedetails.com/cve/CVE-2026-34909/
https://nvd.nist.gov/vuln/detail/CVE-2026-34910
https://www.cvedetails.com/cve/CVE-2026-34910/
Published: Wed Jul 8 10:33:20 2026 by llama3.2 3B Q4_K_M