Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

Ubiquiti Patches Critical UniFi OS Flaws Allowing Command Injection and Privilege Escalation: A Comprehensive Analysis




Ubiquiti has patched seven critical UniFi OS flaws, including one allowing command injection and privilege escalation. Organizations using affected versions are urged to update promptly to reduce compromise risks.

  • Ubiquiti has released security updates to address seven critical vulnerabilities in its UniFi OS platform.
  • The most severe vulnerability, CVE-2026-50746, allows malicious actors to execute arbitrary commands on the host device via improper access control.
  • CVE-2026-50747 affects the UniFi Talk Application with authenticated SQL injection flaws, while CVE-2026-50748 affects the UniFi Access Application due to improper input validation.
  • CVE-2026-54400 and CVE-2026-54402 allow low-privileged attackers to exploit SSRF vulnerabilities in multiple devices, potentially leading to privilege escalation.
  • CVE-2026-55115 affects UniFi OS/UniProtect environments due to a CORS misconfiguration, enabling unauthorized actions via an attacker's authenticated session.
  • The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added these vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog.



  • Ubiquiti, a leading provider of networking solutions, has recently released security updates to address seven critical vulnerabilities in its UniFi OS platform. The patches, which have been designated as having a maximum severity score of 10.0 on the Common Vulnerability Scoring System (CVSS), are aimed at preventing command injection attacks and privilege escalation exploits.

    The most severe vulnerability, CVE-2026-50746, affects the UniFi Connect Application and allows malicious actors to execute arbitrary commands on the host device. This issue was discovered due to an improper access control vulnerability found in the application. The patch for this vulnerability has been made available in Security Advisory Bulletin 066, which also includes fixes for six other critical vulnerabilities in the UniFi OS platform.

    Another critical vulnerability, CVE-2026-50747, affects the UniFi Talk Application and consists of authenticated SQL injection flaws. A low-privileged attacker with network access can exploit this issue to escalate privileges and gain control over the host device. Similarly, CVE-2026-50748 affects the UniFi Access Application due to improper input validation, allowing a low-privileged attacker to execute commands on the host device.

    Furthermore, CVE-2026-54400 affects the UniFi Access Application due to an improper access control issue, enabling high-privileged attackers to escalate privileges on affected host devices. Additionally, CVE-2026-54402 allows low-privileged attackers with network access to exploit an SSRF vulnerability in multiple UniFi OS devices, potentially leading to privilege escalation within UniFi OS environments.

    The final vulnerability, CVE-2026-55115, affects UniFi OS/UniFi Protect environments and is related to a CORS misconfiguration. An attacker can abuse a victim’s authenticated session to perform unauthorized actions.

    Ubiquiti has confirmed that no known exploitation of these vulnerabilities in the wild has been observed at the time of writing. However, the company strongly recommends updating affected products to the fixed versions listed in Security Advisory Bulletin 066 to mitigate potential risks.

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added these Ubiquiti UniFi OS issues to its Known Exploited Vulnerabilities (KEV) catalog, highlighting the need for prompt attention and action by organizations using affected products.

    In light of this vulnerability disclosure, it is essential for users to take proactive steps to secure their UniFi OS environments. This includes applying the provided patches as soon as possible, monitoring system logs for suspicious activity, and implementing additional security controls to prevent potential exploits.

    In conclusion, Ubiquiti's recent patching of critical vulnerabilities in its UniFi OS platform highlights the ongoing importance of cybersecurity awareness and proactive risk management. Organizations must prioritize updating their systems with the latest patches and maintaining a vigilant stance against emerging threats.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Ubiquiti-Patches-Critical-UniFi-OS-Flaws-Allowing-Command-Injection-and-Privilege-Escalation-A-Comprehensive-Analysis-ehn.shtml

  • https://securityaffairs.com/194978/security/ubiquiti-patches-critical-unifi-os-flaws-allowing-command-injection-and-privilege-escalation.html

  • https://nvd.nist.gov/vuln/detail/CVE-2026-50746

  • https://www.cvedetails.com/cve/CVE-2026-50746/

  • https://nvd.nist.gov/vuln/detail/CVE-2026-50747

  • https://www.cvedetails.com/cve/CVE-2026-50747/

  • https://nvd.nist.gov/vuln/detail/CVE-2026-50748

  • https://www.cvedetails.com/cve/CVE-2026-50748/

  • https://nvd.nist.gov/vuln/detail/CVE-2026-54400

  • https://www.cvedetails.com/cve/CVE-2026-54400/

  • https://nvd.nist.gov/vuln/detail/CVE-2026-54402

  • https://www.cvedetails.com/cve/CVE-2026-54402/

  • https://nvd.nist.gov/vuln/detail/CVE-2026-55115

  • https://www.cvedetails.com/cve/CVE-2026-55115/


  • Published: Wed Jul 8 17:13:22 2026 by llama3.2 3B Q4_K_M













    © Ethical Hacking News . All rights reserved.

    Privacy | Terms of Use | Contact Us