Ubiquiti UniFi CVSS 10: patch the box that runs your office
Ubiquiti's UniFi Connect flaw CVE-2026-50746 (CVSS 10.0) lets an unauthenticated attacker on your network run commands on the host. Patch to 3.4.20 now.
If you run UniFi gear — and a lot of small offices, retail floors, and studios do — you have a patch to apply. Ubiquiti disclosed a maximum-severity flaw, CVE-2026-50746, rated CVSS 10.0, that lets an attacker already on your network run arbitrary commands on the device with no login required. The fix is out. The box won't install it by itself.
What actually happened
In early July, Ubiquiti published Security Advisory Bulletin 066, patching 25 vulnerabilities across the UniFi ecosystem — Network, Talk, Access, Protect, and Connect — seven of them rated critical. The headliner is CVE-2026-50746, a CVSS 10.0 improper-access-control bug in the UniFi Connect Application, the piece that manages building systems like displays, smart lighting, and EV chargers. Per Ubiquiti's advisory, a malicious actor with network access can exploit it to execute a command injection on the host device — no credentials, low attack complexity, no user interaction. It affects Connect version 3.4.16 and earlier; the fix is 3.4.20.
The exposure isn't theoretical. Threat-intelligence firm Censys counts over 100,000 UniFi OS instances reachable on the open internet, roughly half of them in the US, according to BleepingComputer. There's no confirmed active exploitation yet — but a no-auth, network-adjacent path to code execution on a device that sits at the edge of your network is exactly what gets weaponized fast once a proof-of-concept circulates.
Why it matters for your business
This is the same lesson as any self-hosted stack, just wearing a networking-vendor label: the appliance in your closet is yours to patch. UniFi is popular with small teams precisely because it's capable and you own it outright — no per-seat cloud tax. That ownership includes the security calendar. A CVSS 10.0 on the device that routes your traffic, and often holds VPN and camera access, is not a "get to it eventually" item. It's the kind of foothold that turns into lateral movement across everything else you run.
The failure mode is boring and common: nobody's job is to watch the vendor's advisory feed, so the controller sits three firmware versions behind until an incident makes it urgent. Fix the process, not just this bug.
Key takeaways
- CVE-2026-50746 (CVSS 10.0) lets an unauthenticated attacker on your network run commands on a UniFi Connect host — update to 3.4.20
- It's one of seven critical flaws in Security Advisory Bulletin 066, spanning UniFi Network, Talk, Access, Protect, and Connect (25 fixes in total)
- Censys counts 100,000+ UniFi OS devices exposed online, about half in the US; no confirmed exploitation yet, but the path is trivial
- Own the gear, own the patch cadence — put firmware updates on a named owner's calendar and keep management interfaces off the public internet
Not sure what's exposed on your own network? We set up and maintain the infrastructure small teams actually own — with a patch cadence that's someone's job, not an afterthought. See what we do or get a network exposure check.
Sources: Ubiquiti — Security Advisory Bulletin 066, BleepingComputer — Ubiquiti warns of new max severity UniFi OS vulnerability.
- #ubiquiti
- #cve
- #network-security
- #patching
- #unifi
Tommy Rush — Founder, Rush Commerce
Operator turned builder. 15+ years running operations — now shipping the systems businesses run on. More
Get The Rush Report weekly — one email, zero fluff.
Keep reading
Joomla page builders hit CVSS 10.0: patch your CMS now
Two Joomla page-builder extensions have unauthenticated CVSS 10.0 file-upload flaws that are already dropping web shells and hidden admin accounts. Your marketing site is attack surface.
Read itJetBrains Hub CVSS 9.8: patch your self-hosted dev tools
JetBrains patched a CVSS 9.8 account-takeover flaw in Hub plus auth-bypass and RCE bugs across YouTrack, TeamCity, and IntelliJ IDEs. Self-hosted means you patch.
Read it