Ubiquiti Patches Seven Critical UniFi Flaws — What Small Offices Should Do This Week

A UniFi network diagram with one node flagged critical at CVSS 10.0

Ubiquiti released patches this week for seven critical vulnerabilities across its UniFi product line — the routers, switches, access points, and cameras that a huge number of small offices, cafes, clinics, and co-working spaces run their networks on. The worst of the seven, tracked as CVE-2026-50746, scores a perfect 10.0 on the severity scale. It sits in the UniFi Connect application and lets someone who already has access to your network run arbitrary commands on the device — no password guessing, no user clicking a bad link, just network access and the flaw does the rest.

The other six aren't far behind: SQL injection in UniFi Talk, command injection in UniFi Access, an access-control gap that lets an attacker mess with device settings in UniFi OS, and a server-side request forgery bug in UniFi Protect (the camera/NVR software). All six score 9.0 or higher. Security researchers who scan the public internet count over 100,000 UniFi OS systems exposed online, tens of thousands of them in the US alone — so this isn't a theoretical problem sitting in a lab somewhere.

There's no confirmed sign yet that anyone is actively exploiting these seven, which is the good news. The less good news is that Ubiquiti gear has been a repeat target before, and a CVSS 10.0 sitting unpatched in the wild tends not to stay quiet for long.

What this means for your business

If your office network runs on UniFi hardware — and a lot of small businesses do, because it's affordable and easy to self-manage — this is worth ten minutes of someone's time this week, not a "get to it eventually" item.

  • Open the UniFi network application (or the UniFi mobile app) and check for a pending firmware/software update. Apply it. The fixed versions are UniFi Connect 3.4.20, UniFi Talk 5.2.2, UniFi Access 4.2.29, UniFi Protect 7.1.83, and UniFi OS 5.1.19 — anything older than these on the relevant product is exposed.
  • If nobody in your business currently owns "does our router have the latest firmware", that's the actual gap here — not this specific bug. Hardware quietly ages out of attention once it's plugged in and working.
  • If you're not sure whether your setup is UniFi at all, ask whoever installed your network gear, or ask us — we're happy to take a quick look as part of a general setup review.

The broader habit worth building: network equipment needs the same patch discipline as laptops and phones, and it's usually nobody's job by default. Whoever set up the office Wi-Fi three years ago probably isn't checking firmware changelogs today.

Questions about your own setup? support@techleetsolutions.com
Sources: BleepingComputer, The Hacker News