H-ISAC TLP White Vulnerability Bulletin Multiple Critical Flaws Patched in Ubiquiti UniFi OS - July 8, 2026

On July 2, 2026, Ubiquiti released critical security updates to patch seven severe vulnerabilities across its UniFi OS ecosystem, including a maximum-severity flaw CVE-2026-50746 in the UniFi Connect Application.

Additional Info

Analysis

The CVE-2026-50746 flaw allows network-based attackers to execute command injection attacks against systems that manage smart building operations, such as EV chargers and lighting.

Six additional critical flaws tracked as CVE-2026-50747, CVE-2026-50748, CVE-2026-54400, CVE-2026-54402, CVE-2026-55115, CVE-2026-55116, affect other major components, including UniFi Talk, Access, Protect, routers, gateways, and storage systems, and can be exploited via low-complexity attacks requiring zero user interaction.

While there is no current evidence that these flaws are being exploited in the wild, threat intelligence firms have identified over 100,000 internet-exposed UniFi OS instances, making them prime targets for cybercriminals and state-sponsored groups that have historically hijacked Ubiquiti hardware to build stealthy botnets.

Recommendations

  • Apply the latest firmware and software updates to your UniFi routers, gateways, Protect cameras, Access systems, Talk apps, and UniFi OS Servers to patch the flaws.
  • If your UniFi OS management portal is exposed to the public internet, restrict external access. Use a secure VPN or UniFi’s official cloud portal to manage your network instead of leaving it directly searchable online.
  • Enable automatic security updates in your UniFi OS settings so your system receives emergency patches as soon as they are released.

Review the Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients Resources.

View the detailed report below.

For help with Cybersecurity and Risk Advisory Services exclusively for AHA members, contact:

John Riggi

National Advisor for Cybersecurity and Risk, AHA

jriggi@aha.org

(O) +1 202 626 2272