H-ISAC TLP White Vulnerability Bulletin Multiple Critical Flaws Patched in Ubiquiti UniFi OS - July 8, 2026
On July 2, 2026, Ubiquiti released critical security updates to patch seven severe vulnerabilities across its UniFi OS ecosystem, including a maximum-severity flaw CVE-2026-50746 in the UniFi Connect Application.
Additional Info
Analysis
The CVE-2026-50746 flaw allows network-based attackers to execute command injection attacks against systems that manage smart building operations, such as EV chargers and lighting.
Six additional critical flaws tracked as CVE-2026-50747, CVE-2026-50748, CVE-2026-54400, CVE-2026-54402, CVE-2026-55115, CVE-2026-55116, affect other major components, including UniFi Talk, Access, Protect, routers, gateways, and storage systems, and can be exploited via low-complexity attacks requiring zero user interaction.
While there is no current evidence that these flaws are being exploited in the wild, threat intelligence firms have identified over 100,000 internet-exposed UniFi OS instances, making them prime targets for cybercriminals and state-sponsored groups that have historically hijacked Ubiquiti hardware to build stealthy botnets.
Recommendations
- Apply the latest firmware and software updates to your UniFi routers, gateways, Protect cameras, Access systems, Talk apps, and UniFi OS Servers to patch the flaws.
- If your UniFi OS management portal is exposed to the public internet, restrict external access. Use a secure VPN or UniFi’s official cloud portal to manage your network instead of leaving it directly searchable online.
- Enable automatic security updates in your UniFi OS settings so your system receives emergency patches as soon as they are released.
Review the Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients Resources.
View the detailed report below.
For help with Cybersecurity and Risk Advisory Services exclusively for AHA members, contact: