ctipilot.ch

Ubiquiti UniFi Protect SSRF privilege escalation (CVSS 9.9), SAB-066

cve · CVE-2026-55115

Coverage timeline
1
first 2026-07-08 → last 2026-07-08
Entries
1
1 distinct days
Sources cited
2
2 hosts
Sections touched
1
trending-vulnerabilities
Co-occurring entities
5
see Related entities below

Story timeline

  1. 2026-07-08Ubiquiti UniFi SAB-066 — 25 vulnerabilities incl. unauthenticated CVSS 10.0 command injection in UniFi Connect (CVE-2026-50746)
    trending-vulnerabilitiesNCSC-NL flags Ubiquiti UniFi SAB-066: unauthenticated CVSS 10.0 command injection plus 24 more

Where this entity is cited

  • trending-vulnerabilities1

Source distribution

  • advisories.ncsc.nl1 (50%)
  • socradar.io1 (50%)

Related entities

Entries about Ubiquiti UniFi Protect SSRF privilege escalation (CVSS 9.9), SAB-066 (1)

2026-07-08 · view entry permalink →

Ubiquiti UniFi SAB-066 — 25 vulnerabilities incl. unauthenticated CVSS 10.0 command injection in UniFi Connect (CVE-2026-50746)

NCSC-NL published advisory NCSC-2026-0221 on 7 July 2026 covering Ubiquiti's Security Advisory Bulletin 066 (vendor-published 2026-07-02): 25 vulnerabilities spanning the UniFi Connect, Talk, Access, Network and Protect applications plus the UniFi OS platform itself across the Dream Machine / Cloud Gateway / Cloud Key / Network-Video-Recorder / Enterprise-Fortress-Gateway hardware families (NCSC-NL, 2026-07-07). This is a distinct, larger disclosure from the CVE-2026-34908/-34909/-34910 UniFi OS chain covered on 2026-06-24 — different CVEs, broader scope. The most severe, CVE-2026-50746 (CVSS 10.0), is an improper-access-control flaw in UniFi Connect (< 3.4.20) letting a network-adjacent unauthenticated attacker execute OS command injection on the host device; CVE-2026-50747 (CVSS 9.9, authenticated SQLi in Talk), CVE-2026-50748 (CVSS 9.9, command injection in Access), CVE-2026-54402 (CVSS 9.9, command injection in UniFi OS) and CVE-2026-55115 (CVSS 9.9, SSRF in Protect) round out the critical set, and CVE-2026-54403 (CVSS 8.6, path traversal in UniFi OS) bypasses authentication outright and is explicitly flagged by Ubiquiti as chainable to drop the low-privilege prerequisite of the others. SOCRadar confirms no functional public PoC and no confirmed in-the-wild exploitation as of 2026-07-08 (SOCRadar, 2026-07-08). Defender takeaway: UniFi gear is dense across DACH/EU schools, municipal government and SME networks, and the June UniFi disclosure showed the platform is actively targeted once exposed; there is no interim mitigation for any of the 25 flaws, so the operational move is to patch the affected applications/OS and, independent of patch state, pull every UniFi management interface off internet/WAN exposure and watch UniFi Protect hosts for SSRF-style outbound probing of internal service endpoints.

vulnerability08 Jul 20:35Zmulti-sourceOpen finding ↗