ctipilot.ch
← Back to the live brief
NOTABLECVE-2026-50746 +5vulnerability

Ubiquiti UniFi SAB-066 — 25 vulnerabilities incl. unauthenticated CVSS 10.0 command injection in UniFi Connect (CVE-2026-50746)

discovered 2026-07-08 20:35 UTCrun 2026-07-08T2009Z-intel2 sourcesmulti-source

NCSC-NL published advisory NCSC-2026-0221 on 7 July 2026 covering Ubiquiti's Security Advisory Bulletin 066 (vendor-published 2026-07-02): 25 vulnerabilities spanning the UniFi Connect, Talk, Access, Network and Protect applications plus the UniFi OS platform itself across the Dream Machine / Cloud Gateway / Cloud Key / Network-Video-Recorder / Enterprise-Fortress-Gateway hardware families (NCSC-NL, 2026-07-07). This is a distinct, larger disclosure from the CVE-2026-34908/-34909/-34910 UniFi OS chain covered on 2026-06-24 — different CVEs, broader scope. The most severe, CVE-2026-50746 (CVSS 10.0), is an improper-access-control flaw in UniFi Connect (< 3.4.20) letting a network-adjacent unauthenticated attacker execute OS command injection on the host device; CVE-2026-50747 (CVSS 9.9, authenticated SQLi in Talk), CVE-2026-50748 (CVSS 9.9, command injection in Access), CVE-2026-54402 (CVSS 9.9, command injection in UniFi OS) and CVE-2026-55115 (CVSS 9.9, SSRF in Protect) round out the critical set, and CVE-2026-54403 (CVSS 8.6, path traversal in UniFi OS) bypasses authentication outright and is explicitly flagged by Ubiquiti as chainable to drop the low-privilege prerequisite of the others. SOCRadar confirms no functional public PoC and no confirmed in-the-wild exploitation as of 2026-07-08 (SOCRadar, 2026-07-08). Defender takeaway: UniFi gear is dense across DACH/EU schools, municipal government and SME networks, and the June UniFi disclosure showed the platform is actively targeted once exposed; there is no interim mitigation for any of the 25 flaws, so the operational move is to patch the affected applications/OS and, independent of patch state, pull every UniFi management interface off internet/WAN exposure and watch UniFi Protect hosts for SSRF-style outbound probing of internal service endpoints.

Defender actions

  • Update UniFi Connect ≥ 3.4.20, Talk ≥ 5.2.2, Access ≥ 4.2.29, Protect ≥ 7.1.83 and UniFi OS ≥ 5.1.19; no interim mitigation is documented for any of the 25 CVEs.
  • Segregate every UniFi management-plane interface (controller UI, Connect, Talk, Access) from general LAN/internet exposure regardless of patch state — several flaws need only network adjacency and no or low privilege.
PROVENANCE

AI-generated · no human review · this permalink is the shareable record for the finding · verify operationally critical claims against the linked primary source.