Lead Analysis
Security & Risk5 min

Ubiquiti Releases CVE-2026-50746 with CVSS 10.0 on UniFi Connect, Exposing 100,000 Endpoints to the Internet

Rack de rede predial iluminado por lanterna, controlador UniFi com LED vermelho aceso

Access control vulnerability allows command execution without authentication on adjacent networks and is part of the SAB-066 package, which addresses 25 vulnerabilities in the UniFi line.

Ubiquiti announced on Wednesday the release of security bulletin SAB-066, which addresses 25 vulnerabilities in the UniFi portfolio. The most severe, CVE-2026-50746, received a CVSS score of 10.0 and affects the UniFi Connect Application in versions equal to or lower than 3.4.16. The patch is included in version 3.4.20.


The nature of this vulnerability is Improper Access Control (CWE-284). The command execution path of UniFi Connect is accessible without authentication, giving an attacker on an adjacent network the ability to execute arbitrary code on the host. The CVSS vector indicates a low complexity attack, requiring no privileges and no user interaction. In operational terms, it represents the worst possible scenario: once the attacker has IP visibility of the service, compromise is immediate.


Scope of Exposure


Data from Censys, referenced by multiple security researchers analyzing the bulletin, indicates around 100,000 UniFi OS endpoints reachable via the public internet. This number includes appliances from the UDM, UNVR, and UNAS families, which share the UniFi OS base even when the UniFi Connect is not in use. Not all run the vulnerable component, but the potential attack surface requiring urgent triage is one of the largest of the year.


SAB-066 includes two other vulnerabilities with CVSS scores of 9.9. CVE-2026-54402 allows command injection in UniFi OS. CVE-2026-55115 enables privilege escalation via SSRF in UniFi Protect, the vendor's video system. Together, these three vectors cover the network management chain, from device orchestrator to physical security subsystem.


Where the Flaw Really Hurts


UniFi Connect is the console that Ubiquiti markets for building operation: managing LED lighting, electric vehicle chargers, and integrations with access control. In corporate environments, the console often runs on a facilities-segmented network, isolated from production but almost never from the management data center. This poses a typical lateral attack surface: compromising facilities provides a pivot point to the corporate Active Directory in a significant portion of the installations.


Companies standardizing on UniFi for retail, coworking, and logistics often have dozens or hundreds of sites with the same network template. The patch operation in this scenario is not an upgrade of a central server: it is a coordinated rollout at each location, often dependent on overnight maintenance windows and without a local vendor SLA.


Considerations for SOCs Across Markets


In the United States, the SMB and mid-market sectors concentrate a significant portion of the UniFi base, exactly the segment with the lowest maturity in vulnerability management. Managed network service providers servicing this base will face weeks of work to address the backlog. In Europe, this bulletin arrives just as the NIS2 directive goes into effect, requiring essential operators to report and mitigate within short timeframes: an incident related to this CVE in a grocery chain or logistics operator triggers notification obligations in several countries within the bloc.


In Brazil, Anatel certifies a large part of the UniFi line, and the product is common in shopping centers, hospitals, and mid-sized clinics. The LGPD and Resolution BC 4,658 give this vulnerability regulatory weight in financial operations that outsource physical network management. In markets such as Japan and Singapore, the density of UniFi in commercial buildings recently integrated into smart building platforms presents an even tighter update window, with integrators needing to coordinate patches alongside ongoing maintenance contracts.


What to Do Beyond the Patch


The manufacturer recommends an immediate upgrade to UniFi Connect 3.4.20 or higher and a review of the other items in SAB-066. Security teams unable to apply the patch in the next 24 hours should cut off access to the management plane from the internet, enforce VPN for administration, and review network logs for anomalous access to the application endpoint. Censys has already listed queries for identifying the vulnerable version en masse shortly after the bulletin was released, reducing the window between publication and opportunistic scanning. Detection teams should also activate rules for the typical payload pattern of CWE-284 exploitation in the UniFi Connect HTTP endpoint and review outgoing telemetry from devices, as exfiltration after command execution often passes through poorly filtered DNS tunnels in facilities segments.


This case again exposes a choice that CISOs have been postponing: when the same vendor provides switches, cameras, and access control, a critical vulnerability affects three domains at the same time. The convergence of infrastructure simplifies purchasing but complicates response.

Lead Analysis