JH← Back to blog

CVE-2026-50746: A CVSS 10.0 in UniFi Connect Puts 100,000 Networks in the Blast Radius

An unauthenticated command injection flaw in Ubiquiti's UniFi Connect scored a perfect 10.0 — and roughly 100,000 internet-facing endpoints are exposed right now. Here's what to patch and audit today.


Ubiquiti's UniFi gear runs a huge share of small-business and MSP-managed networks precisely because it's cheap and easy to deploy without a dedicated network engineer. That same accessibility is why Security Advisory Bulletin 066, disclosed July 8, is a genuine emergency: 25 vulnerabilities, headlined by CVE-2026-50746, a CVSS 10.0 improper access control flaw in UniFi Connect that lets an unauthenticated, network-adjacent attacker inject and execute commands. No login, no session token, no prior foothold. Researchers estimate around 100,000 UniFi OS endpoints are currently reachable from the public internet.

What makes this a 10.0

The CVSS vector — network-based, low complexity, zero privileges, no user interaction, full compromise of confidentiality, integrity, and availability — is the textbook combination that earns a perfect score. UniFi Connect specifically manages access control, intercoms, and building-management integrations, so this isn't just "an attacker gets a switch." A compromised instance tied to door hardware could remotely unlock doors, silence intercom alerts, or scrub access logs during a physical intrusion. That's a cybersecurity bug with a physical-security blast radius most incident response plans aren't built to handle.

The 24 vulnerabilities getting less attention

Bulletin 066 also disclosed authenticated SQL injection flaws in UniFi Talk (version 5.1.2 and earlier) that let an attacker with existing low-level network access escalate privileges. On their own they need a foothold — but chained with a phished credential or compromised guest Wi-Fi, they become a privilege-escalation path into the rest of your UniFi stack. Patch the CVSS 10.0 item first, but don't stop there: pull the full affected-version list and treat every match as required, not optional.

The MSP multiplier

For MSPs, one careless configuration template can replicate across every client site provisioned from it. If a standard deployment leaves UniFi Connect reachable from the internet — even unintentionally, via a stray port forward or a cloud-management default — that mistake could be live in dozens of client environments simultaneously. This warrants a full portfolio audit, not a per-ticket fix as clients happen to ask.

What to do now

  1. Patch immediately: UniFi Talk to 5.2.2+, UniFi Connect to 3.4.20+. Don't wait for a maintenance window on anything internet-facing.
  2. Audit exposure — check whether any UniFi Connect or Talk interface is reachable from outside your network.
  3. Put management traffic behind a VPN or restricted VLAN regardless of patch status. It should never sit directly on the internet.
  4. Review logs for unexpected process execution, unfamiliar outbound connections, or configuration changes since the vulnerability was likely introduced.
  5. Work through the rest of the Bulletin 066 list, not just the headline CVE.
  6. Document patch dates and exposure audits — auditors increasingly want CVE-specific remediation timelines, not generic policy statements.

Once a CVSS 10.0 in widely deployed network hardware gets public attention, mass scanning tends to start within days, not weeks. If UniFi Connect or Talk is anywhere in your environment, this is a same-day task — and a good prompt to ask whether your organization tracks vendor security bulletins for networking gear as rigorously as it does for servers and endpoints.