People Trust UniFi Because It Looks Clean. 100,000 of Them Are One Passwordless Command From Takeover.
- Patrick Duggan
- 4 minutes ago
- 4 min read
Here is the honest disclosure up front, because receipts cut both ways: we do not have a receipt on this one. We did not flag it early, we have no prior post to point at, and nobody has confirmed in-the-wild exploitation yet. This is a patch-ahead warning, not a victory lap. We are writing it anyway, because the thing that makes UniFi dangerous is the exact thing that keeps it off everyone's threat model — people trust it, and the trust is the vulnerability.
On July 2, Ubiquiti published Security Advisory Bulletin 066 and quietly disclosed twenty-five vulnerabilities across the UniFi ecosystem — UniFi OS and the Connect, Talk, Access, Protect, and Network applications that ride on top of it. The one that should have set off every alarm in the building is CVE-2026-50746: a perfect CVSS 10.0 in the UniFi Connect application that lets any attacker on the network execute operating-system commands with no credentials at all. A 10.0 is not a bad day. A 10.0 means the worst possible answer to every single scoring question at once — reachable over the network, trivial to exploit, no privileges required, no user interaction, and total loss of confidentiality, integrity, and availability. It is the highest score the scale can produce, and it lives in a product a lot of people installed specifically so they would not have to think about security.
It is not alone. CVE-2026-50747, a 9.9, is an authenticated SQL injection in UniFi Talk 5.1.2 and earlier that a low-privileged attacker rides all the way to full control of the host. CVE-2026-50748, another 9.9, is a command-injection flaw in UniFi Access 4.2.28 and earlier — and read that product name again, because UniFi Access is the software that controls the physical door locks. A command-injection bug in the thing holding your front door shut is a special kind of problem. Access, Talk, Connect: the three worst bugs in the batch are in the three applications people bought precisely because Ubiquiti made physical security, phones, and displays feel as easy as plugging in a light.
That is the whole story, and it is why we are breaking our own no-receipt rule to tell it. UniFi built the best-looking network gear on the consumer and small-business market. The dashboard is gorgeous. The setup is fifteen minutes. The little topology map animates. And somewhere in the last decade that slickness quietly became a security claim in people's heads that Ubiquiti never actually made — that because it looks like an Apple product, it is safe like people imagine an Apple product is. It is not a security product. It is a Linux appliance with a beautiful front-end, and a Linux appliance with a beautiful front-end running an unauthenticated command-execution bug is exactly as owned as an ugly one. The paint does not stop the exploit.
Now the number that turns this from a homelab footnote into an initial-access story. Roughly one hundred thousand UniFi OS endpoints are reachable directly from the public internet right now. That is one hundred thousand appliances — sitting in dentists' offices, small law firms, franchise back-rooms, MSP client sites, and the spare bedrooms of people who run their whole home on this stuff — one unauthenticated request away from a shell. This is the exact thesis we have been hammering since May, when we called it Edge-Appliance Week: the foot in the door is every foot. The perimeter appliance is the initial-access surface, whichever vendor's logo is on the bezel, and the ransomware crews we track have spent 2026 converging on precisely this category — the management and access plane, internet-exposed, under-monitored, trusted by default. UniFi has just handed them a hundred thousand fresh doors with a perfect-10 lock defect, and unlike the enterprise VPN appliances in that cluster, half of these are run by someone with no security team, no patch calendar, and a genuine belief that the pretty box takes care of itself.
So do the unglamorous thing tonight. If you run UniFi Connect 3.4.16 or earlier, UniFi Talk 5.1.2 or earlier, UniFi Access 4.2.28 or earlier, UniFi OS Server 5.1.15 or earlier, or UniFi Protect 7.1.77 or earlier, update now — Ubiquiti has shipped fixes for all of it. Then do the thing the pretty UI trained you not to do: check whether your UniFi controller is reachable from the open internet at all, and if it is, get it behind a VPN or off the public address entirely. The management plane of your network should never have been answering to strangers, 10.0 or no 10.0. And if UniFi Access is holding your physical doors, treat this as the physical-security incident it actually is, not just an IT ticket.
We hold this at 95 percent like everything else — no confirmed exploitation yet, and maybe the window closes before the crews get organized. But a hundred thousand exposed endpoints, a public advisory with a roadmap, and an unauthenticated perfect-10 is not a combination that stays quiet, and the population running these devices is the least equipped to notice when it stops being quiet. The reason we wrote this without a receipt is that the receipt, if we wait for it, gets written in someone's compromised network. Patch the pretty box. It was never guarding itself.
Every indicator in this post is in the feed. Free.
1.58M+ IOCs, STIX 2.1 / TAXII, 88% novel vs ThreatFox, exploited-CVE leads ahead of CISA. No credit card — a free API key in 30 seconds, and you can audit every claim above against the live endpoints.
