UBIQUITI has issued UniFi Security Advisory Bulletin 066, addressing 25 vulnerabilities across its range of products, including critical flaws in the UniFi Connect app that could allow attackers to execute commands without login. The advisory emphasizes the broad impact on home users, small businesses, and large infrastructures running UniFi equipment, which could potentially allow unauthorized access to sensitive functions such as video feeds and door controls.
Key vulnerabilities include:
- **Command Injection and Remote Code Execution**: Notably, CVE-2026-50746 affects the UniFi Connect app with a critical score of 10.0.
- **SQL Injection and SSRF**: Some vulnerabilities require valid logins, with low-level accounts possibly achieving admin levels.
- **Path Traversal and Authentication Bypass**: Specific flaws allow bypassing login checks.
- **Denial of Service**: Certain issues could disrupt service or camera access.
Affected products and versions include various apps and devices within the UniFi ecosystem, with a recommendation for users to promptly update their systems. There are no known active exploits or attacks at this time, but given the severity of the vulnerabilities, immediate patching is advised.