Seven critical bugs in Ubiquiti's SAB-066 include CVE-2026-50746, a CVSS 10.0 flaw in UniFi Connect that lets anyone with network access run arbitrary OS commands without credentials.
About 100,000 UniFi OS endpoints are reachable from the public internet, Censys said, sharply widening the patch window for Connect 3.4.16 and earlier and other affected UniFi products.
Six companion flaws rated 9.0 to 9.9 hit UniFi Talk, Access, Protect and OS Server, and Ubiquiti said one path-traversal bug can help bypass low-privilege requirements in some attack chains.
The disclosure follows a separate UniFi bug chain patched six weeks ago that CISA added to its exploited-vulnerabilities list on June 23 after Mirai-variant attacks, underscoring pressure to patch immediately and remove public-facing management access.