Ubiquiti Patches Critical UniFi Flaws Across Connect, Talk, Access, Protect, and OS
Key Points:
- Ubiquiti has released security updates to fix multiple critical vulnerabilities in UniFi Connect, UniFi Talk, UniFi Access, UniFi Protect, and UniFi OS that could allow privilege escalation and arbitrary command execution.
- The vulnerabilities, with CVSS scores up to 10.0, include command injection, SQL injection, improper input validation, and Server-Side Request Forgery (SSRF), affecting various versions of UniFi applications and OS.
- Although no evidence shows these flaws have been exploited in the wild, related UniFi OS vulnerabilities were recently weaponized in attacks flagged by the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
- Russian state-sponsored hackers have been observed using compromised Ubiquiti Edge OS routers to build a botnet called MooBot for proxying malicious traffic, which was dismantled by law enforcement in February 2024.
- Users of affected Ubiquiti products are strongly advised to update to the fixed versions immediately to mitigate potential risks.