Soft ComputersBook a free IT assessmentBook assessment

Ubiquiti Gear Is Being Actively Attacked Right Now: What Canadian SMBs Must Do

Cybersecurity5 min readBy the Soft Computers Team

If your office uses Ubiquiti networking gear, including UniFi access points, switches, or routers, stop what you are doing and read this. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two Ubiquiti vulnerabilities to its Known Exploited Vulnerabilities catalogue, and both are rated maximum severity. According to BleepingComputer (June 24, 2026), these flaws are already being used in real attacks.

Ubiquiti is extremely common in Canadian small and mid-sized businesses. The hardware is affordable, the UniFi interface is clean, and it handles everything from guest Wi-Fi to VLANs to site-to-site networking. That popularity is exactly why attackers are paying attention.

What the Vulnerabilities Actually Are

The two flaws affect Ubiquiti's networking products and carry a CVSS score of 10.0, which is the highest possible rating. A CVSS 10.0 means an attacker can exploit the flaw remotely, without needing any credentials, and the impact covers full confidentiality, integrity, and availability loss. In plain language: an attacker on the internet can potentially take complete control of an affected device without ever knowing your password.

CISA's Known Exploited Vulnerabilities catalogue is not theoretical. CISA only adds flaws to that list when there is confirmed evidence of active exploitation in the wild. These are not research-lab findings. Someone is using them right now.

Why This Hits SMBs Hard

Enterprise-grade networking vendors like Cisco and Juniper tend to get patched fast because large IT departments have dedicated security teams watching for exactly these advisories. SMBs running Ubiquiti often have no one watching. The router in the server closet runs the same firmware it shipped with two years ago, and nobody has logged into the UniFi controller since the original installer set it up.

That is the gap attackers are counting on. When a maximum-severity, actively-exploited flaw drops for a product that is common in under-resourced networks, the window between disclosure and exploitation is measured in hours, not weeks.

Once an attacker owns your network hardware, the consequences go well beyond the device itself. They can intercept traffic moving across your network, redirect DNS queries to malicious sites, pivot to other internal systems, or plant persistent backdoors that survive a simple reboot. A compromised access point or switch is not just a broken network device. It is a beachhead inside your perimeter.

What to Do Right Now

Here is what we are telling our clients who run Ubiquiti equipment.

  • Log into your UniFi Network controller today and check your firmware versions. Every device in your network, access points, switches, security gateways, and dream machines, needs to be identified and compared against Ubiquiti's current release notes. Ubiquiti publishes firmware updates through the UniFi controller interface directly.
  • Apply all available firmware updates immediately. Do not schedule this for next week. CISA confirmed active exploitation on June 24, 2026. The longer you wait, the higher your exposure.
  • Check whether your UniFi controller or any Ubiquiti device management interface is exposed to the internet. If you can reach your controller from outside your office network without a VPN, that needs to change today. Management interfaces should never be publicly accessible.
  • Review which devices are on your network. If you have Ubiquiti hardware that is no longer receiving firmware updates because it has reached end-of-life, it needs to be replaced. Running unsupported hardware on a network carrying business data is not an acceptable risk.
  • Enable two-factor authentication on your Ubiquiti account and controller. If you are using a Ubiquiti Cloud account to manage your devices remotely, that account needs MFA turned on. This will not patch the underlying vulnerabilities, but it reduces one additional attack vector.

The Bigger Pattern Here

This is the third major networking-layer vulnerability making headlines in the past 60 days. FortiGate firewalls had the FortiBleed credential leak. Cisco Unified Communications Manager is now being actively exploited through CVE-2026-20230. Now Ubiquiti. Network hardware is the new front line, and it is not getting the same patching attention that endpoint software does.

Most businesses have a process for updating Windows and pushing antivirus definitions. Very few have a process for auditing firmware on their switches and access points. That gap is exactly what attackers are exploiting across all three of these incidents.

What We Recommend

If you are a Soft Computers managed IT client, we are already reviewing your network hardware inventory and will be in touch directly if you have affected Ubiquiti devices. If you manage your own network, or you are not sure what firmware version your Ubiquiti gear is running, call us. A firmware audit takes about an hour and it is a lot cheaper than recovering from a network compromise.

Network hardware that runs old firmware on a business network is not a minor oversight. Right now, with active exploitation confirmed by CISA, it is the most urgent thing on your IT list.

Want this level of attention on your IT?

We publish what we practice. Book a free assessment and see where your environment stands: what is solid, what is aging, and what is at risk.