When to update UniFi firmware, and when to wait

Ubiquiti ships UniFi software and firmware on three parallel channels, exposed through Site Manager and through the per-site Settings → Control Plane → Updates page. Each channel publishes the same version sequence at a different lag, and each has a different bug rate.³

Early Access is an opt-in: it has to be enabled at the account level on the Ubiquiti SSO account first, after which eligible site owners can flip Early Access on for Site Manager and select Early-Access channels for specific software and firmware components.⁴ On a production residence, Early Access should be off. Its purpose is exactly the opposite of what a production network needs.

The relevant fact for the rest of this article: every time Stable receives a new build, that build was on Release Candidate first, and was on Early Access before that. By the time a release reaches Stable, most of its serious regressions have been found and fixed — but not all of them. The U6+ 6.7.41 bricking incident discussed in the next section reached Stable. So did the CVE-2026-22557 path-traversal flaw shipped in 9.0.118 and earlier. The difference between a one-day-after-stable update and a three-week-after-stable update is the window in which the rest of the community discovers what slipped through.

U6+ access points bricked by firmware 6.7.41 — February 2026

On 4 February 2026, Ubiquiti released firmware 6.7.41 for U6+ access points on the Stable channel. Within weeks, reports began collecting on community.ui.com and in the wider press from operators whose U6+ units had been rendered inert by the automatic update: a solid white LED, no boot sequence, no DHCP request, no ping response, no SSH, and reset procedures that failed to trigger recovery mode.⁵

One commenter on the German-language coverage reported“more than 10 defective Ubiquity U6+ access points from customers,” all bricked after the same firmware push. The recovery path for many affected units required a USB-to-serial adapter and bootloader access — well outside the skill set of a typical home user, and reportedly difficult to RMA on units outside the two-year warranty window.⁵ A homeowner who had auto-update on was, for those weeks, one push away from the most-trafficked AP in the house becoming hardware that would not turn back on.

CVE-2026-22557 — path traversal, CVSS 10.0 — March 2026

The other direction of the same argument. On 18 March 2026, Ubiquiti published Security Advisory Bulletin 062 disclosing two vulnerabilities in the UniFi Network application. CVE-2026-22557 is a path-traversal flaw rated CVSS 10.0 — the maximum possible severity.“An unauthenticated attacker with network access to the UniFi management interface sends crafted requests that manipulate file path parameters” to achieve account takeover, including administrator access.⁶

The advisory affected UniFi Network Application versions 10.1.85 and earlier on the Official Release channel, 10.2.93 and earlier on Release Candidate, and UniFi Express firmware shipping Network 9.0.114 and earlier. Fixed versions: 10.1.89, 10.2.97, and UniFi Express firmware 4.0.13 (which ships Network 9.0.118).⁶ Independent reporting noted that “because this is a path-traversal vulnerability, the technical complexity for an attacker to develop an exploit is relatively low,” and that this was the third maximum-severity vulnerability in the UniFi Network application within twelve months.⁷

The two incidents pull in opposite directions and together define the cadence rule: 22557 says update fast, 6.7.41 says wait. Neither is the whole answer. The discipline is knowing which kind of release you are looking at before you apply it.

“Turn off auto-update” is half the instruction. The other half is “and replace it with a real cadence.” The most common audit finding on the firmware-update axis is not networks that auto-updated into a bug. It is networks where auto-update is on and works fine, alongside networks where someone turned auto-update off years ago and never replaced it with anything.

The Broadband Genie figure cited above — 84 percent of UK internet users surveyed had never updated their router's firmware — is the population-level version of this problem.² Inside that 84 percent are networks running firmware with disclosed and patched critical vulnerabilities; CVE-2026-22557 will be exploited on unpatched UniFi Network deployments for years after the patch ships, because the patch only protects networks that get the patch.

The cadence in the next section is therefore two-sided. It protects against the bad release that slipped through. It also protects against the worse problem of running known-vulnerable firmware because nobody opened the controller this quarter.

1. Read the release notes. Every UniFi Network application release and every device-firmware release has a notes page on community.ui.com under Releases. Scan for the words fixes, known issues, and security. If a release names a CVE with a high CVSS score, treat it as urgent and skip straight to step 3. Otherwise continue.
2. Wait one to three weeks.This is the bug-discovery window. Scroll the same release notes page after a week or two and read the community replies; subscribe to the relevant community.ui.com release thread. If a regression has surfaced — the way the U6+ 6.7.41 thread did — it will be visible in those replies long before it reaches your network. Wait longer if the release includes a major architectural change (new UniFi Network major version, new UniFi OS major version, a kernel bump).
3. Take a config backup before applying. In the UniFi Network application, navigate to Settings → Control Plane → Backups, click Download, and select either Settings Only for a quick rollback file or the full backup including data retention. The same screen exposes System Backups, which when enabled generates a cloud backup automatically each week and prior to each major update.⁸ Cloud Gateway owners can view all backups associated with their account at account.ui.com/backups.⁸
4. Apply during a low-stakes window. Not 7 PM on a weeknight when the household is on a video call. Not 9 AM on a Monday when the home-office calendar is full. A weekday morning when the house is empty, or a Sunday afternoon when someone is physically present to power-cycle a device if necessary, is the right window. If the network covers a small business, schedule it.
5. Watch for forty-eight hours.Most firmware regressions surface within the first two days — a phone that stops roaming cleanly, a doorbell that goes offline, a smart-home device that refuses to associate. If the network is still happy at the 48-hour mark, the update was good. If it isn't, the backup taken in step 3 is the one-click recovery path.

Five steps, one decision per release. The decision is cheap to make when you know what to look for; the cost of skipping it is the U6+ 6.7.41 case.

In the current UniFi Network application, the path is:

1. Open the site in Site Manager (or local management at the console's IP / hostname).
2. Navigate to Settings → Control Plane → Updates.
3. Click the UniFi Console row to expose its update settings, and the UniFi Network Application row separately. Each can be configured independently.¹
4. Set the release channel to Official (Stable) if it is not already. Early Access requires opt-in at the account level first; on a production residence, leave Early Access disabled at the account level entirely.⁴
5. Set the update mode to Manual, or to a scheduled window that gives you the wait-and-watch buffer. Many sites prefer scheduled (e.g. first Sunday of the month, 4 AM) so the cadence is enforced by the controller instead of by remembering to do it.

The same screen also exposes the notify-only mode for the few sites where you want the controller to alert you that an update exists without applying it. The Update Manager is the centralised hub for managing updates across multiple UniFi deployments under a single Ubiquiti SSO account, reachable on the web at unifi.ui.com and in the mobile app.¹

The backup is the difference between a bad update that costs an hour and a bad update that costs a weekend. There are two paths and both belong in the cadence.

Manual backup, on demand

Navigate to Settings → Control Plane → Backups. Click Download and choose:

• Settings Only — a small file (typically a few megabytes) containing the network configuration: SSIDs, VLANs, firewall rules, port profiles, traffic rules, AP settings. This is what you want for a pre-firmware rollback.
• Settings + Historical Data — adds traffic history, client device history, and Insight data. Larger file, slower to download, but useful when migrating to new hardware. Not required for a firmware rollback.

Save the file. Date it. Keep the last several in a dedicated folder (the cloud-sync folder of your choice, encrypted, is sensible — UniFi backups contain credential material).⁸

Automatic cloud backups

On the same Backups page, enable System Backups. Once enabled, the controller generates a cloud backup automatically each week and additionally prior to each major update.⁸ These backups live under the Cloud Gateway owner's Ubiquiti account and are accessible at account.ui.com/backups. Note that only the Cloud Gateway Owner role has permission to manage them; in households where the AV integrator owns the gateway, the homeowner cannot recover from a bad update independently. (We have written separately about why the network owner is the right Owner role — see the cross-link at the bottom.)

The wait-one-to-three-weeks rule has a clear exception: a named security advisory with a high CVSS score that affects internet-reachable surface area. CVE-2026-22557 is exactly that case. It is rated CVSS 10.0, is unauthenticated, and an attacker need only reach the UniFi management interface — which on many home networks is intentionally exposed for remote administration. Independent analysis described the exploit complexity as “relatively low” and named it as the third maximum-severity flaw in the UniFi Network application inside a year.⁷

For a release like that, the cadence is:

1. Read the advisory the day it drops.
2. Confirm your version is affected.
3. Take a config backup (the cadence does not change — the backup is still the cheap insurance).
4. Apply the patched release the same day.
5. Watch for forty-eight hours, same as a normal update.

For a release that is “UniFi Network 9.3.45, bug fixes and minor improvements,” the normal one-to-three-week cadence applies.

The signal that distinguishes the two is whether the release notes name a CVE, what the CVSS score is, and whether the affected surface is network-reachable. If all three answer “yes,” treat it as urgent. Otherwise, wait.

• Single-device sites are not the same as multi-AP sites.A home with one UniFi Express or one Cloud Gateway and no separate APs is closer to the “laptop” case than to the multi-AP case. Leaving auto-update on at that scale is more defensible. The cadence in this article is written for production networks with multiple devices.
• Hosted-controller services run their own cadence.Operators like HostiFi publicly stage rolling updates across thousands of customer controllers and report transparently when they do — they ran 3,354 UniFi Network servers from earlier builds to 9.0.114 over a multi-week window in early 2026 and reported that none of the 571,800-plus connected Ubiquiti devices rebooted during the rollout.⁹ If your controller is hosted, the host's cadence applies and the section on disabling auto-update doesn't.
• The wait window is not absolute. One to three weeks is a heuristic. For a release with a small surface area (one device line, a few bug fixes), one week is fine. For a major version bump (e.g. UniFi Network 9 → 10), three weeks is conservative and four is not unreasonable. The underlying rule is “long enough for the bug-discovery curve to flatten,” not a specific number of days.
• This article does not name every recent firmware bug.We named two that are well-documented and verifiable end-to-end. There are more — the community.ui.com Releases page collects them as they appear.³ The pattern, not the inventory, is the point.
• Auto-update is not always wrong. For a network you do not have time to manage at all, it is the lesser evil compared to never updating. The argument here is for the network the homeowner cares about — not for the abandoned router.
• Release-channel naming changes. Ubiquiti has shipped under various combinations of “Early Access,” “Release Candidate,” “Stable Candidate,” and “Official.” The three-channel description in this article matches the current Site-Manager UI, but the labels in older controllers and in older help-centre articles may differ.³

None of these caveats changes the headline cadence: on a production residential UniFi network, disable auto-update, replace it with a deliberate read-wait-backup-apply-watch loop, and break the pattern only for named security advisories with high CVSS scores.