From Ubiquiti's blog, for more info click here:
There have been several reports of infected airOS M devices over the last week. From the samples we have seen, there are 2 different payloads that uses the same exploit. We have confirmed these variations are using a known exploit that was reported and fixed last year.
This is an HTTP/HTTPS exploit that doesn't require authentication. Simply having a radio on outdated firmware and having it's http/https interface exposed to the Internet is enough to get infected. We are also recommending restricting all access to management interfaces via firewall filtering.
Devices running the following firmware are OK, but we recommend updating to 5.6.5 unless using legitimate rc. scripts. Users using legitimate rc.scripts should run 5.6.4 for the time being.
airMAX M (Including airRouter)
George Timmermans, Research Toolmaker, Software Engineer and Tinkerer