Critical Ubiquiti UniFi Vulnerabilities Allow Attackers to Seize
Ubiquiti recently disclosed two critical-to-high severity vulnerabilities impacting its widely deployed UniFi Network Application. Among these is a maximum-severity flaw that allows unauthenticated...
Ubiquiti recently disclosed two critical-to-high severity vulnerabilities impacting its widely deployed UniFi Network Application. Among these is a maximum-severity flaw that allows unauthenticated attackers to seize full control of underlying systems. Organizations operating affected versions must patch immediately.
Table Of Content
CVE-2026-22557: Path Traversal Enables Full System Compromise
The more severe of the two flaws, tracked as CVE-2026-22557, is a Path Traversal vulnerability carrying a CVSS v3.1 Base Score of 10.0 (Critical) the highest possible rating.
The vulnerability’s vector (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) confirms that no authentication, user interaction, or special conditions are required to exploit it remotely.
A malicious actor with network access could weaponize this flaw to traverse directory boundaries within the UniFi Network Application and access sensitive files on the underlying operating system.
Those files could then be manipulated to gain unauthorized access to underlying system accounts, effectively handing an attacker complete administrative control over the host.
The vulnerability was discovered and reported by security researcher n00r3 (@izn0u).
CVE-2026-22558: NoSQL Injection Enables Privilege Escalation
The second flaw, CVE-2026-22558, is an authenticated NoSQL Injection vulnerability rated 7.7 (High) on the CVSS v3.1 scale. Although this vulnerability requires prior authentication (PR:L), it operates across a changed scope (S:C) and achieves high confidentiality impact, making it a potent escalation path for attackers who have already obtained low-level credentials.
By injecting malicious NoSQL queries through the application layer, an authenticated attacker could escalate privileges beyond their authorized access level, potentially compromising sensitive network configuration data and internal account structures. The flaw was discovered by Garett Kopcha (@0x5t).
| Product | Affected Version |
|---|---|
| UniFi Network App (Official) | 10.1.85 and earlier |
| UniFi Network App (Release Candidate) | 10.2.93 and earlier |
| UniFi Express (UX) | Network App 9.0.114 and earlier |
Mitigations
Ubiquiti has released patched versions addressing both vulnerabilities simultaneously. Administrators should apply updates without delay:
- Official Release: Upgrade to UniFi Network Application Version 10.1.89 or later
- Release Candidate: Upgrade to UniFi Network Application Version 10.2.97 or later
- UniFi Express (UX): Update firmware to Version 4.0.13 or later, which bundles Network Application Version 9.0.118 or later
Given the perfect CVSS score of CVE-2026-22557, network segmentation and strict firewall rules limiting exposure of the UniFi Network Application management interface should be implemented as an additional defensive layer.
Ubiquiti customers running any affected version in internet-accessible environments face particularly elevated risk and should treat this as an emergency patch.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.
No Comment! Be the first one.