Current Cyber Threats

Max Severity Ubiquiti UniFi Flaw May Allow Account Takeover

Summary:
Ubiquiti has patched two vulnerabilities in the UniFi Network Application, including a maximum-severity flaw that may allow attackers to take over user accounts.

The most severe flaw, tracked as CVE-2026-22557, is a Path Traversal vulnerability assigned a CVSS score of 10.0. A malicious actor with access to the network could exploit it to step outside of restricted directories and access sensitive files on the underlying system. This flaw affects UniFi Network Application version 10.1.85 and earlier.

A second vulnerability, CVE-2026-22558, involves an authenticated NoSQL Injection weakness that could allow a malicious actor with authenticated network access to escalate their privileges within the application.

Security Officer Comments:
The Path Traversal vulnerability impacts a wide range of popular networking hardware managed through the UniFi Network Application, including the UniFi Express and standard application releases. Successful exploitation of CVE-2026-22557 could allow an unauthenticated attacker to read sensitive system files, potentially exposing credentials, configuration data, or other material that could facilitate full account or system compromise. The privilege escalation flaw in CVE-2026-22558, while requiring an authenticated foothold, creates a chained exploitation path: an attacker who gains low-privileged access could escalate to higher levels of control.

The broader risk is elevated by historical threat actor interest in Ubiquiti infrastructure; in February 2024, the FBI dismantled a botnet of hacked Ubiquiti EdgeOS routers used by Russia's GRU to proxy malicious traffic in attacks targeting the United States and its allies. Organizations using UniFi deployments in critical or enterprise environments should treat this as a high-priority exposure.

Suggested Corrections:
Both vulnerabilities are addressed in UniFi Network Application version 10.1.89 or later.
  • Administrators should prioritize upgrading affected deployments immediately, particularly any internet-facing or cloud-hosted UniFi controllers.
  • Where immediate patching is not feasible, network access to the UniFi management interface should be restricted to trusted management VLANs or hosts only, limiting the attacker's ability to reach the vulnerable Path Traversal endpoint.
  • Organizations should also audit for any unauthorized access or anomalous file system activity on systems running affected versions, and review user account privilege levels as a precaution against exploitation of the NoSQL Injection flaw.
  • Ubiquiti's recommended deployment model, hosting the UniFi Network Application on a UniFi Cloud Gateway rather than a general-purpose server, should be enforced where possible, as it provides a more controlled and consistently updated environment.
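An added example, not part of the advisory or Ubiquiti's own tooling, that triages a controller inventory against the version boundaries above (10.1.85 and earlier affected, 10.1.89 or later fixed) using numeric rather than string comparison. The hostnames and JSON bodies are constructed; the assumption that the controller's /status response carries meta.server_version is labelled in the code.

```python
import json
from typing import Dict, Iterable, Tuple

# Version boundaries stated in the advisory.
LAST_AFFECTED = (10, 1, 85)   # "10.1.85 and earlier" is affected
FIRST_FIXED = (10, 1, 89)     # "10.1.89 or later" contains the fix


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '10.1.85' into (10, 1, 85) so comparisons are numeric.
    A plain string comparison would wrongly rank '9.3.45' above '10.1.89'."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def classify(version: str) -> str:
    """'affected', 'fixed', or 'unknown' (builds between the two boundaries,
    which the advisory does not describe)."""
    v = parse_version(version)
    if v <= LAST_AFFECTED:
        return "affected"
    if v >= FIRST_FIXED:
        return "fixed"
    return "unknown"


def version_from_status(body: str) -> str:
    """Extract meta.server_version from a controller /status JSON body.
    The response shape is an assumption made for this example."""
    return json.loads(body)["meta"]["server_version"]


def triage(inventory: Iterable[Tuple[str, str]]) -> Dict[str, str]:
    """Map each (hostname, status_json) pair to its patch state; any
    unparsable response is reported as 'unknown' rather than silently skipped."""
    result: Dict[str, str] = {}
    for host, body in inventory:
        try:
            result[host] = classify(version_from_status(body))
        except (ValueError, KeyError, TypeError, json.JSONDecodeError):
            result[host] = "unknown"
    return result


# Constructed sample responses; these are not real hosts.
SAMPLE = [
    ("unifi-hq", '{"meta":{"rc":"ok","server_version":"10.1.85","up":true}}'),
    ("unifi-branch", '{"meta":{"rc":"ok","server_version":"9.3.45","up":true}}'),
    ("unifi-lab", '{"meta":{"rc":"ok","server_version":"10.1.89","up":true}}'),
    ("unifi-between", '{"meta":{"rc":"ok","server_version":"10.1.87"}}'),
    ("unifi-broken", "not json"),
]

if __name__ == "__main__":
    for host, state in triage(SAMPLE).items():
        print(f"{host:14s} {state}")
```

Hosts reported as "unknown" need a manual look, since a controller that does not answer cleanly is not evidence that it is patched.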
Link(s):
https://community.ui.com/releases/S...-062-062/c29719c0-405e-4d4a-8f26-e343e99f931b