Critical Ubiquiti UniFi Vulnerabilities Allow Attackers to Seize Full Control of Underlying Systems

Ubiquiti has disclosed two critical-to-high severity vulnerabilities in its widely deployed UniFi Network Application, including a maximum-severity flaw that could allow unauthenticated attackers to seize full control of underlying systems. Organizations running affected versions are urged to patch immediately.

CVE-2026-22557: Path Traversal Enables Full System Compromise

The more severe of the two flaws, tracked as CVE-2026-22557, is a Path Traversal vulnerability carrying a CVSS v3.1 Base Score of 10.0 (Critical) the highest possible rating.

The vulnerability’s vector (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) confirms that no authentication, user interaction, or special conditions are required to exploit it remotely.

A malicious actor with network access could weaponize this flaw to traverse directory boundaries within the UniFi Network Application and access sensitive files on the underlying operating system.

Those files could then be manipulated to gain unauthorized access to underlying system accounts, effectively handing an attacker complete administrative control over the host.

The vulnerability was discovered and reported by security researcher n00r3 (@izn0u).

CVE-2026-22558: NoSQL Injection Enables Privilege Escalation

The second flaw, CVE-2026-22558, is an authenticated NoSQL Injection vulnerability rated 7.7 (High) on the CVSS v3.1 scale. Although this vulnerability requires prior authentication (PR:L), it operates across a changed scope (S:C) and achieves high confidentiality impact, making it a potent escalation path for attackers who have already obtained low-level credentials.

By injecting malicious NoSQL queries through the application layer, an authenticated attacker could escalate privileges beyond their authorized access level, potentially compromising sensitive network configuration data and internal account structures. The flaw was discovered by Garett Kopcha (@0x5t).

Product	Affected Version
UniFi Network App (Official)	10.1.85 and earlier
UniFi Network App (Release Candidate)	10.2.93 and earlier
UniFi Express (UX)	Network App 9.0.114 and earlier

Mitigations

Ubiquiti has released patched versions addressing both vulnerabilities simultaneously. Administrators should apply updates without delay:

• Official Release: Upgrade to UniFi Network Application Version 10.1.89 or later
• Release Candidate: Upgrade to UniFi Network Application Version 10.2.97 or later
• UniFi Express (UX): Update firmware to Version 4.0.13 or later, which bundles Network Application Version 9.0.118 or later

Given the perfect CVSS score of CVE-2026-22557, network segmentation and strict firewall rules limiting exposure of the UniFi Network Application management interface should be implemented as an additional defensive layer.

Ubiquiti customers running any affected version in internet-accessible environments face particularly elevated risk and should treat this as an emergency patch.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post Critical Ubiquiti UniFi Vulnerabilities Allow Attackers to Seize Full Control of Underlying Systems appeared first on Cyber Security News.