Ubiquiti UniFi Flaws Risk Total System Compromise

Posted on March 19, 2026 By CWS

Ubiquiti has disclosed two vulnerabilities in its UniFi Network Application, one of which carries the highest severity rating. The flaws could allow attackers to gain complete control of affected systems. Organizations running affected versions are advised to install the latest patches immediately.

Path Traversal Vulnerability: A Critical Threat

The most severe vulnerability, CVE-2026-22557, is a path traversal flaw with a CVSS v3.1 base score of 10.0, the maximum rating. It can be exploited without authentication or user interaction, allowing a remote attacker to traverse outside the intended directory and access sensitive files.

By exploiting this flaw, cybercriminals can manipulate these files to grant themselves unauthorized access to system accounts, effectively gaining administrative control over the affected host. This vulnerability was discovered by security researcher n00r3 (@izn0u).

NoSQL Injection: An Escalation Gateway

The second vulnerability, CVE-2026-22558, is a NoSQL injection issue with a CVSS score of 7.7 (high severity). It requires prior authentication, but it is scored with a changed scope and can significantly impact confidentiality. The flaw allows attackers with initial access to escalate their privileges, potentially compromising sensitive data and internal configurations.

The NoSQL Injection vulnerability was reported by Garett Kopcha (@0x5t) and poses a serious threat to network integrity.

Mitigation Strategies and Recommendations

In response to these vulnerabilities, Ubiquiti has released updates to mitigate the risks. Users are urged to upgrade to the latest versions as soon as possible:

  • For the Official Release: Update to UniFi Network Application Version 10.1.89 or later.
  • For Release Candidate: Upgrade to Version 10.2.97 or later.
  • For UniFi Express (UX): Update to firmware Version 4.0.13 or later, which includes Network Application Version 9.0.118 or later.

Considering the critical nature of CVE-2026-22557, additional measures such as network segmentation and stringent firewall rules are recommended to protect the UniFi Network Application management interface.

Organizations using vulnerable versions in internet-accessible environments are at heightened risk and should prioritize these patches immediately.
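To turn the version list above into a patch-priority check, the following Python sketch triages an asset inventory against the fixed versions. It is an added example, not Ubiquiti tooling or code from this article. The channel labels, host names and inventory format are assumptions, and anything older than the fixed version is flagged because the article gives no lower bound for affected versions.

```python
import re

# Minimum fixed versions, copied from the list above.
# The channel labels used as keys are assumptions made for this example.
FIXED = {
    "official": (10, 1, 89),
    "release-candidate": (10, 2, 97),
    "express-firmware": (4, 0, 13),
}

def parse_version(text):
    """Turn 'X.Y.Z' (optional leading 'v', trailing suffix ignored) into ints."""
    m = re.match(r"\s*v?(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())

def needs_update(channel, version):
    """True if the version is older than the fixed version for its channel."""
    return parse_version(version) < FIXED[channel]

def triage(inventory):
    """Classify each (host, channel, version) row as 'update', 'ok' or 'review'."""
    results = {}
    for host, channel, version in inventory:
        try:
            results[host] = "update" if needs_update(channel, version) else "ok"
        except (KeyError, ValueError):
            # Unknown channel or unparseable version: a human should look at it.
            results[host] = "review"
    return results

# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE = [
    ("ctrl-hq", "official", "10.1.85"),
    ("ctrl-lab", "official", "10.1.100"),   # numerically newer than 10.1.89
    ("ctrl-beta", "release-candidate", "10.2.97"),
    ("ux-branch", "express-firmware", "4.0.6"),
    ("ctrl-old", "official", "unknown"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host:10} {status}")
```

Versions are compared as integer tuples, so 10.1.100 is correctly treated as newer than 10.1.89, which a plain string comparison would get wrong.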
