CP
cyberpings
VulnerabilitiesCRITICAL

Ubiquiti UniFi Vulnerabilities - Critical Flaws Exposed

CSCyber Security News
CVE-2026-22557CVE-2026-22558UbiquitiUniFi Network ApplicationPath Traversal
🎯

Basically, Ubiquiti found serious security holes that let hackers take over systems.

Quick Summary

Ubiquiti has disclosed critical vulnerabilities in its UniFi Network Application. Attackers could gain full control of systems. Organizations must patch immediately to avoid severe risks.

The Flaw

Ubiquiti has revealed two significant vulnerabilities in its UniFi Network Application. The most critical, CVE-2026-22557, has a perfect CVSS score of 10.0, indicating its severity. This Path Traversal vulnerability allows unauthenticated attackers to access sensitive files on the underlying operating system. By exploiting this flaw, attackers can gain full administrative control of the host system without needing any special conditions or authentication.

The second vulnerability, CVE-2026-22558, is a NoSQL Injection flaw rated 7.7 on the CVSS scale. Unlike the first, this requires prior authentication, but it still poses a significant risk. Attackers with low-level credentials can escalate their privileges by injecting malicious queries, potentially compromising sensitive network configurations and internal account structures.

What's at Risk

Organizations using affected versions of the UniFi Network Application are at high risk. The vulnerabilities can lead to complete system compromise, allowing attackers to manipulate sensitive data and configurations. This could have severe implications for network security and data integrity, especially for businesses that rely on the UniFi platform for network management.

The affected versions include:

  • UniFi Network App (Official): 10.1.85 and earlier
  • UniFi Network App (Release Candidate): 10.2.93 and earlier
  • UniFi Express (UX) Network App: 9.0.114 and earlier

Patch Status

Ubiquiti has released patches to address both vulnerabilities. Administrators are urged to upgrade immediately to the following versions:

  • UniFi Network Application Version 10.1.89 or later for Official Release
  • UniFi Network Application Version 10.2.97 or later for Release Candidate
  • UniFi Express (UX): Update to firmware Version 4.0.13 or later, which includes Network Application Version 9.0.118 or later.

Given the critical nature of CVE-2026-22557, implementing additional security measures such as network segmentation and strict firewall rules is highly recommended. This will help limit exposure to the UniFi Network Application management interface.

Immediate Actions

Organizations using any affected version in internet-accessible environments should treat this as an emergency. Immediate action is necessary to mitigate the risk of exploitation. Here are steps to take:

  • Upgrade to the patched versions as soon as possible.
  • Review firewall settings to restrict access to the UniFi management interface.
  • Monitor network activity for any signs of unauthorized access or exploitation attempts.

By acting swiftly, organizations can protect themselves from potential attacks and secure their network environments against these critical vulnerabilities.

🔒 Pro insight: The critical CVSS score of CVE-2026-22557 indicates an urgent need for immediate patching across all affected deployments.

Original article from

Cyber Security News · Guru Baran

Read Full Article

Share

Related Pings

HIGHVulnerabilities

Privilege Escalation - 7 Ways to Prevent via Password Resets

Password resets are often a security weak spot. Attackers can exploit these processes for privilege escalation. Discover seven strategies to secure your password resets and protect sensitive accounts.

BleepingComputer·
HIGHVulnerabilities

Zimbra Vulnerability - Russian APT Targets Ukraine Users

A high-severity vulnerability in Zimbra is being exploited by a Russian APT against Ukraine. This puts sensitive user data at risk. Immediate patching is essential to prevent attacks.

SecurityWeek·
HIGHVulnerabilities

Azure Vulnerabilities - New Sign-In Log Bypass Discovered

Two new Azure sign-in log bypasses have been discovered, allowing attackers to access tokens without detection. This poses a serious risk to organizations relying on Azure for authentication. Stay informed and take action to protect your data.

TrustedSec Blog·
HIGHVulnerabilities

Claude Vulnerabilities - Data Exfiltration and User Redirection

Three vulnerabilities in Claude.ai have been discovered, allowing data exfiltration and user redirection to malicious sites. This poses serious risks to user privacy and data security. Organizations must take immediate action to protect sensitive information and educate users about these threats.

Cyber Security News·
HIGHVulnerabilities

iOS Vulnerabilities - DarkSword Exploit Targets Unpatched iPhones

A new exploit called DarkSword targets unpatched iPhones, allowing attackers to steal sensitive data. Users in several countries are at risk. Immediate updates are crucial to protect against this threat.

Malwarebytes Labs·
HIGHVulnerabilities

Ubiquiti UniFi Vulnerability - Account Takeover Risk Alert

Ubiquiti has patched a critical vulnerability in the UniFi Network Application that could allow account takeovers. Users of versions 10.1.85 and earlier are at risk. Immediate updates are necessary to secure your network from exploitation.

BleepingComputer·