Overview/Introduction
Ubiquiti Networks’ UniFi platform is the de-facto choice for many SMBs, schools, and even large enterprises that need a centrally managed Wi-Fi, routing, and security stack. On 21 March 2026 the company disclosed two critical-to-high severity flaws that together provide a complete kill-chain: an unauthenticated path-traversal (CVE-2026-22557) that can be leveraged to execute arbitrary code on the controller host, and an authenticated NoSQL injection (CVE-2026-22558) that lets a low-privilege user elevate to full admin within the UniFi application. Both bugs affect the UniFi Network Application (the Java-based controller) and, by extension, any underlying operating system on which the controller runs.
Technical Details
CVE-2026-22557 - Unauthenticated Path Traversal
CVSS v3.1 Base Score: 10.0 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
The flaw lives in the file-serving endpoint used by the UniFi Network Application to deliver static assets (CSS, JavaScript, firmware blobs, etc.). The endpoint fails to sanitize the filename parameter, allowing an attacker to inject ../ sequences and escape the intended /usr/lib/unifi/data/ directory. By traversing to /etc/passwd, /etc/shadow, or any executable script in /usr/lib/unifi, the attacker can either read privileged files or write a malicious payload (e.g., a reverse shell binary) into a location that the UniFi service later executes.
Exploitation steps (as demonstrated by researcher n00r3):
GET /manage/download?filename=../../../../../../etc/passwd HTTP/1.1
Host: controller.example.com
# Returns /etc/passwd contents
Once the attacker gains a foothold, they can spawn a root shell because the UniFi service runs as root on most Linux installations. The lack of authentication and user interaction makes this a “drive-by” remote code execution vector - any host with network access to the controller’s management port (default 8443) is at risk.
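To make the missing control concrete, here is an added Python illustration (not UniFi's own code, which is Java; the asset directory is taken from the description above and the function names are assumed): the naive join keeps the ../ segments, while canonicalising the path and requiring it to remain under the asset root refuses the request shown in the researcher's example.

```python
import os
from typing import Optional

# Asset directory named in the advisory text; the controller's real layout is not shown.
ASSET_ROOT = "/usr/lib/unifi/data"


def naive_resolve(filename: str, root: str = ASSET_ROOT) -> str:
    """The vulnerable pattern: join the (already URL-decoded) parameter onto the
    root with no containment check. '../' segments survive, so the result can
    point anywhere on disk."""
    return os.path.normpath(os.path.join(root, filename))


def safe_resolve(filename: str, root: str = ASSET_ROOT) -> Optional[str]:
    """Hardened version: canonicalise, then require the result to stay under root.
    Returns the absolute path to serve, or None when the request must be refused."""
    root_abs = os.path.abspath(root)
    # Absolute names and NUL bytes are never valid asset names; reject them outright.
    if not filename or "\x00" in filename or os.path.isabs(filename):
        return None
    candidate = os.path.abspath(os.path.join(root_abs, filename))
    # commonpath() is the containment test. A plain startswith() would wrongly
    # accept a sibling directory such as /usr/lib/unifi/data2.
    if os.path.commonpath([root_abs, candidate]) != root_abs:
        return None
    return candidate
```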
CVE-2026-22558 - Authenticated NoSQL Injection
CVSS v3.1 Base Score: 7.7 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
The second flaw resides in the REST API endpoint that processes device configuration queries. UniFi stores its configuration data in a MongoDB-style NoSQL store. The endpoint accepts a JSON payload containing a filter object, but it concatenates the supplied string directly into a MongoDB query without proper escaping. An attacker who has valid (but low-privilege) credentials - for example, a read-only user created for a guest Wi-Fi portal - can inject a malicious query that manipulates the underlying ACL documents.
Sample injection (found by security researcher Garett Kopcha):
{ "filter": { "$where": "function() { return this.role == 'admin' || true; }" } }
This payload forces the query to return all user documents, including admin credentials, or allows the attacker to overwrite the role field of their own account to admin. Because the exploit operates across a changed scope (S:C), the privilege escalation affects the entire UniFi ecosystem, not just the originating user.
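An added example of how the configuration-query endpoint could build its filter without ever concatenating client input (not Ubiquiti's code; the allowed field names are assumed): only whitelisted field-to-scalar pairs are accepted, so the $where payload above, and any other $-operator or nested expression, is refused before a query document exists.

```python
import json
from typing import Any, Dict

# Fields a device-configuration query may filter on (assumed names, not UniFi's schema).
ALLOWED_FILTER_FIELDS = {"mac", "site_id", "model", "name"}
ALLOWED_VALUE_TYPES = (str, int, float, bool)

# The injection shown in the advisory, kept here as a test input.
INJECTED_BODY = """{ "filter": { "$where": "function() { return this.role == 'admin' || true; }" } }"""


class FilterRejected(ValueError):
    """Raised when a client-supplied filter is anything but plain equality matches."""


def build_safe_filter(raw_body: str) -> Dict[str, Any]:
    """Turn a request body into a MongoDB filter document as data, never as a
    string. The client can choose field values but never operators or fields."""
    body = json.loads(raw_body)
    if not isinstance(body, dict) or not isinstance(body.get("filter"), dict):
        raise FilterRejected("filter must be a JSON object")
    clean: Dict[str, Any] = {}
    for key, value in body["filter"].items():
        # Operator keys start with '$'; a '.' in a key addresses nested fields.
        if not isinstance(key, str) or key.startswith("$") or "." in key:
            raise FilterRejected(f"illegal key: {key!r}")
        if key not in ALLOWED_FILTER_FIELDS:
            raise FilterRejected(f"unknown field: {key!r}")
        # Scalars only: a dict value would be an operator expression such as {"$ne": null}.
        if not isinstance(value, ALLOWED_VALUE_TYPES):
            raise FilterRejected(f"non-scalar value for {key!r}")
        clean[key] = value
    return clean


def is_filter_safe(raw_body: str) -> bool:
    """Convenience wrapper: True if the body would be accepted."""
    try:
        build_safe_filter(raw_body)
        return True
    except (FilterRejected, json.JSONDecodeError):
        return False
```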
Impact Analysis
Both vulnerabilities target the same product line but differ in required access:
- CVE-2026-22557 can be exploited by any adversary that can reach the controller - a malicious insider, a compromised workstation on the same VLAN, or anyone on the Internet if the management port is exposed.
- CVE-2026-22558 requires a valid user account, which is often easier to obtain via phishing, credential stuffing, or by abusing default guest credentials that many organizations leave unchanged.
Successful exploitation of CVE-2026-22557 alone grants full system compromise: the attacker can install rootkits, pivot to other hosts, exfiltrate logs, and effectively shut down the entire network infrastructure managed by UniFi. When combined with CVE-2026-22558, an attacker with a low-privilege account can first elevate to admin inside the UniFi console and then chain into the path-traversal to gain OS-level control.
Timeline of Events
- 12 Feb 2026 - Researcher n00r3 discovers the path-traversal bug and responsibly discloses it to Ubiquiti.
- 03 Mar 2026 - Garett Kopcha reports the NoSQL injection to Ubiquiti.
- 15 Mar 2026 - Ubiquiti acknowledges receipt of both reports and begins internal triage.
- 21 Mar 2026 - Public advisory released; patched versions 10.1.89 (official) and 10.2.97 (RC) announced.
- 22 Mar 2026 - Multiple threat-intel feeds publish exploit-as-a-service (EaaS) kits targeting the path-traversal.
Mitigation/Recommendations
Ubiquiti’s official mitigation steps are straightforward but must be applied without delay:
- Upgrade the UniFi Network Application to 10.1.89 or later (official release) or 10.2.97 for release-candidate users.
- For UniFi Express (UX) installations, apply the corresponding patch (version 9.0.118 or later).
- Restrict network access to the management interface (port 8443) using firewall rules or VPN-only access.
- Disable or move the static-file download endpoint if it is not required for your deployment.
- Enforce strong, unique passwords for all UniFi accounts and disable default guest accounts.
- Enable multi-factor authentication (MFA) on the UniFi web UI wherever possible.
- Implement network segmentation: keep the UniFi controller on a dedicated management VLAN isolated from user-facing networks.
- Monitor logs for anomalous /manage/download requests containing “..” sequences or unusual NoSQL query patterns.
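As an added example of the monitoring item above (not from the advisory), a small Python scan over constructed proxy-log lines: it percent-decodes the request target repeatedly before looking for “..” in /manage/download requests, and flags JSON bodies whose keys begin with $. The log format and the /api/devices/query path are assumed.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Constructed sample lines in an assumed proxy-log format:
# timestamp client method request-target status body-or-dash
SAMPLE_LOG = """\
2026-03-22T10:01:11Z 10.0.5.23 GET /manage/download?filename=logo.png 200 -
2026-03-22T10:01:12Z 198.51.100.7 GET /manage/download?filename=../../../../../../etc/passwd 200 -
2026-03-22T10:01:13Z 198.51.100.7 GET /manage/download?filename=%2e%2e%2f%2e%2e%2fetc%2fshadow 200 -
2026-03-22T10:01:14Z 198.51.100.7 GET /manage/download?filename=%252e%252e%252fetc%252fpasswd 404 -
2026-03-22T10:01:20Z 10.0.5.40 POST /api/devices/query 200 {"filter":{"mac":"aa:bb:cc:dd:ee:ff"}}
2026-03-22T10:01:21Z 10.0.5.40 POST /api/devices/query 200 {"filter":{"$where":"function() { return true; }"}}
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<target>\S+) (?P<status>\d{3}) (?P<body>.*)$"
)
# A JSON key beginning with '$', e.g. "$where": or "$ne":
OPERATOR_RE = re.compile(r'"\$\w+"\s*:')


def fully_decode(s: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding so %252e%252e is seen as '..' as well."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def classify(line: str) -> Optional[str]:
    """Return a tag for a suspicious line, or None for a benign or unparsable one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    target = fully_decode(m["target"])
    if target.startswith("/manage/download") and ".." in target:
        return "path-traversal"
    if m["body"] != "-" and OPERATOR_RE.search(m["body"]):
        return "nosql-operator"
    return None


def scan(log_text: str) -> List[Tuple[str, str, str]]:
    """Collect (tag, client, status) for every suspicious line; status tells
    you whether the attempt succeeded (200) or was refused (404)."""
    hits = []
    for line in log_text.splitlines():
        tag = classify(line)
        if tag:
            m = LINE_RE.match(line)
            hits.append((tag, m["client"], m["status"]))
    return hits
```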
Organizations that cannot patch immediately should consider a temporary workaround for CVE-2026-22557: configure a reverse proxy (e.g., Nginx) that validates the filename parameter against a whitelist, effectively blocking path-traversal attempts.
Real-World Impact
Given the ubiquity of UniFi in education, hospitality, and small-to-medium enterprises, the attack surface is massive. A compromised controller can be used to:
- Inject malicious DHCP options, rerouting client traffic to attacker-controlled servers.
- Deploy rogue Wi-Fi SSIDs that capture credentials.
- Plant backdoors on other network appliances (switches, firewalls) that are managed via UniFi.
- Disrupt business continuity by taking the entire LAN offline.
Early reports from threat-intel firms indicate that at least three ransomware groups have already incorporated the path-traversal exploit into their payloads, targeting unmanaged UniFi controllers exposed to the Internet.
Expert Opinion
From a strategic standpoint, these vulnerabilities underscore a broader industry trend: network-management platforms are becoming high-value, low-hanging fruit for attackers. The combination of a remote, unauthenticated RCE (CVE-2026-22557) and a privilege-escalation vector (CVE-2026-22558) creates a “full-stack” compromise scenario that is rare for a single product line.
Enterprises that have treated the UniFi controller as a “set-and-forget” appliance need to reevaluate their security posture. Regular patch management, network segmentation, and zero-trust principles must be applied to management planes just as rigorously as to data planes.
Looking ahead, I expect vendors of similar SaaS-orchestrated networking solutions to accelerate their secure-by-design initiatives - stricter input validation, hardened API layers, and built-in anomaly detection. Until then, the onus remains on administrators to apply the patches, tighten access controls, and monitor for signs of exploitation.