.jpg "Ubiquiti UniFi Flaws Expose Network Controllers to Full System Compromise")
Ubiquiti has published a security advisory for two vulnerabilities in the UniFi Network Application, including CVE-2026-22557, a critical path traversal flaw, and CVE-2026-22558, a high-severity authenticated NoSQL injection issue. Ubiquiti says the path traversal bug could let a malicious actor with network access access files on the underlying operating system, while the NoSQL injection flaw could allow privilege escalation by an authenticated attacker. The advisory was published on March 19, 2026.
The most urgent issue is CVE-2026-22557, which has a CVSS v3.1 score of 10.0, the highest possible severity rating. Based on the advisory and the affected versions Ubiquiti listed, organizations exposing UniFi management services to untrusted networks face the greatest risk because compromise of the application layer could open a path to deeper host-level access. Ubiquiti also listed CVE-2026-22558 as a 7.7 high-severity vulnerability, making it a serious follow-on risk in cases where an attacker already has valid access.
Affected versions and fixes
| Product | Affected versions | Fixed version |
|---|---|---|
| UniFi Network Application (Official) | 10.1.85 and earlier | 10.1.89 or later |
| UniFi Network Application (Release Candidate) | 10.2.93 and earlier | 10.2.97 or later |
| UniFi Express (UX) | Network App 9.0.114 and earlier | Firmware 4.0.13 or later |
Ubiquiti’s advisory makes this a patch-now issue for administrators running self-hosted controllers, release candidate builds, or UniFi Express devices. Even where immediate patching is not possible, the management interface should be treated as highly sensitive infrastructure and isolated accordingly.
Prevention and hardening steps
| Control | Why it matters |
|---|---|
| Upgrade immediately to fixed versions | Removes the known vulnerable code paths |
| Restrict UniFi management access | Limit exposure to internal admin networks or VPN-only access |
| Block internet exposure | Reduces the chance of remote abuse of the critical flaw |
| Enforce strong admin authentication | Helps contain the impact of authenticated attacks |
| Review user roles and privileges | Reduces abuse opportunities tied to privilege escalation |
| Monitor logs for unusual config or account activity | Helps identify exploitation attempts or post-compromise actions |
| Segment the controller from core infrastructure | Prevents a controller compromise from spreading deeper |
| Back up configurations securely | Speeds recovery if systems must be rebuilt |
For defenders, the bigger lesson is that network controllers are high-value targets. A flaw in a management plane product can quickly become a foothold for wider compromise, especially in environments where the controller has broad administrative reach. Ubiquiti customers should patch first, then review exposure, access controls, and segmentation around every UniFi management instance.
No Comment! Be the first one.