Critical Path Traversal Flaw in Ubiquiti UniFi Network App Enables Account Takeover
What Happened — Ubiquiti disclosed two vulnerabilities in its UniFi Network Application (CVE‑2026‑22557 and an authenticated NoSQL‑injection). The high‑severity path‑traversal bug allows an unauthenticated attacker to read arbitrary files and craft a takeover of user accounts without any user interaction.
Why It Matters for TPRM —
- A compromised UniFi controller can give threat actors full visibility and control over an organization’s Wi‑Fi, switching, and gateway infrastructure.
- Account takeover can be leveraged to pivot into downstream services, exfiltrate data, or embed persistent footholds.
- The flaw affects on‑premise and cloud‑hosted deployments, expanding the attack surface across multiple vendor‑managed environments.
Who Is Affected — Enterprises that deploy Ubiquiti UniFi hardware (Wi‑Fi, switches, gateways) and rely on the UniFi Network Application, across sectors such as technology, education, healthcare, retail, and government.
Recommended Actions —
- Verify that all UniFi Network Application instances are running version 10.1.89 or later.
- Conduct an inventory of UniFi controllers and apply the vendor patch immediately.
- Review network segmentation to isolate UniFi management planes from critical business systems.
- Monitor logs for anomalous file‑access patterns or unexpected account creations.
Technical Notes — The CVE‑2026‑22557 path‑traversal vulnerability (CWE‑22) enables low‑complexity attacks that do not require phishing or credential theft. An additional NoSQL‑injection (CVE‑2026‑xxxx) permits privilege escalation for already‑authenticated users. Both flaws expose configuration files and credential stores, potentially leading to full account takeover. Source: BleepingComputer