Ubiquiti UniFi Flaw Scores CVSS 10—Patch Before Full Takeover

A maximum-severity vulnerability in Ubiquiti's UniFi Network Application allows unauthenticated attackers to traverse directory paths, access system files, and ultimately hijack administrator accounts. CVE-2026-22557 carries a perfect CVSS score of 10.0, and with proof-of-concept details now circulating, exploitation is imminent if you haven't patched.

What Makes This Critical

The vulnerability is a classic path traversal flaw—but the impact is anything but routine. An attacker with network access to the UniFi controller can escape intended directory boundaries, read arbitrary files on the underlying operating system, and manipulate those files to gain access to system accounts.

Because UniFi Network Application manages access points, switches, gateways, and other network infrastructure, compromising the controller means compromising the entire network environment it manages. There's no authentication barrier. No user interaction required. Just network access to the management interface.

Censys research identified thousands of exposed UniFi controllers on the public internet—a reminder that management interfaces continue to be left accessible despite years of warnings. If your controller is reachable, assume someone is already scanning for this vulnerability.

Affected Versions

The flaw impacts:

• UniFi Network Application versions 10.1.85 and earlier (official release track)
• Release candidate track versions 10.2.93 and earlier
• UniFi Express firmware prior to version 4.0.13

Ubiquiti published Security Advisory Bulletin 062 on March 18, 2026, alongside patches. The fixed versions are 10.1.89 (official) and 10.2.97 (release candidate).

A Second Vulnerability Compounds Risk

Alongside CVE-2026-22557, Ubiquiti also patched CVE-2026-22558, a CVSS 7.7 NoSQL injection vulnerability. This one requires authentication—but only low-level access. Once authenticated, an attacker can escalate privileges through the injection flaw.

The combination is concerning. If an attacker chains a stolen session (perhaps from a prior breach like the Crunchyroll incident where contractor malware compromised credentials) with CVE-2026-22558, they can achieve full administrative control even without exploiting the path traversal directly.

Why Network Appliance Vulns Keep Hitting Hard

This disclosure follows a pattern we've seen repeatedly: network management interfaces with critical vulnerabilities that grant attackers disproportionate access. The TP-Link Archer auth bypass we covered yesterday showed similar issues—auth bypasses that let attackers flash malicious firmware.

These appliances manage network infrastructure that everything else depends on. A compromised switch controller can enable VLAN hopping, traffic interception, or lateral movement that bypasses endpoint security entirely. It's why CISA's BOD 26-02 pushed federal agencies toward replacing end-of-life edge devices rather than just patching them.

Immediate Actions

1. Patch now — Upgrade to UniFi Network Application 10.1.89+ or 10.2.97+ immediately
2. Restrict access — If you haven't already, ensure the management interface is only accessible from a dedicated management VLAN
3. Check exposure — Use Censys or Shodan to verify your controllers aren't publicly exposed
4. Audit accounts — Review admin accounts for any unexpected additions or permission changes
5. Enable MFA — If you haven't enabled multi-factor authentication on your UniFi accounts, do it now

For organizations running UniFi at scale, this is a drop-everything-and-patch situation. The CVSS 10.0 score isn't hyperbole—unauthenticated path traversal to account takeover is about as severe as vulnerabilities get.

The Bigger Picture

Ubiquiti has had a complicated security history. The 2021 breach that exposed customer credentials, the 2024 incident where attackers accessed internal systems—these events created trust deficits that make vulnerabilities like CVE-2026-22557 hit harder. When your vendor has a track record, you can't assume good-faith timelines on patch deployment.

The broader lesson remains consistent: management interfaces are high-value targets. Attackers know that a single compromised controller can yield access to dozens or hundreds of downstream devices. Defense-in-depth means treating your network management plane with the same paranoia you'd apply to domain controllers or cloud IAM. Segment it, restrict it, monitor it, and patch it first.

If you manage any UniFi infrastructure, stop reading and go verify your version numbers. This one won't age well.