Critical Path Traversal in Ubiquiti UniFi Network Application Enables Account Takeover
Summary
A maximum-severity vulnerability, CVE-2026-22557, in Ubiquiti's UniFi Network Application (versions 10.1.85 and earlier) is a path traversal flaw that lets an unauthenticated attacker on the local network read files on the underlying system and, from there, take over user accounts; no privileges and no user interaction are required. It affects UniFi Network Application deployments generally, including instances running on UniFi Cloud Gateway consoles, and by extension the switches, access points and gateways those instances manage. Ubiquiti fixed it in version 10.1.89 and later, together with a second, authenticated NoSQL injection flaw that enables privilege escalation. Ubiquiti has since patched three further maximum-severity vulnerabilities in UniFi OS (CVE-2026-34908, CVE-2026-34909 and CVE-2026-34910), which allow unauthorized system changes, file access and command injection once an attacker has network access, plus a second critical command injection flaw (CVE-2026-33000) and a high-severity information disclosure (CVE-2026-34911). Threat intelligence firm Censys estimates nearly 100,000 Internet-exposed UniFi OS endpoints worldwide, roughly 50,000 of them in the United States. The five UniFi OS flaws were reported through Ubiquiti's HackerOne bug bounty program and are exploitable in low-complexity attacks; Ubiquiti has not said whether any of them were exploited in the wild before the patches shipped. Ubiquiti products have previously been targeted by state-backed actors and cybercriminals, who used compromised devices to build botnets and conceal malicious traffic.
Timeline
- 19.03.2026 15:00 · 1 article
  Ubiquiti patches critical path traversal flaw (CVE-2026-22557) in UniFi Network Application
  Ubiquiti disclosed and patched a maximum-severity path traversal vulnerability, CVE-2026-22557, in the UniFi Network Application (versions 10.1.85 and earlier). The flaw lets an attacker on the local network read system files and hijack user accounts without privileges or user interaction. Fixes are available in version 10.1.89 and later. A second, authenticated NoSQL injection flaw that enables privilege escalation was also addressed.
  Sources:
  - Max severity Ubiquiti UniFi flaw may allow account takeover — www.bleepingcomputer.com — 19.03.2026 15:00
Information Snippets
- CVE-2026-22557 is a path traversal vulnerability in the Ubiquiti UniFi Network Application affecting versions 10.1.85 and earlier.
  First reported: 19.03.2026 15:00 (1 source, 2 articles). Sources:
  - Max severity Ubiquiti UniFi flaw may allow account takeover — www.bleepingcomputer.com — 19.03.2026 15:00
  - Ubiquiti patches three max severity UniFi OS vulnerabilities — www.bleepingcomputer.com — 22.05.2026 15:00
- Successful exploitation of CVE-2026-22557 lets an attacker on the local network read system files and potentially hijack user accounts, without user interaction or elevated privileges.
  First reported: 19.03.2026 15:00 (1 source, 2 articles). Sources:
  - Max severity Ubiquiti UniFi flaw may allow account takeover — www.bleepingcomputer.com — 19.03.2026 15:00
  - Ubiquiti patches three max severity UniFi OS vulnerabilities — www.bleepingcomputer.com — 22.05.2026 15:00
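The snippet above describes the generic shape of a path traversal finding: a handler joins a user-supplied path onto a directory without confirming the result stays inside it. The following is an added example, not Ubiquiti's code and not derived from the UniFi advisory, showing both sides of that finding: `safe_resolve()` is the check a file-serving handler must make before opening a user-supplied path, and `traversal_hits()` is the matching detection over web-server access logs, which percent-decodes repeatedly (to catch double encoding) before looking for a `..` segment. The endpoint paths and log lines are constructed for the example and say nothing about UniFi's real URL layout.

```python
"""Added example, not Ubiquiti's code: hardened path resolution next to a
log-based detection for traversal attempts. Endpoints and log lines are
constructed and do not describe any real UniFi URL."""
import os
import re
import tempfile
from typing import List, Optional, Tuple
from urllib.parse import unquote

# A '..' that is a whole path segment; '/..hidden/' is not traversal.
DOTDOT_SEGMENT = re.compile(r"(^|/)\.\.(/|$)")


def decode_fully(s: str, rounds: int = 3) -> str:
    """Percent-decode until stable so %252e%252e%252f reads as '../'."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s.replace("\\", "/")  # treat backslash as a separator too


def safe_resolve(root: str, user_path: str) -> Optional[str]:
    """Return the real path if it stays inside `root`, otherwise None.

    Leading slashes are stripped so an absolute input cannot replace the root,
    realpath() collapses '..' and symlinks, and commonpath() avoids the prefix
    mistake of treating /srv/data2 as inside /srv/data.
    """
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, user_path.lstrip("/")))
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    return candidate


def traversal_hits(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (raw_request_path, decoded_path) for each request that climbs
    out of its directory after decoding."""
    hits = []
    for line in log_lines:
        parts = line.split('"')
        if len(parts) < 3:
            continue
        fields = parts[1].split()  # 'GET /path HTTP/1.1'
        if len(fields) < 2:
            continue
        decoded = decode_fully(fields[1])
        if DOTDOT_SEGMENT.search(decoded):
            hits.append((fields[1], decoded))
    return hits


# Constructed access-log lines: one benign login, two traversal attempts
# (single- and double-encoded) and one look-alike that must not fire.
SAMPLE_LOG = [
    '10.0.0.5 - - [19/Mar/2026:15:00:01 +0000] "GET /manage/account/login HTTP/1.1" 200 512',
    '10.0.0.9 - - [19/Mar/2026:15:00:02 +0000] "GET /api/files/..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1834',
    '10.0.0.9 - - [19/Mar/2026:15:00:03 +0000] "GET /api/files/%252e%252e%252f%252e%252e%252fetc%252fshadow HTTP/1.1" 404 0',
    '10.0.0.7 - - [19/Mar/2026:15:00:04 +0000] "GET /static/..hidden/app.js HTTP/1.1" 200 9000',
]


def demo_safe_resolve() -> dict:
    """Exercise safe_resolve() against a throwaway directory; each value is
    True when the check behaved as intended for that input."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "site.json"), "w") as fh:
        fh.write("{}")
    root_real = os.path.realpath(root)

    def inside(p: Optional[str]) -> bool:
        return p is not None and p.startswith(root_real + os.sep)

    return {
        "legit": inside(safe_resolve(root, "site.json")),
        "dotdot": safe_resolve(root, "../../../etc/passwd") is None,
        "absolute": inside(safe_resolve(root, "/etc/passwd")),  # confined, not rejected
        "encoded": safe_resolve(root, decode_fully("..%2F..%2Fetc%2Fpasswd")) is None,
    }


if __name__ == "__main__":
    for raw, decoded in traversal_hits(SAMPLE_LOG):
        print(f"traversal: {raw} -> {decoded}")
    print(demo_safe_resolve())
```

Two design points matter in practice. The detection decodes before matching because a single `unquote` misses `%252e`, and it matches a whole `..` segment rather than the substring `..` so that legitimate names such as `..hidden` do not flood the alert queue. The resolver compares with `commonpath` instead of a string prefix, and resolves symlinks, because both shortcuts are classic bypasses of a naive `startswith(root)` check.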
- Ubiquiti patched the flaw in UniFi Network Application version 10.1.89 and later.
  First reported: 19.03.2026 15:00 (1 source, 2 articles). Sources:
  - Max severity Ubiquiti UniFi flaw may allow account takeover — www.bleepingcomputer.com — 19.03.2026 15:00
  - Ubiquiti patches three max severity UniFi OS vulnerabilities — www.bleepingcomputer.com — 22.05.2026 15:00
- A second vulnerability, an authenticated NoSQL injection flaw fixed in the same release, lets an attacker who already holds a valid account on the application escalate their privileges.
  First reported: 19.03.2026 15:00 (1 source, 2 articles). Sources:
  - Max severity Ubiquiti UniFi flaw may allow account takeover — www.bleepingcomputer.com — 19.03.2026 15:00
  - Ubiquiti patches three max severity UniFi OS vulnerabilities — www.bleepingcomputer.com — 22.05.2026 15:00
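An authenticated NoSQL injection escalates privileges when a low-privileged user can place a query operator where the application expects a plain string. The following is an added example, not Ubiquiti's code and not taken from the advisory, that walks through the pattern with a MongoDB-style query document (an assumption: the page does not name the datastore behind the flawed endpoint). The user records, field names and tokens are constructed, and `matches()` is a toy evaluator standing in for the database so the example runs offline. It shows the two usual escalation routes, a `$ne` bypass of a credential check and a `$regex` oracle that recovers a privileged token one character at a time, beside the type check that closes both.

```python
"""Added example, not Ubiquiti's code: authenticated NoSQL operator injection
used for privilege escalation, and the input check that stops it. Records,
field names and the query evaluator are constructed for this example."""
import json
import re
from typing import Optional

# Constructed records. The attacker holds the 'guest' credentials and wants 'admin'.
USERS = [
    {"name": "admin", "role": "admin", "token": "tok-admin-0001"},
    {"name": "guest", "role": "readonly", "token": "tok-guest-0002"},
]


def matches(doc: dict, filt: dict) -> bool:
    """Evaluate a query document against one record ($ne and $regex only)."""
    for field, cond in filt.items():
        value = doc.get(field)
        if isinstance(cond, dict):  # operator object, e.g. {"$ne": ""}
            for op, arg in cond.items():
                if op == "$ne":
                    ok = value != arg
                elif op == "$regex":
                    ok = isinstance(value, str) and re.search(arg, value) is not None
                else:
                    raise ValueError(f"unsupported operator {op}")
                if not ok:
                    return False
        elif value != cond:
            return False
    return True


def login_vulnerable(request_body: str) -> Optional[dict]:
    """Copies JSON body values straight into the query document: an object
    supplied where a string is expected becomes an operator of the attacker's
    choosing."""
    body = json.loads(request_body)
    filt = {"name": body["name"], "token": body["token"]}
    return next((u for u in USERS if matches(u, filt)), None)


def login_hardened(request_body: str) -> Optional[dict]:
    """Same lookup, but each credential must be a plain string before it goes
    anywhere near a query document."""
    body = json.loads(request_body)
    name, token = body.get("name"), body.get("token")
    if not isinstance(name, str) or not isinstance(token, str):
        raise ValueError("credentials must be strings")
    return next((u for u in USERS if matches(u, {"name": name, "token": token})), None)


def hardened_rejects(request_body: str) -> bool:
    """True if login_hardened() refuses the body as malformed."""
    try:
        login_hardened(request_body)
    except ValueError:
        return True
    return False


# Escalation 1: satisfy the credential check for any token with {"$ne": ""}.
BYPASS = json.dumps({"name": "admin", "token": {"$ne": ""}})

# Escalation 2: use the endpoint as a yes/no oracle and recover the admin
# token one character at a time with an anchored $regex.
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789-"


def recover_token(target: str, max_len: int = 64) -> str:
    prefix = ""
    while len(prefix) < max_len:
        for ch in ALPHABET:
            probe = json.dumps({"name": target, "token": {"$regex": "^" + re.escape(prefix + ch)}})
            if login_vulnerable(probe) is not None:
                prefix += ch
                break
        else:  # no character extends the prefix: the token is complete
            break
    return prefix


if __name__ == "__main__":
    print("bypass ->", login_vulnerable(BYPASS)["role"])
    print("oracle ->", recover_token("admin"))
    print("hardened rejects bypass:", hardened_rejects(BYPASS))
```

The hardened version does not try to strip `$` from strings or blocklist operator names; it refuses anything that is not the scalar type the field requires, which is the only check that also survives new operators and nested documents. When a query genuinely needs to accept a structured filter from a caller, the same rule applies recursively: reject any key beginning with `$` at every depth.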
- The UniFi Network Application is the management software used to configure, monitor and optimize Ubiquiti UniFi networking hardware, including access points, switches and gateways.
  First reported: 19.03.2026 15:00 (1 source, 2 articles). Sources:
  - Max severity Ubiquiti UniFi flaw may allow account takeover — www.bleepingcomputer.com — 19.03.2026 15:00
  - Ubiquiti patches three max severity UniFi OS vulnerabilities — www.bleepingcomputer.com — 22.05.2026 15:00
- Ubiquiti products have historically been targeted by state-backed groups and cybercriminals for botnet construction and for concealing malicious traffic.
  First reported: 19.03.2026 15:00 (1 source, 2 articles). Sources:
  - Max severity Ubiquiti UniFi flaw may allow account takeover — www.bleepingcomputer.com — 19.03.2026 15:00
  - Ubiquiti patches three max severity UniFi OS vulnerabilities — www.bleepingcomputer.com — 22.05.2026 15:00
- CVE-2026-34908 is an Improper Access Control flaw in UniFi OS that lets an unprivileged remote attacker make unauthorized system changes.
  First reported: 22.05.2026 15:00 (1 source, 1 article). Sources:
  - Ubiquiti patches three max severity UniFi OS vulnerabilities — www.bleepingcomputer.com — 22.05.2026 15:00
- CVE-2026-34909 is a Path Traversal vulnerability in UniFi OS that lets an attacker read underlying system files, potentially enabling account compromise.
  First reported: 22.05.2026 15:00 (1 source, 1 article). Sources:
  - Ubiquiti patches three max severity UniFi OS vulnerabilities — www.bleepingcomputer.com — 22.05.2026 15:00
- CVE-2026-34910 is an Improper Input Validation flaw in UniFi OS that enables command injection once an attacker has network access.
  First reported: 22.05.2026 15:00 (1 source, 1 article). Sources:
  - Ubiquiti patches three max severity UniFi OS vulnerabilities — www.bleepingcomputer.com — 22.05.2026 15:00
- CVE-2026-33000 is a second critical command injection flaw affecting UniFi OS devices.
  First reported: 22.05.2026 15:00 (1 source, 1 article). Sources:
  - Ubiquiti patches three max severity UniFi OS vulnerabilities — www.bleepingcomputer.com — 22.05.2026 15:00
- CVE-2026-34911 is a high-severity information disclosure vulnerability affecting UniFi OS devices.
  First reported: 22.05.2026 15:00 (1 source, 1 article). Sources:
  - Ubiquiti patches three max severity UniFi OS vulnerabilities — www.bleepingcomputer.com — 22.05.2026 15:00
- Censys reports nearly 100,000 Internet-exposed UniFi OS endpoints worldwide, roughly 50,000 of them in the United States.
  First reported: 22.05.2026 15:00 (1 source, 1 article). Sources:
  - Ubiquiti patches three max severity UniFi OS vulnerabilities — www.bleepingcomputer.com — 22.05.2026 15:00
- The five UniFi OS vulnerabilities (CVE-2026-34908, CVE-2026-34909, CVE-2026-34910, CVE-2026-33000 and CVE-2026-34911) were reported through Ubiquiti's HackerOne bug bounty program and can be exploited in low-complexity attacks.
  First reported: 22.05.2026 15:00 (1 source, 1 article). Sources:
  - Ubiquiti patches three max severity UniFi OS vulnerabilities — www.bleepingcomputer.com — 22.05.2026 15:00
- Ubiquiti has not disclosed whether any of the five UniFi OS vulnerabilities were exploited in the wild before the patches shipped.
  First reported: 22.05.2026 15:00 (1 source, 1 article). Sources:
  - Ubiquiti patches three max severity UniFi OS vulnerabilities — www.bleepingcomputer.com — 22.05.2026 15:00
Similar Happenings
Active exploitation of PAN-OS RCE zero-day CVE-2026-0300 via User-ID Authentication Portal
State-sponsored threat actors tracked as CL-STA-1132 exploited the critical PAN-OS firewall zero-day CVE-2026-0300 since at least April 9, 2026, achieving initial unauthenticated remote code execution by April 16–17, 2026. The vulnerability, a buffer overflow in the User-ID Authentication Portal service, enabled root-level arbitrary code execution on exposed PA-Series and VM-Series firewalls. Attackers injected shellcode into nginx worker processes and immediately began erasing forensic artifacts, including crash kernel messages and nginx records, to evade detection. Post-compromise activity included Active Directory enumeration and deployment of EarthWorm and ReverseSocks5 tunneling tools on April 29, 2026, targeting additional network devices. The adversary’s use of open-source tools and disciplined, intermittent operational sessions over weeks minimized signature-based detection while maintaining stealth. Over 5,400 PAN-OS VM-Series firewalls remain exposed on the internet, predominantly in Asia and North America. CISA added CVE-2026-0300 to its Known Exploited Vulnerabilities Catalog on May 7, 2026, mandating federal remediation by May 9, 2026. Palo Alto Networks released initial patches for CVE-2026-0300 on May 14, 2026.
Critical Authentication Bypass in Progress MOVEit Automation RCE Vectors Exposed
A critical authentication bypass vulnerability (CVE-2026-4670) and a high-severity privilege escalation flaw (CVE-2026-5174) in Progress MOVEit Automation have been disclosed and patched. The authentication bypass (CVSS 9.8) allows remote, unauthenticated attackers to bypass authentication and execute arbitrary actions without privileges or user interaction, while the privilege escalation flaw (CVSS 7.7) enables unauthorized administrative control and data exposure. The vulnerabilities affect versions prior to 2025.1.5, 2025.0.9, and 2024.1.8, with fixes requiring full installer upgrades that cause system outages. Airbus SecLab researchers are credited with discovering and reporting both flaws, which can be exploited via service backend command port interfaces. No workarounds exist, and immediate patching is recommended to prevent potential exploitation resembling prior MOVEit Transfer intrusions. MOVEit Automation is an enterprise-grade managed file transfer (MFT) orchestrator used by over 3,000 organizations and 100,000 users globally to automate complex data workflows across local servers, cloud storage, and external partners. Progress Software has issued advisories emphasizing the severity of the flaws, noting that exploitation could lead to full system compromise, data exfiltration, or lateral movement within affected environments. Over 1,400 exposed instances have been identified, including systems linked to U.S. government agencies.