Full Report
Ubiquiti has patched two vulnerabilities in the UniFi Network Application, including a maximum-severity flaw that may allow attackers to take over user accounts. [...]
Analysis Summary
# Vulnerability: Path Traversal and NoSQL Injection in UniFi Network Application
## CVE Details
- **CVE ID:** CVE-2026-22557 (Path Traversal); Second vulnerability (NoSQL Injection) lacks a specific CVE ID in the source text.
- **CVSS Score:** 10.0 (Critical) for CVE-2026-22557
- **CWE:** CWE-22 (Improper Limitation of a Pathname to a Restricted Directory); NoSQL Injection (CWE-943)
## Affected Systems
- **Products:** Ubiquiti UniFi Network Application (UniFi Controller)
- **Versions:** 10.1.85 and earlier
- **Configurations:** Self-hosted environments (servers/laptops) and UniFi Cloud Gateways running the affected software versions.
## Vulnerability Description
**CVE-2026-22557:** A Path Traversal vulnerability that allowing unprivileged attackers with network access to bypass directory restrictions. By manipulating file paths, an attacker can access sensitive files on the underlying operating system. These files can be leveraged to hijack user accounts.
**NoSQL Injection:** An authenticated vulnerability where a low-privileged user can inject malicious NoSQL queries. This allows the attacker to bypass application logic or manipulate the database to escalate their privileges within the application.
## Exploitation
- **Status:** No specific mention of active exploitation in the wild or public PoC for these specific flaws, though Ubiquiti devices are frequent targets for state-sponsored botnets (e.g., GRU/Moobot).
- **Complexity:** Low (CVE-2026-22557)
- **Attack Vector:** Network
## Impact
- **Confidentiality:** High (Access to sensitive system files and account credentials)
- **Integrity:** High (Potential for account takeover and privilege escalation)
- **Availability:** High (Potential for full system compromise/takeover)
## Remediation
### Patches
- **UniFi Network Application version 10.1.89 or later** addresses both vulnerabilities.
### Workarounds
- No official workarounds are provided. Users are strongly encouraged to update to the patched version immediately due to the maximum severity rating.
- Ensure the management interface is not exposed to the public internet.
## Detection
- **Indicators of Compromise:** Look for unusual traversal patterns in web server logs (e.g., `../`, `..%2f`, or absolute file paths).
- **Detection methods and tools:**
- Review UniFi Application logs for unauthorized account access or privilege changes.
- Monitor for unexpected file access events on the host OS where the controller is installed.
## References
- Ubiquiti Security Advisory Bulletin 062: hxxps[://]community[.]ui[.]com/releases/Security-Advisory-Bulletin-062-062/c29719c0-405e-4d4a-8f26-e343e99f931b
- CVE-2026-22557 Record: hxxps[://]www[.]cve[.]org/CVERecord?id=CVE-2026-22557
- Ubiquiti General Support: hxxp[://]help[.]ui[.]com/hc/en-us/articles/360012192813-Introduction-to-UniFi