Other information and services of the government: www.belgium.be Centre for Cybersecurity Belgium
search

Warning: CVE‑2026‑22557 & CVE‑2026‑22558 in UniFi Network App could lead to full system compromise, Patch Immediately!

Image
Decorative image
Published : 20/03/2026
  • Last update: 19/03/2026
  • Affected software:
    → Official Release: UniFi Network application (Version 10.1.85 and earlier)
    → Release Candidate: UniFi Network application (Version 10.2.93 and earlier)
    → UniFi Express (UX): UniFi Network application (Version 9.0.114 and earlier)
  • Type:
    → CWE-35: Path Traversal
    → CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
  • CVE/CVSS
    → CVE-2026-22557: CVSS 10 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
    → CVE 2026 22558: CVSS 7.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)

Sources

Ubiquiti - https://community.ui.com/releases/Security-Advisory-Bulletin-062-062/c29719c0-405e-4d4a-8f26-e343e99f931b

Risks

The UniFi Network Application is the central platform for managing network devices, including Wi‑Fi access points, switches, and security policies across enterprise and SMB environments.

Two severe vulnerabilities have been identified:

  1. Path Traversal (CVE‑2026‑22557) – allows network attackers to access and manipulate files on the underlying system, potentially leading to unauthorized account access.
  2. Authenticated NoSQL Injection (CVE‑2026‑22558) – allows a malicious actor with authenticated access to escalate privileges within the UniFi Network Application.

These vulnerabilities can be chained: an attacker exploiting the Path Traversal could gain system access and then leverage the NoSQL Injection to escalate privileges, amplifying impact across the network.

Exploitation would have a high impact on confidentiality, integrity, and availability. Since the UniFi Network Application centrally manages network traffic, device configurations, and user access, attackers could manipulate network settings, extract credentials, or escalate privileges across managed infrastructure.

As of publication, there is no evidence of exploitation in the wild.

Description

These vulnerabilities allow attackers to:

  • Exploit Path Traversal or Authenticated NoSQL Injection via the web interface or API.
  • Access files, configuration data, or escalate privileges due to insufficient input validation.
  • Modify settings, escalate privileges, or fully compromise the application.
  • Alter network policies, extract credentials, disrupt services, or pivot across managed devices.

Recommended Actions

Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.

Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity and ensure a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via https://ccb.belgium.be/en/cert/report-incident.

While patching appliances or software to the newest version may protect against future exploitation, it does not remediate historic compromise.

References

CVE.org - https://www.cve.org/CVERecord?id=CVE-2026-22557
CVE.org - https://www.cve.org/CVERecord?id=CVE-2026-22558