Ubiquiti patched two vulnerabilities in the UniFi Network Application, including a maximum-severity path traversal flaw (CVE-2026-22557) that can enable account takeover. The flaws affect UniFi Network 10.1.85 and earlier and are fixed in version 10.1.89 and later, against a history of Ubiquiti devices being abused by state-backed actors and criminal botnets. #CVE-2026-22557 #Ubiquiti
Key points
- Ubiquiti released patches for two UniFi Network Application vulnerabilities, including a maximum-severity flaw.
- CVE-2026-22557 is a path traversal vulnerability that could allow attackers to access files and hijack user accounts without privileges or user interaction.
- A second flaw is an authenticated NoSQL injection that can be exploited for privilege escalation by low-privileged, authenticated users.
- The issues impact UniFi Network versions 10.1.85 and earlier and are resolved in version 10.1.89 and later.
- Ubiquiti products have previously been targeted by state-backed groups and cybercriminals, including a GRU-linked botnet dismantled by the FBI in February 2024.
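The affected and fixed version numbers above are the actionable facts on this page. As an added example (not code from Ubiquiti or the original article), this Python helper maps a fleet inventory onto that range; versions 10.1.86 through 10.1.88 are reported as unknown because the page says nothing about them, and the sample hostnames are constructed.

```python
"""Map UniFi Network Application versions onto the CVE-2026-22557 advisory range.

The advisory states: 10.1.85 and earlier are affected, 10.1.89 and later are fixed.
Anything in between is reported as "unknown" rather than guessed.
"""
import re
from typing import Dict, Tuple

LAST_AFFECTED = (10, 1, 85)  # from the advisory: 10.1.85 and earlier
FIRST_FIXED = (10, 1, 89)    # from the advisory: 10.1.89 and later


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '10.1.85' or 'v10.1.85' into a comparable tuple of integers.

    A build suffix after '-' or '+' is ignored; unparseable input raises ValueError.
    Short versions such as '10.1' are padded with zeros so they compare as (10, 1, 0).
    """
    m = re.fullmatch(r"v?(\d+(?:\.\d+)*)(?:[-+].*)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * max(0, 3 - len(parts))


def assess(version: str) -> str:
    """Return 'affected', 'fixed' or 'unknown' for one UniFi Network version."""
    v = parse_version(version)
    if v <= LAST_AFFECTED:
        return "affected"
    if v >= FIRST_FIXED:
        return "fixed"
    return "unknown"  # 10.1.86 to 10.1.88: not covered by the advisory text


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Assess every host in a {hostname: version} inventory."""
    return {host: assess(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {
        "unifi-hq": "10.1.85",
        "unifi-branch": "v10.1.89",
        "unifi-lab": "10.1.87-build3",
        "unifi-legacy": "9.3.45",
    }
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```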