Urgent Security Warning: Critical UniFi Vulnerabilities (CVE-2026-22557, CVE-2026-22558 & CVE-2026-22559)

Recently, Ubiquiti released Security Advisory Bulletin 062, an urgent disclosure. The bulletin revealed three severe vulnerabilities deep within the architecture of the UniFi Network Application, the central management console used to orchestrate access points, switches, and security gateways across multi-tenant environments.

The most critical of these flaws, officially tracked as CVE-2026-22557, achieved the maximum possible Common Vulnerability Scoring System (CVSS) rating of 10.0. This exploit requires no authentication, demands no user interaction, and presents an alarmingly low complexity of attack. The second flaw, CVE-2026-22558, is a high-severity (CVSS 7.7) authenticated NoSQL injection vulnerability that permits sweeping privilege escalation. Finally, a third high-severity flaw, CVE-2026-22559 (CVSS 8.8), introduces a dangerous social engineering vector.

Unlike a compromised user workstation, which provides a localised foothold, a compromised network controller offers an adversary complete visibility and control over an entire logical network segment. Threat actors can silently alter Virtual Local Area Network (VLAN) configurations, bridging isolated guest networks directly into sensitive corporate subnets, or recruit the underlying hardware into massive proxy botnets.

The discovery of a CVSS 10.0 vulnerability in the UniFi ecosystem is an open invitation for automated exploitation. Because the UniFi Network Application openly broadcasts its exact version number on the public-facing login portal, automated reconnaissance scanners can instantly distinguish between vulnerable and patched instances.

CVE-2026-22557: Unauthenticated Path Traversal

Discovered by security researcher n00r3 (@izn0u), this vulnerability achieved a CVSS base score of 10.0 the highest possible severity rating, reserved exclusively for vulnerabilities that represent total, unfettered system compromise with minimal attacker effort.

The Mechanics of Path Traversal (CWE-22)

CVE-2026-22557 is a 'Path Traversal' or 'Directory Traversal' vulnerability. It manifests when an application fails to properly sanitise a special file-system element, most notably the ../ (dot-dot-slash) sequence. By manipulating an input parameter, an attacker can traverse backwards up the directory tree to read arbitrary files located directly on the underlying operating system.

The Exploitation Pathway and Account Takeover (ATO)

According to the official Ubiquiti advisory, successfully exploiting this path traversal allows an attacker to "access files on the underlying system that could be manipulated to access an underlying account".

An unauthenticated threat actor probing a publicly exposed UniFi controller can craft a malicious HTTP request to read highly sensitive internal application files. These could allow the attacker to access files that contain MongoDB connection strings, internal API secrets, and cryptographic salts. They might also traverse into temporary directories to extract active, unexpired session tokens left behind by legitimate administrators.

Armed with these internal files, the attacker can forge a mathematically valid session cookie. By presenting this forged cookie, the unauthenticated attacker seamlessly transitions into a fully authenticated administrative account without a single brute-force password attempt.

CVE-2026-22558: Authenticated NoSQL Injection

Discovered by security researcher Garett Kopcha (@0x5t), the second vulnerability, CVE-2026-22558, is an Authenticated NoSQL Injection holding a severity rating of CVSS 7.7 (High).

The UniFi Network Application utilises MongoDB to store configurations and user identity data. This vulnerability manifests when the application incorporates user-supplied input directly into a backend MongoDB query without strict type-checking sanitisation.

If an attacker possesses low-level, authenticated access to the application (such as a restricted 'Read-Only' or 'Site Admin' account), they can modify JSON payloads to include powerful NoSQL operators like $ne (Not Equal) or $where. By manipulating this logic, the threat actor can force the backend database to execute commands that unilaterally elevate their limited account into a Global Administrator role.

CVE-2026-22559: Improper Input Validation

Discovered by security researcher Shubham Gupta (@hackerspider1), the third vulnerability, CVE-2026-22559, is an Improper Input Validation flaw holding a severity rating of CVSS 8.8 (High).

Unlike the first two flaws, this vulnerability critically relies on User Interaction. Improper input validation occurs when an application receives data from an attacker but fails to validate or neutralise malicious syntax before processing it.

This vulnerability allows unauthorised access to an account if the account owner is socially engineered into clicking a malicious link. If an attacker sends a targeted link to a UniFi network administrator, and the administrator clicks it while having an active, authenticated session open, the malicious payload executes. This allows the attacker to silently hijack the administrator's active session or manipulate the application into granting persistent backend access.

The Exploit Chain: Total Network Compromise

Vulnerabilities are rarely exploited in a vacuum. These UniFi vulnerabilities are highly likely to be chained together by sophisticated threat actors:

1. Reconnaissance: A botnet scanner identifies an exposed UniFi controller displaying a vulnerable version number on its login page.
2. Initial Access (CVE-2026-22557 or CVE-2026-22559): The scanner fires a path traversal payload to extract system.properties and active session tokens. Alternatively, an attacker spear-phishes an admin using the improper input validation flaw to hijack an active session.
3. Session Hijacking: The attacker authenticates using a stolen, low-level 'Site Admin' session.
4. Privilege Escalation (CVE-2026-22558): The attacker executes a NoSQL injection payload targeted at the user-management API, elevating their hijacked account to be the Main Admin/Global Administrator of the controller.
5. Total Compromise: The attacker now possesses unmitigated control to alter and change all the network settings such as VLANs, extract Wi-Fi pre-shared keys, or deploy malicious backdoor firmware to downstream switches and access points. Remediation Protocol: Identifying Affected Infrastructure

If you haven't already done so, you should apply the security updates immediately. There is no acceptable delay window for vulnerabilities of this magnitude. The following explicitly affected software versions must be patched immediately:

UniFi Network Application 10.1.85 and earlier (official channel)

UniFi Network Application Version 10.2.93 and earlier (RC channel)

UniFi Express Firmware Firmware prior to 4.0.13

Which versions are safe/patched?

UniFi Network Application 10.1.89 or later (official channel)

UniFi Network Application Version 10.2.97 or later (RC channel)

UniFi Express Firmware Firmware 4.0.13 or later

Our Immediate Response to Bulletin 062

When Security Advisory Bulletin 062 was published, our incident response was instantaneous. The moment we received the CVE advisory and Ubiquiti made the patched versions available, our engineering team immediately initiated our emergency protocol.

We worked entirely through the night to deploy the secure release across our infrastructure. By morning, while many self-hosters were just waking up to the news, every single controller hosted on our platform was already updated and fully secured .

How UniHosted manage controller updates

Here is exactly how we handle critical controller updates behind the scenes to keep our users secure:

• Release Candidates & Testing: New UniFi Controller versions ('Release Candidates') are frequently published by Ubiquiti. At UniHosted, we immediately download and rigorously test these candidates for stability across multiple dedicated test servers.
• Deployment: Once Ubiquiti confirms the version's stability and if our internal tests are satisfactory we deploy the version to our free-tier users first.
• Active Monitoring: We continuously monitor log data, memory usage, CPU loads, and the presence of any memory leaks. If issues arise or a version shows signs of instability, we delay pushing the update to our paid users to ensure their environments remain rock-solid.
• Proactive Communication: Before conducting any routine update on a paid tier, we alert our customers via email, generally a week in advance. During the update, there is typically only a short, five-minute window where the controller interface is inaccessible (note: the physical local network remains entirely operational during this controller reboot).
• Flexibility & Emergency Patching: If a customer does not wish for their controller to be updated at the specified time, they can negotiate a more convenient window. However, in the event of maximum-severity CVEs like those in Bulletin 062, we leverage our pipeline to apply critical security updates immediately, ensuring networks stay secure.

When does Managed UniFi hosting make more sense?

Managing UniFi at scale introduces operational risk: inconsistent versions, manual backups, expiring certificates, and hardware failures. Many MSPs move to hosted UniFi controllers to centralize infrastructure while retaining full network control.

Summary

The public disclosure of CVE-2026-22557 (Path Traversal), CVE-2026-22558 (NoSQL Injection), and CVE-2026-22559 (Improper Input Validation) presents a highly lethal attack chain of zero-click exploits and social engineering tactics. Because vulnerable controller versions are broadcast on the login screen, unauthenticated adversaries can easily target, traverse, and systematically compromise entire enterprise networks.

While the prescribed mitigation requires an immediate upgrade to version 10.1.89 or later, executing these emergency patches manually across multi-tenant environments introduces severe operational risks for System and Network administrators. Migrating to a dedicated, managed UniFi hosting platform like UniHosted neutralises these threats. By relying on our automated testing, deployment, and monitoring pipelines, System and Network admins can secure their clients environments against maximum-severity vulnerabilities instantly and silently.