Critical Ubiquiti UniFi security flaw allows potential account hijacking

securityaffairs.com · WaitWaitWha · 15 days ago · vulnerability
By Pierluigi Paganini, Security Affairs, March 19, 2026

Ubiquiti fixed two UniFi vulnerabilities, including a critical flaw that could let attackers take over user accounts.

Ubiquiti patched two vulnerabilities in its UniFi Network application, including a maximum-severity flaw that could enable account takeover. The software is widely used to manage UniFi networking devices such as access points, switches, and gateways.

The UniFi Network application is Ubiquiti's management software for controlling and monitoring its UniFi networking devices. It lets users configure, manage, and optimize hardware such as Wi-Fi access points, switches, and gateways from a single dashboard. IT admins use it to set up networks, track performance, manage users, apply security settings, and troubleshoot issues, either locally or via the cloud.

The vendor addressed a maximum-severity issue tracked as CVE-2026-22557 (CVSS score of 10.0), which affects UniFi Network application version 10.1.85 and earlier. An attacker with access to the network could exploit a path traversal flaw in the application to reach files on the underlying system and, by manipulating them, take over an account.

“A malicious actor with access to the network could exploit a Path Traversal vulnerability found in the UniFi Network Application to access files on the underlying system that could be manipulated to access an underlying account.” reads the advisory.

Version 10.1.89 and later address the vulnerability.

The second issue, tracked as CVE-2026-22558 (CVSS score of 7.7), also resides in the UniFi Network application. An attacker who already holds low-privileged, authenticated access can exploit it to escalate privileges.
“An Authenticated NoSQL Injection vulnerability found in UniFi Network Application could allow a malicious actor with authenticated access to the network to escalate privileges,” states the company.
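The two bug classes the advisories name, path traversal (CVE-2026-22557) and authenticated NoSQL injection (CVE-2026-22558), shown as generic vulnerable-versus-hardened miniatures. This is an added example and not Ubiquiti's code: the advisories disclose no endpoint, parameter, or query, so the web root, file contents, user records, field names, and the `{"$ne": ""}` payload below are all constructed for the illustration and say nothing about how the UniFi flaws are actually triggered.

```python
"""Generic miniatures of the two bug classes in the UniFi advisories.

Added example, not Ubiquiti's code: the advisories name the classes
(path traversal, authenticated NoSQL injection) but disclose no endpoint
or parameter, so everything below (paths, file contents, user records,
field names, payloads) is constructed for illustration only.
"""
import posixpath
from typing import Callable, Optional

# ---- 1. Path traversal -------------------------------------------------

WEB_ROOT = "/srv/app/public"  # hypothetical document root

# Constructed in-memory "filesystem" so the example runs offline; one file
# sits outside the web root to stand in for a sensitive system file.
CONSTRUCTED_FS = {
    "/srv/app/public/index.html": "<html>ok</html>",
    "/srv/app/public/css/site.css": "body{}",
    "/srv/app/data/system.properties": "db.user=admin\ndb.pass=s3cret",
}


def resolve_vulnerable(user_path: str) -> str:
    """Join and normalise only: '..' segments are honoured, so a request
    such as '../data/system.properties' escapes WEB_ROOT, and an absolute
    request such as '/etc/passwd' replaces the root entirely."""
    return posixpath.normpath(posixpath.join(WEB_ROOT, user_path))


def resolve_hardened(user_path: str) -> Optional[str]:
    """Normalise, then require the result to stay inside WEB_ROOT.

    Against a real filesystem also canonicalise symlinks (os.path.realpath)
    and percent-decode the request exactly once before this check."""
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, user_path.lstrip("/")))
    root_prefix = WEB_ROOT.rstrip("/") + "/"  # trailing slash rejects /publicX/ siblings
    if candidate != WEB_ROOT and not candidate.startswith(root_prefix):
        return None  # resolved outside the root: reject
    return candidate


def read_file(resolver: Callable[[str], Optional[str]], user_path: str) -> Optional[str]:
    """Serve a file through the given resolver; None means denied or absent."""
    path = resolver(user_path)
    return CONSTRUCTED_FS.get(path) if path else None


# ---- 2. Authenticated NoSQL (MongoDB operator) injection ---------------

# Constructed user records standing in for a MongoDB collection. The admin
# being first is deliberate: find_one returns the first match, which is
# what turns a wildcard filter into a privilege escalation.
USERS = [
    {"name": "alice", "password": "alice-pw", "role": "admin"},
    {"name": "bob", "password": "bob-pw", "role": "readonly"},
]


def _matches(doc_value, criterion) -> bool:
    """Tiny subset of MongoDB filter semantics: a dict is an operator
    expression ($ne only here), anything else is an equality test."""
    if isinstance(criterion, dict):
        if set(criterion) != {"$ne"}:
            raise ValueError(f"unsupported operator(s): {sorted(criterion)}")
        return doc_value != criterion["$ne"]
    return doc_value == criterion


def find_one(filter_doc: dict) -> Optional[dict]:
    for doc in USERS:
        if all(_matches(doc.get(k), v) for k, v in filter_doc.items()):
            return doc
    return None


def login_vulnerable(body: dict) -> Optional[str]:
    """Drops parsed JSON straight into the filter, so a client that sends
    {"password": {"$ne": ""}} supplies an operator, not a literal string."""
    user = find_one({"name": body.get("name"), "password": body.get("password")})
    return user["role"] if user else None


def login_hardened(body: dict) -> Optional[str]:
    """Type-checks credential fields so only scalar strings reach the query."""
    name, password = body.get("name"), body.get("password")
    if not isinstance(name, str) or not isinstance(password, str):
        return None
    user = find_one({"name": name, "password": password})
    return user["role"] if user else None


if __name__ == "__main__":
    print(read_file(resolve_vulnerable, "../data/system.properties"))  # db.user=admin ... leaks
    print(read_file(resolve_hardened, "../data/system.properties"))    # None
    print(login_vulnerable({"name": "bob", "password": {"$ne": ""}}))  # readonly, password bypassed
    print(login_vulnerable({"name": {"$ne": ""}, "password": {"$ne": ""}}))  # admin
    print(login_hardened({"name": {"$ne": ""}, "password": {"$ne": ""}}))    # None
```

The second half is why the advisory's wording matters: a low-privileged user who can already authenticate needs only a JSON body whose field values are objects rather than strings to have the filter match someone else's record, and the fix is as much input typing as it is query construction. The first half shows the single containment check (normalise, then prefix-compare against the root with a trailing slash) that a path-handling endpoint needs before touching the filesystem.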