INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
Ubiquiti UniFi Security Flaw Allows Account Hijacking
2026-03-20 16:22 | CRITICAL LOW
Executive Summary AI-generated
The Ubiquiti UniFi Network Application is affected by a maximum-severity vulnerability, with roughly 88,000 hosts exposed to the internet as of Friday morning. The flaw, CVE-2026-22557, is a path-traversal vulnerability in the software used to manage UniFi networking devices, including access points, gateways and switches. Researchers have identified two vulnerabilities in Ubiquiti's UniFi Network Application: one tracked as CVE-2026-22558 with CVSS score 10.0, which also affects version 10.1.85 and earlier, and another tracked as CVE-2026-22557 with CVSS score 10.0, which is addressed in versions 10.1.89 or later. The vulnerabilities pose a significant risk to UniFi Network Application users: attackers could exploit them to take over user accounts or access sensitive files on the underlying system.
Technical Mitigations AI-generated
* Update to latest software versions: Ubiquiti advises UniFi Network Application users to update to the latest software versions, which also addressed a second vulnerability — CVE-2026-22558 — that attackers could exploit to escalate privileges.
* Use secure protocols and authentication: Ensure all communication between devices is encrypted using HTTPS or other secure protocols. Also, implement strong authentication mechanisms, such as multi-factor authentication (MFA), to prevent unauthorized access to user accounts.
* Regularly scan for vulnerabilities: Use a vulnerability scanner to regularly scan UniFi Network Application hosts publicly exposed to the internet for any known vulnerabilities and update them promptly if necessary.
* Implement network segmentation: Segment your network into separate zones or subnets, using firewalls and other security controls, to isolate sensitive data and applications from less critical ones. This can help prevent lateral movement in case of a breach.
* Monitor system logs and event notifications: Regularly monitor system logs and event notifications for any suspicious activity that may indicate an unauthorized access attempt on the UniFi Network Application or its underlying systems.
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
CVE-2026-22558
CVE-2026-22557
Target & Sectors
NORTH_AMERICA
Incident Timeline
February 2024
Threat actors used hacked Ubiquiti Edge OS routers to proxy malicious traffic in attacks targeting the United States and its allies.
source_region
Russian Federation
For instance, in February 2024, the FBI dismantled a botnet of hacked Ubiquiti Edge OS routers used by Russia's Main Intelligence Directorate of the General Staff (GRU) to proxy malicious traffic in attacks targeting the United States and its allies.
target_region
United States
tactic
Botnet
attribution
FBI
attribution
Ubiquiti Edge OS
attribution
Main Intelligence Directorate
2026-03-20
Ubiquiti patched two vulnerabilities in its UniFi Network Application, including a maximum-severity flaw that may allow attackers to take over user accounts.
infrastructure
10.0
The vendor addressed a maximum severity issue tracked as CVE-2026-22557 (CVSS score of 10.0), which affects UniFi Network application version 10.1.85 and earlier.
infrastructure
10.1.85
"Tracked as CVE-2026-22557, the security flaw impacts UniFi Network application version 10.1.85 and earlier and is addressed in versions 10.1.89 or later.
infrastructure
10.1.89
Versions 10.1.89 or later addressed the vulnerability.
organisation
UniFi
The path-traversal vulnerability — CVE-2026-22557 — affects software used to manage UniFi networking devices, including access points, gateways and switches.
Critical Ubiquiti UniFi security flaw allows potential account hijacking.
The UniFi Network app (also known as the UniFi Controller) is management software that helps configure, monitor, and optimize Ubiquiti UniFi networking hardware, such as access points, switches, and gateways.
organisation
Controller
organisation
UniFi Network
Ubiquiti patched two vulnerabilities in its UniFi Network app, including a maximum-severity flaw that could enable account takeover.
"The preferred way to deploy UniFi Network is on a UniFi Cloud Gateway, rather than on a server, laptop, or other self-hosted environment.
organisation
The Ubiquiti UniFi Network
The Ubiquiti UniFi Network app is management software developed by Ubiquiti to control and monitor its UniFi networking devices.
organisation
Path Traversal
“A malicious actor with access to the network could exploit a Path Traversal vulnerability found in the UniFi Network Application to access files on the underlying system that could be manipulated to access an underlying account,” reads the advisory.
"A malicious actor with access to the network could exploit a Path Traversal vulnerability found in the UniFi Network Application to access files on the underlying system that could be manipulated to access an underlying account," the company says in an advisory published on Wednesday.
organisation
the UniFi Network Application
Ubiquiti has patched two vulnerabilities in the UniFi Network Application, including a maximum-severity flaw that may allow attackers to take over user accounts.
organisation
UniFi Network Application
“An Authenticated NoSQL Injection vulnerability found in UniFi Network Application could allow a malicious actor with authenticated access to the network to escalate privileges,” states the company.
"An Authenticated NoSQL Injection vulnerability found in UniFi Network Application could allow a malicious actor with authenticated access to the network to escalate privileges," the company explained.
Researchers and threat hunters are scrambling to contain a maximum-severity defect in Ubiquiti’s UniFi Network Application that attackers could exploit to take over user accounts by accessing and manipulating files.
organisation
SecurityAffairs
Pierluigi Paganini
organisation
The Red Report 2026
The Red Report 2026 reveals how new threats use math to detect sandboxes and hide in plain sight.
infrastructure
88,000 Application hosts
“Given that the CVSS 10 rating implies low attack complexity, we anticipate that once the specific vulnerable endpoint is identified, exploitation will be trivial to automate.”
Censys sensors observed nearly 88,000 UniFi Network Application hosts publicly exposed to the internet as of Friday morning.
organisation
UniFi Networking Application
Ubiquiti defect poses account takeover risk for UniFi Networking Application users.
organisation
Censys
“As of this morning, we have not observed any public proof-of-concept exploits or confirmed reports of exploitation in the wild,” Matthew Guidry, senior product detection engineer at Censys, told CyberScoop.
organisation
CyberScoop
Tactical Metrics
Metrics
infrastructure
10.0
Software Version
Metrics
infrastructure
10.1.85
Software Version
Metrics
infrastructure
10.1.89
Software Version
Metrics
infrastructure
88,000
Application Hosts
Intelligence Sources
Security Affairs
2026-03-19
BleepingComputer
2026-03-19
Max severity Ubiquiti UniFi flaw may allow account takeover
BleepingComputer
CyberScoop
2026-03-20
Incident Version History
CURRENT VERSION
Last Updated: 2026-04-27T11:23
Comprehensive Tactical Telemetry
Highly Correlated Entities
12x | organisation | Identified Entity | UniFi | entity
3x | infrastructure | Software Version | 10.0 | version
3x | timeline | Temporal Reference | 10.1.85 and earlier | date
3x | attribution | Attributing Entity | FBI | authority
2x | tactic | Cyber Operation Type | Privilege Escalation | tactic
2x | vulnerability | Exploited CVE | CVE-2026-22558 | cve
2x | vulnerability | CVSS Score | 8 | score
2x | source region | Origin Country | Russian Federation | country
Contextual Telemetry
Context Block
7 METRICS
target region | Target Country | United States | country
general metric | Cve-2026 | 22,557 | cve-2026
tactic | MITRE ATT&CK Technique | T1588.001 - Malware | technique
general metric | Red Report | 2,026 | red report
general metric | Malicious Samples | 1,100,000 | malicious samples
general metric | Top Techniques | 10 | top techniques
infrastructure | Application Hosts | 88,000 | application hosts