Skip to main content

Ubiquiti CVE-2026-22562

| EUVDEUVD-2026-22091 CRITICAL
Path Traversal (CWE-22)
2026-04-13 hackerone GHSA-vpqx-f7gf-qp3x
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

9
Patch released
Apr 30, 2026 - 16:14 nvd
Patch available
Re-analysis Queued
Apr 17, 2026 - 15:37 vuln.today
cvss_changed
Analysis Updated
Apr 16, 2026 - 05:44 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
1.0.38,1.1.9
Analysis Generated
Apr 15, 2026 - 12:36 vuln.today
EUVD ID Assigned
Apr 13, 2026 - 21:45 euvd
EUVD-2026-22091
Analysis Generated
Apr 13, 2026 - 21:45 vuln.today
CVE Published
Apr 13, 2026 - 21:28 nvd
CRITICAL 9.8

DescriptionCVE.org

A malicious actor with access to the UniFi Play network could exploit a Path Traversal vulnerability found in the device firmware to write files on the system that could be used for a remote code execution (RCE).

Affected Products: UniFi Play PowerAmp (Version 1.0.35 and earlier)
UniFi Play Audio Port  (Version 1.0.24 and earlier) Mitigation: Update UniFi Play PowerAmp to Version 1.0.38 or later
Update UniFi Play Audio Port  to Version 1.1.9 or later

AnalysisAI

Path traversal in UniFi Play PowerAmp (≤1.0.35) and Audio Port (≤1.0.24) firmware allows unauthenticated remote attackers to write arbitrary files for remote code execution. CVSS 9.8 critical severity reflects network-accessible attack requiring no authentication or user interaction. EPSS score of 0.11% (30th percentile) suggests low immediate exploitation probability despite critical rating. No public exploit identified at time of analysis. Reported via HackerOne bug bounty, vendor patches avai

Technical ContextAI

This vulnerability exploits CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), commonly known as path traversal or directory traversal. The affected products-Ubiquiti UniFi Play PowerAmp and Audio Port devices-are network-connected audio equipment deployed in commercial and residential installations. The flaw resides in the device firmware's file handling routines, which fail to properly sanitize file path inputs. Attackers can use directory traversal sequences (e.g., '../../../') to escape restricted directories and write files to arbitrary locations on the underlying Linux-based operating system. By writing malicious files to executable paths, startup scripts, or web application directories, attackers can achieve persistent remote code execution with the privileges of the firmware process (likely root or system-level). The CPE identifiers (cpe:2.3:a:ubiquiti_inc:unifi_play_poweramp and cpe:2.3:a:ubiquiti_inc:unifi_play_audio_port) confirm these are embedded device firmwares, not traditional server applications, making filesystem-level access particularly dangerous.

RemediationAI

Vendor-released patches are available: upgrade UniFi Play PowerAmp to firmware version 1.0.38 or later, and upgrade UniFi Play Audio Port to firmware version 1.1.9 or later. Firmware updates should be applied via the UniFi controller interface or device management console following standard Ubiquiti update procedures. Until patching is complete, implement network-level mitigations: restrict access to device management interfaces using firewall rules or VLANs to trusted administrator networks only, disable remote management if not required, and monitor device logs for unusual file write operations or unexpected network connections. Organizations without immediate patching capability should air-gap affected devices from untrusted networks. Detailed update instructions and firmware downloads available in Ubiquiti Security Advisory Bulletin 063: https://community.ui.com/releases/Security-Advisory-Bulletin-063/e468dd4b-5090-4ef8-89d8-939903c08e83. Verify firmware versions post-update and audit network segmentation policies for embedded audio/IoT devices.

CVE-2026-34910 CRITICAL POC
10.0 May 22

Unauthenticated command injection in Ubiquiti UniFi OS devices allows remote attackers with network access to execute ar

CVE-2026-34909 CRITICAL POC
10.0 May 22

Path traversal in Ubiquiti UniFi OS devices allows network-adjacent attackers to read sensitive files from the underlyin

CVE-2026-34908 CRITICAL POC
10.0 May 22

Unauthorized system modification on Ubiquiti UniFi OS devices allows network-adjacent attackers to alter device configur

CVE-2013-1606 HIGH POC
7.5 Jul 18

Buffer overflow in the ubnt-streamer RTSP service on the Ubiquiti UBNT AirCam with airVision firmware before 1.1.6 allow

CVE-2026-22557 CRITICAL POC
10.0 Mar 19

A critical path traversal vulnerability exists in the UniFi Network Application that allows unauthenticated remote attac

CVE-2023-1458 CRITICAL POC
9.8 Mar 25

A vulnerability has been found in Ubiquiti EdgeRouter X 2.0.9-hotfix.6 and classified as critical. Rated critical severi

CVE-2023-24104 CRITICAL POC
9.8 Feb 23

Ubiquiti Networks UniFi Dream Machine Pro v7.2.95 allows attackers to bypass domain restrictions via crafted packets. Ra

CVE-2016-7792 HIGH POC
8.8 Jan 23

Ubiquiti Networks UniFi 5.2.7 does not restrict access to the database, which allows remote attackers to modify the data

CVE-2023-23912 HIGH POC
8.8 Feb 09

A vulnerability, found in EdgeRouters Version 2.0.9-hotfix.5 and earlier and UniFi Security Gateways (USG) Version 4.4.5

CVE-2023-2375 HIGH POC
7.3 Apr 28

A weakness has been identified in Ubiquiti EdgeRouter X up to 2.0.9-hotfix.6. Rated high severity (CVSS 7.3), this vulne

CVE-2023-2374 HIGH POC
7.3 Apr 28

A security flaw has been discovered in Ubiquiti EdgeRouter X up to 2.0.9-hotfix.6. Rated high severity (CVSS 7.3), this

CVE-2023-2378 HIGH POC
7.3 Apr 28

A flaw has been found in Ubiquiti EdgeRouter X up to 2.0.9-hotfix.6. Rated high severity (CVSS 7.3), this vulnerability

Share

CVE-2026-22562 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy