Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
9DescriptionCVE.org
A malicious actor with access to the UniFi Play network could exploit a Path Traversal vulnerability found in the device firmware to write files on the system that could be used for a remote code execution (RCE).
Affected Products: UniFi Play PowerAmp (Version 1.0.35 and earlier) UniFi Play Audio Port (Version 1.0.24 and earlier) Mitigation: Update UniFi Play PowerAmp to Version 1.0.38 or later Update UniFi Play Audio Port to Version 1.1.9 or later
AnalysisAI
Path traversal in UniFi Play PowerAmp (≤1.0.35) and Audio Port (≤1.0.24) firmware allows unauthenticated remote attackers to write arbitrary files for remote code execution. CVSS 9.8 critical severity reflects network-accessible attack requiring no authentication or user interaction. EPSS score of 0.11% (30th percentile) suggests low immediate exploitation probability despite critical rating. No public exploit identified at time of analysis. Reported via HackerOne bug bounty, vendor patches avai
Technical ContextAI
This vulnerability exploits CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), commonly known as path traversal or directory traversal. The affected products-Ubiquiti UniFi Play PowerAmp and Audio Port devices-are network-connected audio equipment deployed in commercial and residential installations. The flaw resides in the device firmware's file handling routines, which fail to properly sanitize file path inputs. Attackers can use directory traversal sequences (e.g., '../../../') to escape restricted directories and write files to arbitrary locations on the underlying Linux-based operating system. By writing malicious files to executable paths, startup scripts, or web application directories, attackers can achieve persistent remote code execution with the privileges of the firmware process (likely root or system-level). The CPE identifiers (cpe:2.3:a:ubiquiti_inc:unifi_play_poweramp and cpe:2.3:a:ubiquiti_inc:unifi_play_audio_port) confirm these are embedded device firmwares, not traditional server applications, making filesystem-level access particularly dangerous.
RemediationAI
Vendor-released patches are available: upgrade UniFi Play PowerAmp to firmware version 1.0.38 or later, and upgrade UniFi Play Audio Port to firmware version 1.1.9 or later. Firmware updates should be applied via the UniFi controller interface or device management console following standard Ubiquiti update procedures. Until patching is complete, implement network-level mitigations: restrict access to device management interfaces using firewall rules or VLANs to trusted administrator networks only, disable remote management if not required, and monitor device logs for unusual file write operations or unexpected network connections. Organizations without immediate patching capability should air-gap affected devices from untrusted networks. Detailed update instructions and firmware downloads available in Ubiquiti Security Advisory Bulletin 063: https://community.ui.com/releases/Security-Advisory-Bulletin-063/e468dd4b-5090-4ef8-89d8-939903c08e83. Verify firmware versions post-update and audit network segmentation policies for embedded audio/IoT devices.
Unauthenticated command injection in Ubiquiti UniFi OS devices allows remote attackers with network access to execute ar
Path traversal in Ubiquiti UniFi OS devices allows network-adjacent attackers to read sensitive files from the underlyin
Unauthorized system modification on Ubiquiti UniFi OS devices allows network-adjacent attackers to alter device configur
Buffer overflow in the ubnt-streamer RTSP service on the Ubiquiti UBNT AirCam with airVision firmware before 1.1.6 allow
A critical path traversal vulnerability exists in the UniFi Network Application that allows unauthenticated remote attac
A vulnerability has been found in Ubiquiti EdgeRouter X 2.0.9-hotfix.6 and classified as critical. Rated critical severi
Ubiquiti Networks UniFi Dream Machine Pro v7.2.95 allows attackers to bypass domain restrictions via crafted packets. Ra
Ubiquiti Networks UniFi 5.2.7 does not restrict access to the database, which allows remote attackers to modify the data
A vulnerability, found in EdgeRouters Version 2.0.9-hotfix.5 and earlier and UniFi Security Gateways (USG) Version 4.4.5
A weakness has been identified in Ubiquiti EdgeRouter X up to 2.0.9-hotfix.6. Rated high severity (CVSS 7.3), this vulne
A security flaw has been discovered in Ubiquiti EdgeRouter X up to 2.0.9-hotfix.6. Rated high severity (CVSS 7.3), this
A flaw has been found in Ubiquiti EdgeRouter X up to 2.0.9-hotfix.6. Rated high severity (CVSS 7.3), this vulnerability
Same weakness CWE-22 – Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22091
GHSA-vpqx-f7gf-qp3x