Skip to main content

Ubiquiti CVE-2026-22564

| EUVDEUVD-2026-22093 CRITICAL
Improper Access Control (CWE-284)
2026-04-13 hackerone GHSA-h9r9-rwmc-3wm5
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

9
Patch released
Apr 30, 2026 - 16:14 nvd
Patch available
Re-analysis Queued
Apr 17, 2026 - 15:37 vuln.today
cvss_changed
Analysis Updated
Apr 16, 2026 - 05:44 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
1.0.38,1.1.9
Analysis Generated
Apr 15, 2026 - 12:36 vuln.today
EUVD ID Assigned
Apr 13, 2026 - 21:45 euvd
EUVD-2026-22093
Analysis Generated
Apr 13, 2026 - 21:45 vuln.today
CVE Published
Apr 13, 2026 - 21:28 nvd
CRITICAL 9.8

DescriptionCVE.org

An Improper Access Control vulnerability could allow a malicious actor with access to the UniFi Play network to enable SSH to make unauthorized changes to the system.

Affected Products: UniFi Play PowerAmp (Version 1.0.35 and earlier) UniFi Play Audio Port  (Version 1.0.24 and earlier)

Mitigation: Update UniFi Play PowerAmp to Version 1.0.38 or later Update UniFi Play Audio Port  to Version 1.1.9 or later

AnalysisAI

Remote unauthenticated attackers can enable SSH and gain complete system control on Ubiquiti UniFi Play PowerAmp (≤1.0.35) and UniFi Play Audio Port (≤1.0.24) devices via improper access control. The vulnerability bypasses authentication mechanisms, allowing network-accessible adversaries to modify system configurations with critical impact across confidentiality, integrity, and availability (CVSS 9.8). No public exploit identified at time of analysis, with low EPSS probability (0.01%, 3rd percentile) suggesting limited observed exploitation attempts despite the critical severity rating.

Technical ContextAI

This vulnerability affects Ubiquiti's UniFi Play audio management ecosystem, specifically the PowerAmp and Audio Port devices designed for commercial audio distribution over IP networks. The issue stems from CWE-284 (Improper Access Control), a broad category indicating insufficient enforcement of access restrictions. The vulnerability manifests in the SSH service management interface, where authorization checks fail to prevent unauthorized callers from toggling SSH daemon state. The affected products run embedded Linux firmware with network-accessible management interfaces. CPE identifiers cpe:2.3:a:ubiquiti_inc:unifi_play_poweramp and cpe:2.3:a:ubiquiti_inc:unifi_play_audio_port confirm the scope. The CVSS vector AV:N indicates exploitation via standard network protocols without requiring local or adjacent network access, while AC:L confirms no mitigating complexity factors like race conditions or cryptographic challenges. The vulnerability was responsibly disclosed through HackerOne's bug bounty program before public disclosure.

RemediationAI

Immediately update UniFi Play PowerAmp devices to version 1.0.38 or later and UniFi Play Audio Port devices to version 1.1.9 or later, as specified in Ubiquiti Security Advisory Bulletin 063 (https://community.ui.com/releases/Security-Advisory-Bulletin-063/e468dd4b-5090-4ef8-89d8-939903c08e83). Patches are vendor-released and address the improper access control flaw. Until patching is complete, implement compensating controls including isolating UniFi Play devices to dedicated management VLANs with firewall restrictions permitting only authorized administrator source IP addresses, disabling remote management access if not operationally required, and monitoring device logs for unexpected SSH enablement or authentication attempts. Review existing device configurations to verify SSH has not been maliciously enabled on unpatched systems. Organizations using UniFi Network Controller or cloud-based management should verify automatic firmware updates are enabled to receive future security patches.

CVE-2026-34910 CRITICAL POC
10.0 May 22

Unauthenticated command injection in Ubiquiti UniFi OS devices allows remote attackers with network access to execute ar

CVE-2026-34909 CRITICAL POC
10.0 May 22

Path traversal in Ubiquiti UniFi OS devices allows network-adjacent attackers to read sensitive files from the underlyin

CVE-2026-34908 CRITICAL POC
10.0 May 22

Unauthorized system modification on Ubiquiti UniFi OS devices allows network-adjacent attackers to alter device configur

CVE-2013-1606 HIGH POC
7.5 Jul 18

Buffer overflow in the ubnt-streamer RTSP service on the Ubiquiti UBNT AirCam with airVision firmware before 1.1.6 allow

CVE-2026-22557 CRITICAL POC
10.0 Mar 19

A critical path traversal vulnerability exists in the UniFi Network Application that allows unauthenticated remote attac

CVE-2023-1458 CRITICAL POC
9.8 Mar 25

A vulnerability has been found in Ubiquiti EdgeRouter X 2.0.9-hotfix.6 and classified as critical. Rated critical severi

CVE-2023-24104 CRITICAL POC
9.8 Feb 23

Ubiquiti Networks UniFi Dream Machine Pro v7.2.95 allows attackers to bypass domain restrictions via crafted packets. Ra

CVE-2016-7792 HIGH POC
8.8 Jan 23

Ubiquiti Networks UniFi 5.2.7 does not restrict access to the database, which allows remote attackers to modify the data

CVE-2023-23912 HIGH POC
8.8 Feb 09

A vulnerability, found in EdgeRouters Version 2.0.9-hotfix.5 and earlier and UniFi Security Gateways (USG) Version 4.4.5

CVE-2023-2375 HIGH POC
7.3 Apr 28

A weakness has been identified in Ubiquiti EdgeRouter X up to 2.0.9-hotfix.6. Rated high severity (CVSS 7.3), this vulne

CVE-2023-2374 HIGH POC
7.3 Apr 28

A security flaw has been discovered in Ubiquiti EdgeRouter X up to 2.0.9-hotfix.6. Rated high severity (CVSS 7.3), this

CVE-2023-2378 HIGH POC
7.3 Apr 28

A flaw has been found in Ubiquiti EdgeRouter X up to 2.0.9-hotfix.6. Rated high severity (CVSS 7.3), this vulnerability

Share

CVE-2026-22564 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy