CVE-2026-22557 dropped on March 18, 2026 — a CVSS 10.0 path traversal in Ubiquiti's UniFi Network Application that lets an unauthenticated attacker with network access take over any account, including admin. No credentials needed. No user interaction required.
That's bad enough on its own. But here's the real story: this is the third maximum-severity vulnerability in UniFi Network Application within 12 months. That's not bad luck — that's an architectural pattern.
If you run UniFi (and statistically, a lot of you do — it's the go-to for home labs, SMBs, and budget-conscious campus deployments), patch immediately and read on.
What's the Vulnerability?
| Attribute | Detail |
|---|---|
| CVE | CVE-2026-22557 |
| CVSS Score | 10.0 (Maximum) |
| Type | Path traversal |
| Attack Vector | Network (unauthenticated) |
| Impact | Full account takeover including admin |
| Affected | UniFi Network Application ≤ 9.0.118, ≤ 10.1.89, ≤ 10.2.97 |
| Patched | March 18, 2026 |
| Exploited in wild? | Not yet (as of March 21) |
The attack: crafted requests to the UniFi management interface manipulate a file-path parameter so that the application reads or writes files outside the directory it intended to expose. Because those files include the ones that control authentication, the end result is full account takeover.
Censys senior product detection engineer Matthew Guidry noted: "Because this is a path-traversal vulnerability, the technical complexity for an attacker to develop an exploit is relatively low."
No public PoC exists yet, but with a CVSS 10 and low exploitation complexity on a massively deployed product, it's a matter of when, not if.
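To make the bug class concrete, here is an added example (not Ubiquiti's code; the affected UniFi endpoint and parameter are not public on this page) that models a path-traversal file lookup against a constructed web root in a temporary directory, with a fake authentication file sitting one level outside it. `read_file_vulnerable` joins user input straight onto the root; `read_file_hardened` decodes, resolves, and then requires the resolved path to stay inside the root. Everything in it (`www/`, `secret/admins.json`, the `..%2f` payload) is a constructed assumption.

```python
"""Path traversal, illustrated: a naive file lookup beside a hardened one.

Added example, not UniFi code. The web root, the "secret" file and the
attacker payload are all constructed here so the script runs offline.
"""
import os
import tempfile
from urllib.parse import unquote


class TraversalError(ValueError):
    pass


def read_file_vulnerable(web_root: str, user_path: str) -> bytes:
    """Naive join: '..' segments walk straight out of web_root."""
    full = os.path.join(web_root, unquote(user_path))
    with open(full, "rb") as fh:
        return fh.read()


def read_file_hardened(web_root: str, user_path: str) -> bytes:
    """Decode, resolve symlinks, then require the result to stay inside web_root."""
    root = os.path.realpath(web_root)
    # Decode twice so a double-encoded '..' (%252e%252e) is also normalised
    # before the containment check; literal '%' in file names is not supported.
    decoded = unquote(unquote(user_path))
    if "\x00" in decoded:
        raise TraversalError("NUL byte in path")
    # lstrip stops an absolute path from replacing root inside os.path.join.
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/\\")))
    # commonpath is the containment test; a plain startswith(root) would
    # wrongly accept a sibling directory such as root + "_backup".
    if os.path.commonpath([root, candidate]) != root:
        raise TraversalError(f"path escapes web root: {user_path!r}")
    with open(candidate, "rb") as fh:
        return fh.read()


def build_fixture() -> tuple:
    """Constructed layout: <tmp>/www/index.html and <tmp>/secret/admins.json."""
    base = tempfile.mkdtemp()
    os.makedirs(os.path.join(base, "www"))
    os.makedirs(os.path.join(base, "secret"))
    with open(os.path.join(base, "www", "index.html"), "wb") as fh:
        fh.write(b"<h1>ok</h1>")
    with open(os.path.join(base, "secret", "admins.json"), "wb") as fh:
        fh.write(b'{"admin": "hash"}')
    return base, os.path.join(base, "www")


def demo() -> dict:
    """Run the legitimate request and the traversal payload through both lookups."""
    _base, web_root = build_fixture()
    evil = "..%2fsecret%2fadmins.json"  # URL-encoded '../secret/admins.json'
    results = {
        "legit": read_file_hardened(web_root, "index.html"),
        "vuln_leaks": read_file_vulnerable(web_root, evil),
    }
    try:
        read_file_hardened(web_root, evil)
        results["hardened_blocked"] = False
    except TraversalError:
        results["hardened_blocked"] = True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The containment check is the part worth copying: normalise first, resolve symlinks, then compare against the root with `commonpath`. Blocklisting `../` alone misses encoded and mixed-separator variants, which is why traversal bugs keep reappearing in web management consoles.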
The Companion: CVE-2026-22558
Ubiquiti patched a second flaw alongside it — an authenticated NoSQL injection (CVE-2026-22558) that enables privilege escalation. By itself it requires credentials. But chain it with CVE-2026-22557's account takeover and you go from zero access to full admin in two steps.
| | CVE-2026-22557 | CVE-2026-22558 |
|---|---|---|
| Type | Path traversal | NoSQL injection |
| Auth required | No | Yes |
| Impact | Account takeover | Privilege escalation |
| CVSS | 10.0 | High |
| Chain | Standalone | Chain with 22557 → full compromise |
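The page does not say which parameter CVE-2026-22558 injects into, so the following is an added example of the general mechanism rather than the UniFi code path: a MongoDB-style filter is itself a document, and if a request field that should be a string is copied into it unchanged, a JSON object such as `{"$ne": ""}` turns into a query operator. The mini matcher below implements only `$ne`, `$gt`, `$regex` and equality, enough to show the effect offline; the `USERS` records, field names and the attacker body are all constructed.

```python
"""NoSQL operator injection, illustrated. Added example, not UniFi code.

A tiny in-memory matcher with MongoDB-like filter semantics shows how an
authenticated caller can steer a lookup onto a higher-privilege record
when request fields reach the filter without type checks.
"""
import re
from typing import Any

# Constructed records standing in for an admin collection.
USERS = [
    {"name": "alice", "role": "readonly", "pin": 1234},
    {"name": "root", "role": "superadmin", "pin": 9999},
]

# The operator subset this matcher understands.
OPS = {
    "$ne": lambda field, arg: field != arg,
    "$gt": lambda field, arg: field is not None and field > arg,
    "$regex": lambda field, arg: isinstance(field, str) and re.search(arg, field) is not None,
}


def _match_value(field_value: Any, cond: Any) -> bool:
    """A dict condition is an operator document; anything else is equality."""
    if isinstance(cond, dict):
        return all(op in OPS and OPS[op](field_value, arg) for op, arg in cond.items())
    return field_value == cond


def find(coll: list, flt: dict) -> list:
    return [doc for doc in coll if all(_match_value(doc.get(k), v) for k, v in flt.items())]


def lookup_vulnerable(body: dict) -> list:
    """Request JSON copied straight into the filter: operators are honoured."""
    return find(USERS, {"name": body["name"], "pin": body["pin"]})


def lookup_hardened(body: dict) -> list:
    """Accept only scalars of the expected type before anything reaches the filter."""
    name, pin = body.get("name"), body.get("pin")
    if not isinstance(name, str) or isinstance(pin, bool) or not isinstance(pin, int):
        raise ValueError("name must be a string and pin an integer")
    return find(USERS, {"name": name, "pin": pin})


def demo() -> dict:
    # Constructed attacker body: a low-privilege caller matches the
    # superadmin record without knowing its PIN.
    evil = {"name": {"$regex": "^r"}, "pin": {"$ne": 0}}
    out = {"vuln": [d["role"] for d in lookup_vulnerable(evil)]}
    try:
        lookup_hardened(evil)
        out["hardened_blocked"] = False
    except ValueError:
        out["hardened_blocked"] = True
    out["legit"] = [d["role"] for d in lookup_hardened({"name": "alice", "pin": 1234})]
    return out


if __name__ == "__main__":
    print(demo())
```

The fix is the same shape as for the path-traversal bug: validate the type and shape of every request field at the boundary, and never let a client-supplied object become part of a query document.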
Three CVSS 10s in 12 Months — The Pattern
This isn't an isolated bug. CVE-2026-22557 is the third maximum-severity flaw in UniFi Network Application within a year. That pattern tells us something about the architecture:
- Insufficient input validation: path traversal and injection flaws both mean user-supplied input reaches file and database operations without being validated against what the application expects
- Excessive privilege: the management application runs with enough access to the underlying system that a web-layer bug becomes a host-level compromise
- Authentication bypass surface: repeated unauthenticated routes to account takeover suggest the authentication model has structural gaps rather than isolated bugs
And this isn't just a Ubiquiti problem. Look at the industry:
| CVE | Product | CVSS | Type |
|---|---|---|---|
| CVE-2026-22557 | UniFi Network App | 10.0 | Path traversal |
| CVE-2026-20131 | Cisco FMC | 10.0 | Insecure deserialization |
| CVE-2026-20127 | Cisco SD-WAN vManage | 9.8 | Input validation |
| CVE-2025-52665 | UniFi Access | Critical | Auth bypass |
| CVE-2023-20198 | Cisco IOS-XE Web UI | 10.0 | Privilege escalation |
The common thread: web-based management interfaces are a primary attack surface on networking gear, regardless of vendor.
What You Should Do Right Now
1. Patch
Update UniFi Network Application to latest:
- Cloud Gateways → update via UniFi OS interface
- Self-hosted → download latest from Ubiquiti
- Docker → `docker pull` the latest image, then recreate the container (pulling alone does not update a running container)
2. Restrict Management Access
If your UniFi management interface is reachable from anything other than a dedicated management network, fix that:
- Bind management to a dedicated VLAN
- Use a reverse proxy with IP allowlisting for remote access
- Disable default cloud access if you don't need it
- Enable MFA on all admin accounts
3. Audit
- Check for unauthorized admin accounts or account modifications
- Review login history for anomalous access
- Verify no unexpected configuration changes
- If self-hosted, check file system integrity
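As an added example covering steps 1 to 3 (not a Ubiquiti tool), the script below classifies a UniFi Network Application version against the ceilings in the table above and scans reverse-proxy access-log lines in front of the controller for requests from outside the management network or carrying traversal markers. The version ceilings are the page's; everything else is an assumption: the management CIDR `10.10.0.0/24`, the combined-log format, the request paths, and the sample log lines are all constructed. Versions on branches the page does not list come back as `unknown` so you check the advisory rather than trust the script.

```python
"""Triage helpers: version check plus access-log scan. Added example, not
Ubiquiti code. Version ceilings are from the table on this page; the log
format, paths, CIDR and sample lines are constructed assumptions.
"""
import ipaddress
import re
from urllib.parse import unquote

# Highest affected release per branch, as listed on this page.
AFFECTED_CEILING = {(9, 0): 118, (10, 1): 89, (10, 2): 97}


def parse_version(s: str) -> tuple:
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", s.strip())
    if not m:
        raise ValueError(f"unrecognised version: {s!r}")
    return tuple(int(x) for x in m.groups())


def patch_status(version: str) -> str:
    """'affected', 'fixed', or 'unknown' (a branch the page does not list)."""
    major, minor, patch = parse_version(version)
    branch = (major, minor)
    if branch in AFFECTED_CEILING:
        return "affected" if patch <= AFFECTED_CEILING[branch] else "fixed"
    # Assumption: anything older than the oldest listed branch is treated as affected.
    if branch < min(AFFECTED_CEILING):
        return "affected"
    return "unknown"


# Steps 2 and 3: scan a combined-format access log from a reverse proxy
# placed in front of the controller (constructed format, not UniFi's own log).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TRAVERSAL_RE = re.compile(r"(\.\./|\.\.\\|%2e%2e|\.\.%2f|\.\.%5c)", re.IGNORECASE)


def audit_access_log(lines, mgmt_nets) -> list:
    """Flag requests from outside the management networks or with traversal markers."""
    nets = [ipaddress.ip_network(n) for n in mgmt_nets]
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip = ipaddress.ip_address(m["ip"])
        reasons = []
        if not any(ip in n for n in nets):
            reasons.append("outside management network")
        # Check both the raw and the decoded path so encoded variants are caught.
        if TRAVERSAL_RE.search(m["path"]) or TRAVERSAL_RE.search(unquote(m["path"])):
            reasons.append("traversal pattern")
        if reasons:
            findings.append({"ip": m["ip"], "path": m["path"], "status": m["status"], "reasons": reasons})
    return findings


# Constructed sample lines; the hosts, paths and timestamps are made up.
SAMPLE_LOG = [
    '10.10.0.5 - - [19/Mar/2026:09:12:01 +0000] "GET /manage/account HTTP/1.1" 200 512',
    '203.0.113.7 - - [19/Mar/2026:09:13:44 +0000] "GET /api/files?name=..%2f..%2fetc%2fpasswd HTTP/1.1" 404 0',
    '10.10.0.9 - - [19/Mar/2026:09:15:10 +0000] "POST /api/login HTTP/1.1" 200 88',
    '198.51.100.2 - - [19/Mar/2026:09:16:30 +0000] "POST /api/login HTTP/1.1" 401 43',
]

if __name__ == "__main__":
    for v in ("9.0.118", "10.2.98", "8.6.9", "10.0.3"):
        print(v, patch_status(v))
    for f in audit_access_log(SAMPLE_LOG, ["10.10.0.0/24"]):
        print(f)
```

A 404 on a traversal attempt is still worth an alert: it tells you who is probing, and on an unpatched controller the next request may not fail. Feed the real log through the same function with your own management CIDRs.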
4. Apply Management Plane Isolation Everywhere
Every network management platform should follow this model:
[Untrusted Networks / Internet]
↕ BLOCKED
[Management VLAN (isolated)]
├── UniFi Controller
├── Cisco FMC
├── DNA Center / Catalyst Center
└── Jump Host with MFA
↕ ALLOWED (authenticated + MFA)
[Admin Workstations]
This isn't optional anymore. When management platforms from multiple vendors are dropping CVSS 10s regularly, treating them as trusted internal services is negligent.
The Bigger Picture for Engineers
The management plane — the part of your network that controls everything else — is consistently the weakest link. Whether you're running Ubiquiti UniFi in your home lab, Cisco FMC in production, or Arista CloudVision in your data center, the security principles are the same:
- Isolate management interfaces on dedicated networks
- Authenticate with strong credentials + MFA
- Authorize with RBAC — not everyone needs full admin
- Monitor all management plane access in real-time
- Patch management platforms with the same urgency as your firewalls
The irony is thick: the platforms we use to secure our networks are themselves the most attractive targets. Three CVSS 10.0 vulnerabilities in one product in one year is an architectural warning — not just for Ubiquiti, but for every vendor shipping web-based management consoles.
Patch today. Segment your management plane. Don't wait for the PoC.
Originally published at FirstPassLab. For more deep dives on network security and infrastructure engineering, visit firstpasslab.com.
AI Disclosure: This article was adapted from original research with AI assistance for editing and formatting. All technical claims are sourced from vendor advisories, Censys research, and NVD entries.