CVE-2026-22557
published 2026-03-19

Priority: P1 (84)
Severity: critical, 10 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EXPLOIT
EPSS: 15.60% (96.4th percentile)

A malicious actor with access to the network could exploit a Path Traversal vulnerability found in the UniFi Network Application to access files on the underlying system that could be manipulated to access an underlying account.

Affected (3 ranges)

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ubiquiti_inc | unifi_network_application | >= 10.1.89 < 10.1.89 | 10.1.89 |
| ubiquiti_inc | unifi_network_application | >= 10.2.97 < 10.2.97 | 10.2.97 |
| ubiquiti_inc | unifi_network_application | >= 9.0.118 < 9.0.118 | 9.0.118 |

Detection & IOCs (extracted from sources)

url: GET /guest/s/default/login?page_error=..%2F..%2Fweb.xml HTTP/1.1
path: /guest/s/default/login?page_error=..%2F..%2Fweb.xml
url: https://github.com/ThePotatoOfDoom/CVE-2026-22557-PoC
yara: contains_all(body, "","<web-app") AND contains(content_type, "application/xml") AND status_code == 200
  • Path traversal payload targets the 'page_error' parameter in the UniFi guest portal login endpoint, using URL-encoded '../' sequences to reach web.xml on the underlying system.
  • Exploit requires no authentication (PR:N, UI:N) and is network-reachable; look for unauthenticated GET requests to /guest/s/default/login with 'page_error' parameter containing path traversal sequences.
  • Successful exploitation response contains '<web-app' in the body with content-type 'application/xml' and HTTP 200 status — use these as detection response indicators.
  • Referer header in exploit request is crafted with MAC address and SSID parameters; monitor for suspicious Referer values on UniFi guest portal endpoints.
  • Censys is tracking nearly 87,000 Internet-exposed UniFi Network endpoints; prioritize patching internet-facing instances.
  • Vulnerability affects UniFi Network Application version 10.1.85 and earlier; fixed in version 10.1.89 or later.
  • The Nuclei template is verified and requires only 1 HTTP request (max-request: 1), making it very low-noise for scanning.
  • A public proof-of-concept exploit exists on GitHub, increasing the likelihood of active exploitation.
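
The request-side indicators above can be checked against reverse-proxy or controller access logs. The following is an added example, not taken from the advisory or its sources: it assumes combined-format log lines, treats any site name under /guest/s/ as in scope (the page only shows "default"), and runs over constructed sample lines. Access logs carry no response body or content type, so a 200 status here only raises triage priority.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Combined-format access log line (assumed log format).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
# The page shows site "default"; matching any site name is an assumption.
PORTAL_RE = re.compile(r'^/guest/s/[^/]+/login/?$')
# A ".." path segment delimited by / or \ (or the ends of the value).
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')

def fully_decode(value, max_rounds=5):
    """Percent-decode until stable so nested encodings normalise too."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return (source, status, decoded page_error) for a hit, else None."""
    m = LOG_RE.match(line)
    if not m or m['method'] != 'GET':
        return None
    url = urlsplit(m['target'])
    if not PORTAL_RE.match(url.path):
        return None
    for key, value in parse_qsl(url.query, keep_blank_values=True):
        decoded = fully_decode(value)
        if key == 'page_error' and TRAVERSAL_RE.search(decoded):
            return (m['src'], int(m['status']), decoded)
    return None

def scan(lines):
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '198.51.100.7 - - [20/Mar/2026:10:01:02 +0000] "GET /guest/s/default/login?page_error=..%2F..%2Fweb.xml HTTP/1.1" 200 4312 "-" "-"',
    '198.51.100.7 - - [20/Mar/2026:10:01:03 +0000] "GET /guest/s/default/login?page_error=..%252F..%252Fweb.xml HTTP/1.1" 404 0 "-" "-"',
    '192.0.2.10 - - [20/Mar/2026:10:02:00 +0000] "GET /guest/s/default/login?page_error=invalid..voucher HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == '__main__':
    for src, status, value in scan(SAMPLE_LOG):
        print(f'{src} status={status} page_error={value!r}')
```

Hits with status 200 are the ones to correlate with response captures for the '<web-app' body and 'application/xml' content-type indicators listed above.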