UniFi Play path traversal to RCE, patch now (CVE-2026-22562)
CVE-2026-22562
A malicious actor with access to the UniFi Play network could exploit a Path Traversal vulnerability found in the device firmware to write files on the system that could be used for a remote code exec...
Overview
A critical security vulnerability, tracked as CVE-2026-22562, has been identified in specific UniFi Play devices. This flaw allows an attacker with network access to write arbitrary files to the system, which can be leveraged to achieve full remote code execution (RCE).
Affected Products
The vulnerability exists in the device firmware of the following products:
- UniFi Play PowerAmp: Version 1.0.35 and earlier.
- UniFi Play Audio Port: Version 1.0.24 and earlier.
Technical Details
The vulnerability is a path traversal flaw. In simple terms, it fails to properly validate file paths in network requests. A malicious actor on the same network as the UniFi Play device can exploit this weakness to write files to unintended locations on the device’s filesystem. By writing a malicious file, such as a script, the attacker can then trigger its execution, effectively taking control of the device. The attack requires no authentication (privileges) and no user interaction, making it highly severe.
Impact
If successfully exploited, this vulnerability grants an attacker complete control over the affected UniFi Play device. From there, an attacker could disrupt audio services, use the device as a foothold to attack other devices on the local network, or potentially exfiltrate data. Given the CVSS v3.1 base score of 9.8 (CRITICAL), this represents a significant risk to network security.
Remediation and Mitigation
The only complete remediation is to update the device firmware to a patched version.
- UniFi Play PowerAmp: Update to version 1.0.38 or later.
- UniFi Play Audio Port: Update to version 1.1.9 or later.
These updates should be applied immediately. As a temporary mitigation, if updating is not immediately possible, network segmentation can be used to isolate UniFi Play devices from untrusted networks and user devices to limit the potential attack surface.
Security Insight
This vulnerability highlights the persistent risk of path traversal flaws in embedded and IoT device firmware, a class of bug often stemming from simpler coding errors. Similar incidents in other network-attached storage and appliance products have shown that such flaws can provide a direct route from a network presence to full system compromise, underscoring the critical need for robust input validation in all network-facing services. For the latest on emerging threats, monitor our security news feed.
Further Reading
Never miss a critical vulnerability
Get real-time security alerts delivered to your preferred platform.
Related Advisories
ChurchCRM is an open-source church management system. Prior to 6.5.3, a path traversal vulnerability in ChurchCRM's backup restore functionality allows authenticated administrators to upload arbitrary...
Pegasus CMS 1.0 contains a remote code execution vulnerability in the extra_fields.php plugin that allows unauthenticated attackers to execute arbitrary commands by exploiting unsafe eval functionalit...
Mesop is a Python-based UI framework that allows users to build web applications. Versions 1.2.2 and below contain a Path Traversal vulnerability that allows any user supplying an untrusted state_toke...
ApostropheCMS is an open-source content management framework. Prior to version 3.5.3 of `@apostrophecms/import-export`, The `extract()` function in `gzip.js` constructs file-write paths using `fs.crea...