Ubiquiti UniFi zero‑auth flaw

A critical unauthenticated path‑traversal vulnerability (CVE‑2026‑22557) was disclosed in the Ubiquiti UniFi Network Application that can lead to account compromise. IT and audit committees should demand exposure briefings and confirm incident response plans have been exercised. (censys.com)

NVD records CVE‑2026‑22557 as a path‑traversal weakness with a CVSS v3.1 base score of 10.0 and credits HackerOne as the CNA, with the record added to NVD on March 19, 2026. Ubiquiti published Security Advisory Bulletin 062 on March 18, 2026 and identified affected UniFi Network Application builds as official releases 10.1.85 and earlier, release‑candidate 10.2.93 and earlier, and UniFi Express (UX) builds using Network app 9.0.114 and earlier.

Vendor analysis and advisories state the flaw is exploitable with only network access and allows arbitrary file read/write on the underlying system, enabling full account takeover or system‑level compromise without authentication. Ubiquiti issued emergency updates and advised immediate upgrades; the vendor also recommended UniFi OS Server for self‑hosted deployments as part of the remediation guidance while patches were distributed.

Asset‑exposure mapping surfaced quickly: Censys published an advisory and host‑maps for internet‑exposed UniFi instances, and asset‑inventory vendors such as runZero released detection/playbook notes to locate affected deployments. National authorities and multiple security vendors urged prioritizing patching and configuration validation, and noted Ubiquiti’s advisory contains no confirmed reports of active exploitation in the wild as of the March 18–19, 2026 disclosures.
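As an added example (not code from this briefing, Ubiquiti, Censys or runZero), a small Python triage helper that checks inventory version strings against the affected ranges listed above. The release‑track labels (`official`, `rc`, `ux`) are an assumption: the bulletin gives a separate ceiling per track, and a bare version string does not say which track a build belongs to, so the inventory has to supply it.

```python
# Added example: triage UniFi Network Application versions against the
# affected ranges summarised above (Bulletin 062). Track labels are an
# assumption supplied by the caller; the fixed versions are not stated on
# the page, so a build outside the range is reported only as such.
from typing import List, Tuple

# Highest affected build per release track, per the bulletin summary.
AFFECTED_MAX = {
    "official": (10, 1, 85),   # official releases 10.1.85 and earlier
    "rc": (10, 2, 93),         # release candidates 10.2.93 and earlier
    "ux": (9, 0, 114),         # UniFi Express builds 9.0.114 and earlier
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Parse 'major.minor.build' into a comparable tuple.

    Anything that is not three dot-separated integers raises ValueError so
    a malformed inventory row is flagged for review, not silently skipped.
    """
    parts = version.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised UniFi version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str, track: str) -> bool:
    """True if the build is at or below the affected ceiling for its track."""
    if track not in AFFECTED_MAX:
        raise ValueError(f"unknown release track: {track!r}")
    return parse_version(version) <= AFFECTED_MAX[track]


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """Return (host, version, track, status) rows; errors become 'review:' rows."""
    rows = []
    for host, version, track in inventory:
        try:
            status = "PATCH NOW" if is_affected(version, track) else "not in affected range"
        except ValueError as exc:
            status = f"review: {exc}"
        rows.append((host, version, track, status))
    return rows


# Constructed sample inventory: hostnames and builds are made up for the demo.
SAMPLE_INVENTORY = [
    ("unifi-hq", "10.1.85", "official"),
    ("unifi-lab", "10.1.86", "official"),
    ("unifi-rc", "10.2.93", "rc"),
    ("ux-branch", "9.0.114", "ux"),
    ("ux-branch2", "9.1.0", "ux"),
    ("unifi-old", "10.1", "official"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print("%-12s %-9s %-9s %s" % row)
```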
