{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/unifi/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-22562"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["path-traversal","rce","unifi"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-22562 describes a critical path traversal vulnerability affecting UniFi Play PowerAmp (version 1.0.35 and earlier) and UniFi Play Audio Port (version 1.0.24 and earlier) devices. An attacker with access to the UniFi Play network can exploit this vulnerability to write arbitrary files on the file system. This capability can then be leveraged to achieve remote code execution (RCE) on the vulnerable device. Successful exploitation requires network access to the affected UniFi Play devices, making internal networks the primary target. The vulnerability was disclosed in April 2026. Defenders should prioritize patching vulnerable devices to prevent potential compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains access to the UniFi Play network (e.g., via compromised credentials or network intrusion).\u003c/li\u003e\n\u003cli\u003eAttacker identifies a vulnerable UniFi Play device (PowerAmp \u0026lt;= 1.0.35 or Audio Port \u0026lt;= 1.0.24).\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious HTTP request containing a path traversal sequence (e.g., \u0026ldquo;../../../\u0026rdquo;) in a file upload or download parameter.\u003c/li\u003e\n\u003cli\u003eThe vulnerable device processes the request without proper sanitization, allowing the attacker to write a file to an arbitrary location on the file system.\u003c/li\u003e\n\u003cli\u003eAttacker writes a malicious script (e.g., a shell script or executable) to a location where it can be executed (e.g., a startup directory or cron job).\u003c/li\u003e\n\u003cli\u003eAttacker triggers the execution of the malicious script (e.g., by rebooting the device or waiting for the cron job to run).\u003c/li\u003e\n\u003cli\u003eThe malicious script executes with the privileges of the UniFi Play device, granting the attacker remote code execution.\u003c/li\u003e\n\u003cli\u003eAttacker uses RCE to further compromise the device, pivot to other network assets, or establish persistence.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-22562 allows an attacker to gain complete control of the vulnerable UniFi Play device. This can lead to data exfiltration, device disruption, and further compromise of the network to which the device is connected. Given the potential for RCE, an attacker could potentially use compromised devices as entry points to other systems on the network, thus expanding their reach and increasing the overall impact of the attack. Organizations using affected UniFi Play devices are at high risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update UniFi Play PowerAmp to version 1.0.38 or later and UniFi Play Audio Port to version 1.1.9 or later to patch CVE-2026-22562 (see Overview).\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for suspicious HTTP requests containing path traversal sequences targeting UniFi Play devices using the provided Sigma rule (Path Traversal in URI).\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the impact of a potential compromise of a UniFi Play device.\u003c/li\u003e\n\u003cli\u003eReview and harden access controls to the UniFi Play network to prevent unauthorized access by potential attackers.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-14T14:00:00Z","date_published":"2026-04-14T14:00:00Z","id":"/briefs/2026-04-unifi-path-traversal/","summary":"A path traversal vulnerability in UniFi Play devices allows an attacker with network access to write arbitrary files, leading to remote code execution.","title":"UniFi Play Path Traversal Vulnerability (CVE-2026-22562)","url":"https://feed.craftedsignal.io/briefs/2026-04-unifi-path-traversal/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-22566"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["vulnerability","access-control","unifi"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-22566 describes an improper access control vulnerability affecting UniFi Play devices. Specifically, UniFi Play PowerAmp (version 1.0.35 and earlier) and UniFi Play Audio Port (version 1.0.24 and earlier) are vulnerable. A malicious actor who has already gained access to the UniFi Play network can exploit this vulnerability to obtain UniFi Play WiFi credentials. This vulnerability was reported by HackerOne and assigned a CVSS v3.1 base score of 7.5. The vulnerability was published on April 13, 2026. Updating the affected devices to the specified fixed versions is recommended to mitigate the risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to the UniFi Play network. (This step is a prerequisite and not detailed in the advisory)\u003c/li\u003e\n\u003cli\u003eThe attacker leverages an access control flaw in the UniFi Play PowerAmp or Audio Port software.\u003c/li\u003e\n\u003cli\u003eA specially crafted request is sent to the vulnerable device via the local network.\u003c/li\u003e\n\u003cli\u003eThe vulnerable device improperly handles the access control check.\u003c/li\u003e\n\u003cli\u003eThe device divulges the stored WiFi credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker captures the exposed WiFi credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the WiFi credentials to gain broader access to the wireless network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-22566 allows an attacker with existing access to a UniFi Play network to obtain WiFi credentials. This could lead to unauthorized access to the wireless network, potentially compromising other devices and sensitive information on the network. While the specific number of affected users is unknown, any network utilizing vulnerable versions of UniFi Play PowerAmp or Audio Port is at risk. The impact is elevated if the compromised WiFi network provides access to critical infrastructure or sensitive data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update UniFi Play PowerAmp to version 1.0.38 or later and UniFi Play Audio Port to version 1.1.9 or later to remediate CVE-2026-22566.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for suspicious activity originating from UniFi Play devices after the vulnerability was disclosed (2026-04-13).\u003c/li\u003e\n\u003cli\u003eSegment the UniFi Play network from other critical networks to limit the impact of a potential breach.\u003c/li\u003e\n\u003cli\u003eImplement network access control policies to restrict access to sensitive resources from the UniFi Play network, even after applying the patch.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-13T22:16:28Z","date_published":"2026-04-13T22:16:28Z","id":"/briefs/2026-04-unifi-play-access-control/","summary":"An improper access control vulnerability in UniFi Play PowerAmp and Audio Port allows a malicious actor with access to the UniFi Play network to obtain WiFi credentials.","title":"UniFi Play Improper Access Control Vulnerability (CVE-2026-22566)","url":"https://feed.craftedsignal.io/briefs/2026-04-unifi-play-access-control/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-22563"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["command-injection","unifi","cve-2026-22563"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-22563 describes a critical command injection vulnerability affecting UniFi Play PowerAmp (version 1.0.35 and earlier) and UniFi Play Audio Port (version 1.0.24 and earlier). The vulnerability stems from improper input validation, which allows an attacker with access to the UniFi Play network to inject arbitrary commands. Successful exploitation could lead to unauthorized access, system compromise, and potentially full control of the affected devices. This vulnerability was reported to HackerOne and assigned a CVSS v3.1 score of 9.8, indicating its severity. It is crucial for organizations using these UniFi Play devices to apply the recommended updates to mitigate this risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains access to the UniFi Play network (e.g., through compromised credentials or network vulnerabilities).\u003c/li\u003e\n\u003cli\u003eAttacker identifies a vulnerable UniFi Play PowerAmp or Audio Port device running an affected software version (1.0.35 or earlier for PowerAmp, 1.0.24 or earlier for Audio Port).\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious payload containing an injected command.\u003c/li\u003e\n\u003cli\u003eAttacker sends the malicious payload to the vulnerable device through a network request, exploiting the improper input validation vulnerability (CVE-2026-22563).\u003c/li\u003e\n\u003cli\u003eThe vulnerable device fails to properly sanitize the input, allowing the injected command to be executed by the underlying operating system.\u003c/li\u003e\n\u003cli\u003eThe injected command executes with the privileges of the UniFi Play application, potentially allowing the attacker to perform actions such as reading sensitive data, modifying system configurations, or installing malicious software.\u003c/li\u003e\n\u003cli\u003eAttacker establishes a reverse shell to maintain persistent access to the compromised device.\u003c/li\u003e\n\u003cli\u003eAttacker pivots to other devices in the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-22563 can lead to full system compromise of UniFi Play PowerAmp and Audio Port devices. An attacker could gain unauthorized access to sensitive data, disrupt audio services, or use the compromised devices as a foothold to pivot to other systems on the network. Given the high CVSS score of 9.8, the impact is considered critical. The specific number of affected devices and sectors remains unknown, but organizations utilizing UniFi Play devices are at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update UniFi Play PowerAmp to version 1.0.38 or later and UniFi Play Audio Port to version 1.1.9 or later to patch CVE-2026-22563.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for suspicious activity originating from UniFi Play devices.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the potential impact of a compromised device.\u003c/li\u003e\n\u003cli\u003eReview and enforce strong password policies to prevent unauthorized network access.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule for command injection attempts targeting UniFi Play devices (see below) to detect exploitation attempts in your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-13T22:16:28Z","date_published":"2026-04-13T22:16:28Z","id":"/briefs/2026-04-unifi-command-injection/","summary":"A malicious actor with access to the UniFi Play network can exploit improper input validation vulnerabilities (CVE-2026-22563) in UniFi Play PowerAmp and Audio Port to inject commands, potentially leading to arbitrary code execution.","title":"UniFi Play Command Injection Vulnerability (CVE-2026-22563)","url":"https://feed.craftedsignal.io/briefs/2026-04-unifi-command-injection/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["unifi","mitm","credential-theft","cve-2019-25652"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2019-25652 affects UniFi Network Controller versions prior to 5.10.22 and 5.11.x before 5.11.18. The vulnerability stems from an improper certificate verification process during SMTP connections. An attacker positioned on an adjacent network can exploit this weakness to conduct man-in-the-middle (MitM) attacks. By presenting a false SSL certificate, the attacker can intercept SMTP traffic intended for the UniFi Network Controller, potentially gaining access to sensitive information…\u003c/p\u003e\n","date_modified":"2026-03-27T22:16:19Z","date_published":"2026-03-27T22:16:19Z","id":"/briefs/2026-03-unifi-cert-bypass/","summary":"UniFi Network Controller versions before 5.10.22 and 5.11.x before 5.11.18 contain an improper certificate verification vulnerability, enabling adjacent network attackers to perform man-in-the-middle attacks by presenting a fraudulent SSL certificate during SMTP connections to intercept traffic and steal credentials.","title":"UniFi Network Controller Improper Certificate Verification Vulnerability (CVE-2019-25652)","url":"https://feed.craftedsignal.io/briefs/2026-03-unifi-cert-bypass/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["unifi","path-traversal","nosql-injection","cve-2026-22557","cve-2026-22558"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe UniFi Network Application, a central platform for managing network devices across enterprise and SMB environments, is affected by two critical vulnerabilities: CVE-2026-22557 (Path Traversal) and CVE-2026-22558 (Authenticated NoSQL Injection). These vulnerabilities impact Official Release versions 10.1.85 and earlier, Release Candidate versions 10.2.93 and earlier, and UniFi Express (UX) versions 9.0.114 and earlier. Exploitation of CVE-2026-22557 enables attackers to access and manipulate…\u003c/p\u003e\n","date_modified":"2026-03-21T12:00:00Z","date_published":"2026-03-21T12:00:00Z","id":"/briefs/2026-03-unifi-vulns/","summary":"A combination of path traversal (CVE-2026-22557) and NoSQL injection (CVE-2026-22558) vulnerabilities in the UniFi Network Application allows attackers to access files, escalate privileges, and potentially compromise the entire system.","title":"UniFi Network Application Vulnerabilities CVE-2026-22557 and CVE-2026-22558","url":"https://feed.craftedsignal.io/briefs/2026-03-unifi-vulns/"}],"language":"en","title":"CraftedSignal Threat Feed — Unifi","version":"https://jsonfeed.org/version/1.1"}