<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Unifi — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/unifi/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 14 Apr 2026 14:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/unifi/feed.xml" rel="self" type="application/rss+xml"/><item><title>UniFi Play Path Traversal Vulnerability (CVE-2026-22562)</title><link>https://feed.craftedsignal.io/briefs/2026-04-unifi-path-traversal/</link><pubDate>Tue, 14 Apr 2026 14:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-unifi-path-traversal/</guid><description>A path traversal vulnerability in UniFi Play devices allows an attacker with network access to write arbitrary files, leading to remote code execution.</description><content:encoded><![CDATA[<p>CVE-2026-22562 describes a critical path traversal vulnerability affecting UniFi Play PowerAmp (version 1.0.35 and earlier) and UniFi Play Audio Port (version 1.0.24 and earlier) devices. An attacker with access to the UniFi Play network can exploit this vulnerability to write arbitrary files on the file system. This capability can then be leveraged to achieve remote code execution (RCE) on the vulnerable device. Successful exploitation requires network access to the affected UniFi Play devices, making internal networks the primary target. The vulnerability was disclosed in April 2026. Defenders should prioritize patching vulnerable devices to prevent potential compromise.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains access to the UniFi Play network (e.g., via compromised credentials or network intrusion).</li>
<li>Attacker identifies a vulnerable UniFi Play device (PowerAmp &lt;= 1.0.35 or Audio Port &lt;= 1.0.24).</li>
<li>Attacker crafts a malicious HTTP request containing a path traversal sequence (e.g., &ldquo;../../../&rdquo;) in a file upload or download parameter.</li>
<li>The vulnerable device processes the request without proper sanitization, allowing the attacker to write a file to an arbitrary location on the file system.</li>
<li>Attacker writes a malicious script (e.g., a shell script or executable) to a location where it can be executed (e.g., a startup directory or cron job).</li>
<li>Attacker triggers the execution of the malicious script (e.g., by rebooting the device or waiting for the cron job to run).</li>
<li>The malicious script executes with the privileges of the UniFi Play device, granting the attacker remote code execution.</li>
<li>Attacker uses RCE to further compromise the device, pivot to other network assets, or establish persistence.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-22562 allows an attacker to gain complete control of the vulnerable UniFi Play device. This can lead to data exfiltration, device disruption, and further compromise of the network to which the device is connected. Given the potential for RCE, an attacker could use compromised devices as entry points to other systems on the network, expanding their reach and increasing the overall impact of the attack. Organizations using affected UniFi Play devices are at high risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately update UniFi Play PowerAmp to version 1.0.38 or later and UniFi Play Audio Port to version 1.1.9 or later to patch CVE-2026-22562 (see Overview).</li>
<li>Monitor network traffic for suspicious HTTP requests containing path traversal sequences targeting UniFi Play devices using the provided Sigma rule (Path Traversal in URI).</li>
<li>Implement network segmentation to limit the impact of a potential compromise of a UniFi Play device.</li>
<li>Review and harden access controls to the UniFi Play network to prevent unauthorized access by potential attackers.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>path-traversal</category><category>rce</category><category>unifi</category></item><item><title>UniFi Play Improper Access Control Vulnerability (CVE-2026-22566)</title><link>https://feed.craftedsignal.io/briefs/2026-04-unifi-play-access-control/</link><pubDate>Mon, 13 Apr 2026 22:16:28 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-unifi-play-access-control/</guid><description>An improper access control vulnerability in UniFi Play PowerAmp and Audio Port allows a malicious actor with access to the UniFi Play network to obtain WiFi credentials.</description><content:encoded><![CDATA[<p>CVE-2026-22566 describes an improper access control vulnerability affecting UniFi Play devices. Specifically, UniFi Play PowerAmp (version 1.0.35 and earlier) and UniFi Play Audio Port (version 1.0.24 and earlier) are vulnerable. A malicious actor who has already gained access to the UniFi Play network can exploit this vulnerability to obtain UniFi Play WiFi credentials. This vulnerability was reported by HackerOne and assigned a CVSS v3.1 base score of 7.5. The vulnerability was published on April 13, 2026. Updating the affected devices to the specified fixed versions is recommended to mitigate the risk.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains initial access to the UniFi Play network. (This step is a prerequisite and is not detailed in the advisory.)</li>
<li>The attacker leverages an access control flaw in the UniFi Play PowerAmp or Audio Port software.</li>
<li>A specially crafted request is sent to the vulnerable device via the local network.</li>
<li>The vulnerable device improperly handles the access control check.</li>
<li>The device divulges the stored WiFi credentials.</li>
<li>The attacker captures the exposed WiFi credentials.</li>
<li>The attacker uses the WiFi credentials to gain broader access to the wireless network.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-22566 allows an attacker with existing access to a UniFi Play network to obtain WiFi credentials. This could lead to unauthorized access to the wireless network, potentially compromising other devices and sensitive information on the network. While the specific number of affected users is unknown, any network utilizing vulnerable versions of UniFi Play PowerAmp or Audio Port is at risk. The impact is elevated if the compromised WiFi network provides access to critical infrastructure or sensitive data.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately update UniFi Play PowerAmp to version 1.0.38 or later and UniFi Play Audio Port to version 1.1.9 or later to remediate CVE-2026-22566.</li>
<li>Monitor network traffic for suspicious activity originating from UniFi Play devices after the vulnerability was disclosed (2026-04-13).</li>
<li>Segment the UniFi Play network from other critical networks to limit the impact of a potential breach.</li>
<li>Implement network access control policies to restrict access to sensitive resources from the UniFi Play network, even after applying the patch.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>vulnerability</category><category>access-control</category><category>unifi</category></item><item><title>UniFi Play Command Injection Vulnerability (CVE-2026-22563)</title><link>https://feed.craftedsignal.io/briefs/2026-04-unifi-command-injection/</link><pubDate>Mon, 13 Apr 2026 22:16:28 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-unifi-command-injection/</guid><description>A malicious actor with access to the UniFi Play network can exploit improper input validation vulnerabilities (CVE-2026-22563) in UniFi Play PowerAmp and Audio Port to inject commands, potentially leading to arbitrary code execution.</description><content:encoded><![CDATA[<p>CVE-2026-22563 describes a critical command injection vulnerability affecting UniFi Play PowerAmp (version 1.0.35 and earlier) and UniFi Play Audio Port (version 1.0.24 and earlier). The vulnerability stems from improper input validation, which allows an attacker with access to the UniFi Play network to inject arbitrary commands. Successful exploitation could lead to unauthorized access, system compromise, and potentially full control of the affected devices. This vulnerability was reported to HackerOne and assigned a CVSS v3.1 score of 9.8, indicating its severity. It is crucial for organizations using these UniFi Play devices to apply the recommended updates to mitigate this risk.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains access to the UniFi Play network (e.g., through compromised credentials or network vulnerabilities).</li>
<li>Attacker identifies a vulnerable UniFi Play PowerAmp or Audio Port device running an affected software version (1.0.35 or earlier for PowerAmp, 1.0.24 or earlier for Audio Port).</li>
<li>Attacker crafts a malicious payload containing an injected command.</li>
<li>Attacker sends the malicious payload to the vulnerable device through a network request, exploiting the improper input validation vulnerability (CVE-2026-22563).</li>
<li>The vulnerable device fails to properly sanitize the input, allowing the injected command to be executed by the underlying operating system.</li>
<li>The injected command executes with the privileges of the UniFi Play application, potentially allowing the attacker to perform actions such as reading sensitive data, modifying system configurations, or installing malicious software.</li>
<li>Attacker establishes a reverse shell to maintain persistent access to the compromised device.</li>
<li>Attacker pivots to other devices in the network.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-22563 can lead to full system compromise of UniFi Play PowerAmp and Audio Port devices. An attacker could gain unauthorized access to sensitive data, disrupt audio services, or use the compromised devices as a foothold to pivot to other systems on the network. Given the high CVSS score of 9.8, the impact is considered critical. The specific number of affected devices and sectors remains unknown, but organizations utilizing UniFi Play devices are at risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately update UniFi Play PowerAmp to version 1.0.38 or later and UniFi Play Audio Port to version 1.1.9 or later to patch CVE-2026-22563.</li>
<li>Monitor network traffic for suspicious activity originating from UniFi Play devices.</li>
<li>Implement network segmentation to limit the potential impact of a compromised device.</li>
<li>Review and enforce strong password policies to prevent unauthorized network access.</li>
<li>Deploy the Sigma rule for command injection attempts targeting UniFi Play devices (see below) to detect exploitation attempts in your environment.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>command-injection</category><category>unifi</category><category>cve-2026-22563</category></item><item><title>UniFi Network Controller Improper Certificate Verification Vulnerability (CVE-2019-25652)</title><link>https://feed.craftedsignal.io/briefs/2026-03-unifi-cert-bypass/</link><pubDate>Fri, 27 Mar 2026 22:16:19 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-03-unifi-cert-bypass/</guid><description>UniFi Network Controller versions before 5.10.22 and 5.11.x before 5.11.18 contain an improper certificate verification vulnerability, enabling adjacent network attackers to perform man-in-the-middle attacks by presenting a fraudulent SSL certificate during SMTP connections to intercept traffic and steal credentials.</description><content:encoded>&lt;p>CVE-2019-25652 affects UniFi Network Controller versions prior to 5.10.22 and 5.11.x before 5.11.18. The vulnerability stems from an improper certificate verification process during SMTP connections. An attacker positioned on an adjacent network can exploit this weakness to conduct man-in-the-middle (MitM) attacks. By presenting a false SSL certificate, the attacker can intercept SMTP traffic intended for the UniFi Network Controller, potentially gaining access to sensitive information…&lt;/p>
</content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>unifi</category><category>mitm</category><category>credential-theft</category><category>cve-2019-25652</category></item><item><title>UniFi Network Application Vulnerabilities CVE-2026-22557 and CVE-2026-22558</title><link>https://feed.craftedsignal.io/briefs/2026-03-unifi-vulns/</link><pubDate>Sat, 21 Mar 2026 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-03-unifi-vulns/</guid><description>A combination of path traversal (CVE-2026-22557) and NoSQL injection (CVE-2026-22558) vulnerabilities in the UniFi Network Application allows attackers to access files, escalate privileges, and potentially compromise the entire system.</description><content:encoded>&lt;p>The UniFi Network Application, a central platform for managing network devices across enterprise and SMB environments, is affected by two critical vulnerabilities: CVE-2026-22557 (Path Traversal) and CVE-2026-22558 (Authenticated NoSQL Injection). These vulnerabilities impact Official Release versions 10.1.85 and earlier, Release Candidate versions 10.2.93 and earlier, and UniFi Express (UX) versions 9.0.114 and earlier. Exploitation of CVE-2026-22557 enables attackers to access and manipulate…&lt;/p>
</content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>unifi</category><category>path-traversal</category><category>nosql-injection</category><category>cve-2026-22557</category><category>cve-2026-22558</category></item></channel></rss>