Call IT Assessment

Critical UniFi Vulnerability CVE-2026-22557 (CVSS 10.0) — AyeTech Patched 400+ Sites Within 24 Hours

Published: 20 March 2026 | Reading time: 8 minutes | Author: AyeTech Cyber Security Team

⚠️ CRITICAL: This Is An Emergency Patch Situation

If you are running UniFi Network Application version 10.1.85 or earlier, you need to update to 10.1.89 or later immediately. This is not a "patch when convenient" scenario. CVSS 10.0 means maximum severity. Stop reading and update your system now, then come back.

Key Takeaways

  • CVE-2026-22557 is maximum severity: CVSS 10.0 path traversal vulnerability published March 19, 2026
  • No authentication required: An attacker just needs network access to exploit this — they don't need your password
  • Full controller compromise: Successful exploitation gives attackers access to your entire network configuration, device list, WiFi passwords, and system files
  • AyeTech's response: We identified, tested, and patched all 400+ managed UniFi deployments within 24 hours
  • Why this matters: This is why you need a managed IT provider. Self-managed networks are still unpatched and at risk.

What Is CVE-2026-22557?

On March 19, 2026, Ubiquiti disclosed a critical vulnerability in UniFi Network Application. The flaw is a path traversal vulnerability — a class of bug that lets attackers navigate outside restricted directories and access files they should not be able to see.

In this case, an attacker with network access to your UniFi controller can traverse the underlying system's directories, read arbitrary files, and ultimately gain control of the controller itself. The vulnerability requires no authentication — just network access.

10.0 CVSS Severity Score (Maximum)
March 19 Publication Date, 2026
10.1.85 Last Affected Version
10.1.89+ Patched Version Required

There is also a secondary vulnerability, CVE-2026-22558, a NoSQL injection flaw (CVSS 7.7) that allows authenticated attackers to escalate privileges and access sensitive network data. Both vulnerabilities are patched in version 10.1.89 or later.

Why CVSS 10.0 Is Maximum Severity

The CVSS (Common Vulnerability Scoring System) scale goes from 0 to 10. A score of 10.0 is the highest possible rating and indicates:

  • No authentication required: An attacker doesn't need to log in or provide credentials
  • Network accessible: The vulnerability can be exploited remotely over the network
  • Complete system compromise: An attacker can gain full control of the affected system
  • No user interaction required: The attack doesn't require a user to click a link or take any action
  • No complexity: The vulnerability is trivial to exploit — no special skills required

Translation: this is one of the most dangerous types of vulnerability possible.

Which UniFi Systems Are Affected

Check Your Version Now

If you are running any of the versions listed below, your system is vulnerable and needs an emergency update.

  • UniFi Network Application 10.1.85 and earlier — VULNERABLE
  • UniFi Express (UX) 9.0.114 and earlier — VULNERABLE
  • Release Candidate 10.2.93 and earlier — VULNERABLE
  • UniFi Network Application 10.1.89 or later — PATCHED ✓

How to Check Your Version

  1. Log into your UniFi Network Application (usually https://your-controller-ip:8443 or the Ubiquiti Cloud portal)
  2. Look in the bottom left corner of the dashboard — your version is displayed there
  3. If it says 10.1.85 or earlier, you are vulnerable
  4. If it says 10.1.89 or later, you are patched

If you cannot access your controller or do not know your version, contact your IT provider immediately.

What an Attacker Can Do If They Exploit This Vulnerability

This is where the risk becomes very real. A successful exploitation of CVE-2026-22557 gives an attacker access to the complete UniFi controller and everything it manages.

Complete Network Compromise

An attacker with UniFi controller access can:

  • See every device connected to your network — computers, phones, printers, cameras, IoT devices
  • Access all VLAN configurations and see how your network is segmented
  • Retrieve WiFi passwords and security configurations
  • Create new admin accounts with full system access
  • Reconfigure firewall rules and access controls
  • Create shadow access points to maintain persistent backdoor access
  • Redirect traffic or perform man-in-the-middle attacks
  • See historical logs and connection records

In a business environment, UniFi controller compromise is equivalent to network compromise. An attacker with controller access has visibility and potentially access to every system on your network — file servers, databases, email systems, financial data, everything.

For a 30-person business, an unpatched UniFi controller is an open invitation for a complete breach.

How AyeTech Responded — Why Managed IT Saves You

24-Hour Emergency Response

AyeTech manages UniFi deployments across 400+ sites in Australia. When CVE-2026-22557 was published on March 19, here is what happened:

  1. Immediate Detection: AyeTech's security team monitors CVE feeds and Ubiquiti security advisories 24/7. The vulnerability was flagged within hours of publication.
  2. Severity Assessment: We assessed the impact — CVSS 10.0, no authentication required, path traversal to account takeover. Verdict: emergency patch situation.
  3. Lab Testing: Before deploying to 400 live networks, we tested the patch in our lab environment with real UniFi configurations to ensure stability, verify compatibility, and confirm the patch resolves the vulnerability without breaking anything else.
  4. Mass Deployment: Once verified, we deployed the patch across all 400+ managed sites in a coordinated, prioritised fashion — critical infrastructure first, then standard deployments.
  5. Verification: We verified that all sites successfully updated and confirmed that no sites were left vulnerable.

Result: All 400+ AyeTech-managed UniFi deployments were patched and secured within 24 hours of the CVE publication.

Why This Matters for Your Business

If you are self-managing your UniFi network:

  • You may not even know this CVE exists
  • You may not have a monitoring process for new vulnerabilities
  • You may not have a lab environment to test patches before deploying
  • You may not have the time or expertise to deploy patches across multiple sites
  • You may be running vulnerable systems right now without knowing it

This is the fundamental reason managed IT services exist.

What You Should Do Right Now

  • Check your UniFi version immediately. Log in and verify you are running 10.1.89 or later. If you are not, this is an emergency.
  • If you are vulnerable, update right now. Do not wait. Do not delay. This is a CVSS 10.0 vulnerability.
  • Verify the update was successful. After updating, log back in and confirm the version changed.
  • If you cannot update yourself, contact an IT provider today. If you have an MSP, call them now. If you don't, contact AyeTech.
  • Review your network access policies. Confirm that your UniFi controller is not exposed directly to the internet without authentication controls.
  • Check your controller logs. Look for unusual access patterns or failed login attempts that might indicate exploitation attempts.

Do Not Delay

If your UniFi system is vulnerable and exposed to the internet, attackers may already be actively targeting it. The longer you wait, the greater the risk. Update today.

Why Managed IT Protects You From This

This CVE is one example of dozens that affect networking equipment every year. Fortinet, SonicWall, Cisco, Palo Alto, Ubiquiti — every vendor has critical vulnerabilities. The question is not IF your infrastructure will have vulnerabilities, but HOW FAST you find out about them and patch them.

A Managed IT Provider Does This For You:

  • Continuous Monitoring: 24/7 monitoring of CVE databases, vendor security advisories, and industry threat feeds
  • Rapid Assessment: When a critical vulnerability is discovered, it is assessed immediately for your specific infrastructure
  • Lab Testing: Patches are tested in a controlled environment before being deployed to production
  • Coordinated Deployment: Updates are deployed across all managed systems in a prioritised, controlled manner
  • Verification: After patching, we verify that all systems are updated and no systems were missed
  • Documentation: All patching activity is logged and documented for compliance purposes

This is exactly what AyeTech did for our 400+ managed UniFi sites within 24 hours of the CVE publication.

If you are self-managing, you are betting that you will find out about critical vulnerabilities, understand how to assess them, have the time and expertise to patch them, and do it before your system is compromised. That is not a sustainable bet for a business of any size.

Is Your UniFi System Patched?

If you are not 100% certain you are running version 10.1.89 or later, contact AyeTech today. We can check your version, patch your system, and make sure you are protected from CVE-2026-22557.

Book a Network Security Assessment Call Now: 02 9188 8000

Or email us at [email protected] with your UniFi details and we will verify your patch status.

Frequently Asked Questions

What is CVE-2026-22557?

CVE-2026-22557 is a critical path traversal vulnerability (CVSS 10.0) in UniFi Network Application versions 10.1.85 and earlier. It allows an attacker with network access to traverse the underlying system's file structure, access arbitrary files, and ultimately take control of the UniFi controller. No authentication is required — just network access to the controller.

Which UniFi versions are affected?

CVE-2026-22557 affects UniFi Network Application version 10.1.85 and earlier, UniFi Express (UX) version 9.0.114 and earlier, and Release Candidate versions 10.2.93 and earlier. The patch is available in UniFi Network Application 10.1.89 or later.

How do I check my UniFi version?

Log into your UniFi Network Application (usually at your controller's IP address, e.g., https://192.168.1.1:8443, or through the Ubiquiti Cloud portal). The version number is displayed in the bottom left corner of the dashboard. If it shows 10.1.85 or earlier, you are vulnerable and need to update immediately.

What can an attacker do if they exploit this vulnerability?

An attacker with UniFi controller access can see every device on your network, access VLAN configurations, retrieve WiFi passwords, create new admin accounts, reconfigure firewall rules, create persistent backdoor access points, and potentially access every system connected to your network — servers, workstations, printers, cameras, and everything else.

Is my business at risk if my controller is not exposed to the internet?

The vulnerability requires "network access," which typically means someone on your local network or with VPN access. If your controller is behind a firewall and not directly internet-facing, your risk is lower but not zero. However, you should still patch immediately. If you have remote staff or VPN users, assume the controller is potentially reachable.

Should I stop using Ubiquiti UniFi?

No. UniFi is widely deployed in thousands of Australian businesses and remains a solid, enterprise-grade networking platform. Vulnerabilities will be discovered in any software product — that is the nature of software. The question is whether you have the capability to patch quickly when vulnerabilities are discovered. With proper patch management and a managed IT provider, UniFi remains secure and reliable.

About AyeTech

AyeTech is a Sydney-based managed IT services provider specialising in network infrastructure, cybersecurity, and managed services for Australian small and medium businesses. We manage 400+ UniFi deployments nationwide and respond to critical vulnerabilities like CVE-2026-22557 within 24 hours of publication.

Contact Information:

  • Phone: 02 9188 8000
  • Email: [email protected]
  • Address: Suite 203, Level 8, 99 Walker St, North Sydney, NSW 2060
  • Service Areas: Sydney, Melbourne, Brisbane, Perth, Adelaide

Related Resources: