Executive Summary
CVE-2026-22562 is a critical path traversal vulnerability (CWE-22) in the firmware of UniFi Play PowerAmp and UniFi Play Audio Port devices. An attacker with access to the UniFi Play network can use traversal sequences to write arbitrary files to the device filesystem and, from there, achieve remote code execution with no authentication, privileges, or user interaction required.
CVSS Score: 9.8 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
This vulnerability was disclosed as part of Ubiquiti Security Advisory Bulletin 063 on April 13, 2026, alongside three related issues (CVE-2026-22563, CVE-2026-22564, CVE-2026-22566) affecting the same product family. All affected devices should be updated immediately.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-22562 |
| CWE | CWE-22 — Path Traversal |
| CVSS Score | 9.8 (Critical) |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Confidentiality Impact | High |
| Integrity Impact | High |
| Availability Impact | High |
| Published | April 13, 2026 |
Affected Products
| Product | Affected Versions | Fixed Version |
|---|---|---|
| UniFi Play PowerAmp | v1.0.35 and earlier | v1.0.38 or later |
| UniFi Play Audio Port | v1.0.24 and earlier | v1.1.9 or later |
Related Vulnerabilities (Same Advisory)
Ubiquiti Security Advisory Bulletin 063 disclosed four CVEs affecting the UniFi Play product family:
| CVE | CVSS | Type | Impact |
|---|---|---|---|
| CVE-2026-22562 | 9.8 Critical | Path Traversal → RCE | Arbitrary file write → code execution |
| CVE-2026-22563 | 9.8 Critical | Command Injection | Unauthenticated OS command execution |
| CVE-2026-22564 | Medium | Improper Access Control | SSH enablement without authorization |
| CVE-2026-22566 | Medium | Improper Access Control | Wi-Fi credential theft |
The combination of CVE-2026-22562 and CVE-2026-22563 gives an unauthenticated attacker full device compromise capability.
Technical Analysis
Root Cause
The vulnerability exists in the firmware's file handling routines. Attacker-controlled input is used to construct file paths without adequate sanitization or normalization. By supplying path traversal sequences (e.g., ../../../), an attacker on the UniFi Play network can escape the intended directory context and write files to arbitrary locations on the device filesystem.
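The following Python is an added illustration of the pattern described above, not code from the Ubiquiti firmware (whose file-handling routines are not shown on this page). It places the naive concatenation that CWE-22 describes beside a hardened builder that normalizes the path and requires the result to stay strictly below the base directory. The base directory `/var/play/uploads` and the sample names are assumptions constructed for the example.

```python
import posixpath

# Assumed directory the firmware intends to write into; a placeholder, not taken from the advisory.
BASE_DIR = "/var/play/uploads"

# Constructed sample names mixing benign uploads with traversal attempts.
SAMPLE_NAMES = [
    "album/01.flac",
    "track/../cover.jpg",
    "../../../etc/rc.local",
    "/etc/init.d/S99backdoor",
    "a/../../../etc/cron.d/evil",
    "..",
    ".",
    "",
    "cover.jpg\x00../../etc/passwd",
]


def build_path_vulnerable(base: str, name: str) -> str:
    """The CWE-22 pattern: the attacker-controlled name is appended to the base with no normalization."""
    return base + "/" + name


def resolved_target(path: str) -> str:
    """Where '.' and '..' components actually land (lexical resolution; symlinks are not considered)."""
    return posixpath.normpath(path)


def build_path_safe(base: str, name: str) -> str:
    """Hardened builder: reject NUL bytes and absolute names, normalize, and require the
    result to stay strictly below the normalized base. Raises ValueError on rejection."""
    if not name or "\x00" in name:
        raise ValueError("empty name or embedded NUL byte")
    if posixpath.isabs(name):
        raise ValueError("absolute path rejected")
    base_norm = posixpath.normpath(base)
    candidate = posixpath.normpath(posixpath.join(base_norm, name))
    if candidate == base_norm:
        raise ValueError("name resolves to the base directory itself")
    # commonpath compares path components, so '/var/play/uploads_evil' cannot pass as a string prefix.
    if posixpath.commonpath([base_norm, candidate]) != base_norm:
        raise ValueError(f"path escapes {base_norm}: {name!r}")
    return candidate


def classify(base: str, names) -> dict:
    """Run each name through the hardened builder; map name -> ('ok', path) or ('rejected', reason)."""
    result = {}
    for name in names:
        try:
            result[name] = ("ok", build_path_safe(base, name))
        except ValueError as exc:
            result[name] = ("rejected", str(exc))
    return result


if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        naive = build_path_vulnerable(BASE_DIR, name)
        verdict = classify(BASE_DIR, [name])[name]
        print(f"{name!r:36} naive -> {resolved_target(naive)!r:32} hardened -> {verdict}")
```

The check is lexical: a symlink already present under the base directory can still point outside it, so a production implementation should additionally open through the base directory's resolved real path (or, on Linux, use `openat2` with `RESOLVE_BENEATH`). Any percent-decoding of the name must happen exactly once, before this check, or an encoded `%2e%2e` slips past it.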
Attack Chain
Once arbitrary file write is achieved, several paths to remote code execution are available:
- Startup script injection — Write a malicious script to an auto-executed location (init.d, cron, rc.local)
- Binary replacement — Overwrite a system binary or service executable with a malicious version
- Configuration tampering — Modify device configuration files to alter service behavior or enable backdoor access
On embedded firmware, a write that lands on persistent storage rather than a RAM-backed filesystem survives a reboot, so a single exploitation of the file write can yield lasting compromise.
Network Requirement
Exploitation requires the attacker to reach the UniFi Play network segment where the device is deployed. This is typically a local Wi-Fi or LAN segment rather than the wider internet, although the published vector still scores the attack vector as Network (AV:N). In poorly segmented networks (flat IoT networks, shared office networks, or a network where one device is already compromised) this level of access is commonly achievable.
Exploitation Status
No public proof-of-concept exploit code had been released at the time of this advisory. The vector rates attack complexity as Low and requires neither authentication nor user interaction, so the only practical barrier is reaching the device's network segment; once a PoC becomes available, the vulnerability is likely to be picked up quickly by opportunistic attackers.
Impact Assessment
| Impact Area | Description |
|---|---|
| Remote Code Execution | Full code execution on the device as root/privileged user |
| Device Takeover | Complete control of UniFi Play device |
| Network Pivot | Compromised device can be used to pivot into the local network |
| Credential Theft | CVE-2026-22566 (same advisory) allows Wi-Fi credential extraction |
| Persistence | File writes to startup locations survive device reboots |
| No Authentication Required | Any attacker on the network segment is a potential threat actor |
Remediation
Immediate: Update Firmware
Apply the fixed firmware versions via the UniFi controller or UniFi mobile app:
| Device | Update To |
|---|---|
| UniFi Play PowerAmp | v1.0.38 or later |
| UniFi Play Audio Port | v1.1.9 or later |
```sh
# Verify installed firmware version via UniFi Network Application
# Navigate to: Devices → [Device Name] → Settings → Firmware
# Alternatively, check from SSH (if enabled):
grep -i version /etc/board.info
```

Network Segmentation
Isolate IoT/audio devices from general corporate or guest networks:
Recommended network topology:

```text
├── Corporate LAN (VLAN 10) — workstations, servers
├── IoT/AV Network (VLAN 20) — UniFi Play, AV equipment
│   ├── Blocked: IoT → Corporate LAN
│   └── Blocked: IoT → Internet (unless required)
└── Guest Network (VLAN 30) — visitor Wi-Fi
    └── Blocked: Guest → IoT, Guest → Corporate
```
Proper VLAN segmentation means that even if a device is compromised, the blast radius is limited to the IoT segment.
Disable Unused Services
If SSH is enabled on affected devices and not needed, disable it until the firmware is updated. Because CVE-2026-22564 (same advisory) allows SSH to be enabled without authorization, do not rely on the setting as a mitigation; treat SSH reappearing on a device where it was disabled as an indicator of compromise.

```sh
# Check if SSH is enabled on the device
# Via UniFi Network Application: Devices → [Device] → Settings → Advanced → SSH
```

Detection
Monitor for signs of exploitation or post-compromise activity:
| Indicator | Description |
|---|---|
| Unexpected outbound connections from UniFi Play devices | Potential C2 or exfiltration |
| SSH enabled on devices where it was previously disabled | CVE-2026-22564 exploitation |
| New files in system directories with unusual timestamps | File write exploitation |
| Device configuration changes without admin action | Tampering indicator |
| Unusual processes running on device | Post-exploitation activity |
```sh
# Check for unexpected network connections from UniFi Play devices
# Monitor via Wireshark, pfSense firewall logs, or UniFi network insights
# UniFi Network Application: Insights → Client → Filter by UniFi Play devices
# Look for: unexpected destinations, large data transfers, non-standard ports
```
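The following Python is an added example, not a tool from Ubiquiti or from the advisory, that applies the network indicators from the table above to flow records. The record format, the UniFi Play device addresses (`10.20.0.11`, `10.20.0.12` on the IoT/AV VLAN), the controller address `10.10.0.5`, the expected-flow allow list, the internal address ranges, and the log lines themselves are all constructed assumptions for the example; in practice the allow list should be derived from traffic observed after patching.

```python
import ipaddress
from dataclasses import dataclass, field

# Assumed inventory: UniFi Play devices on the IoT/AV VLAN (VLAN 20 in the topology above).
PLAY_DEVICES = {"10.20.0.11", "10.20.0.12"}

# Assumed baseline of expected flows as (destination, port, protocol). The controller
# address is a placeholder; build the real list from observed normal traffic.
EXPECTED_FLOWS = {
    ("10.10.0.5", 8080, "tcp"),
    ("10.10.0.5", 443, "tcp"),
    ("10.10.0.5", 3478, "udp"),
}
CORPORATE_LAN = ipaddress.ip_network("10.10.0.0/24")          # assumed VLAN 10 range
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]           # assumed: everything else is external
COMMON_PORTS = {53, 80, 123, 443, 3478, 8080}                  # ports not worth flagging on their own
LARGE_TRANSFER_BYTES = 50 * 1024 * 1024                        # threshold for "large data transfer"

# Constructed flow records (not real logs): timestamp src dst dport proto bytes_out
SAMPLE_FLOWS = """\
2026-04-14T09:00:01Z 10.20.0.11 10.10.0.5 8080 tcp 4210
2026-04-14T09:00:07Z 10.20.0.11 10.10.0.5 3478 udp 320
2026-04-14T09:01:15Z 10.20.0.12 203.0.113.45 4444 tcp 1882
2026-04-14T09:02:40Z 10.20.0.11 10.10.0.23 445 tcp 9100
2026-04-14T09:03:02Z 10.20.0.12 198.51.100.9 443 tcp 73400320
2026-04-14T09:03:30Z 10.20.0.40 8.8.8.8 53 udp 120
"""


@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str
    reasons: list = field(default_factory=list)


def parse_flows(text: str):
    """Parse the constructed whitespace-separated records; skip blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, src, dst, dport, proto, nbytes = parts
        yield ts, src, dst, int(dport), proto.lower(), int(nbytes)


def detect_suspicious_flows(text: str, devices=PLAY_DEVICES, expected=EXPECTED_FLOWS):
    """Flag flows sourced from Play devices that are outside the allow list, annotating each
    with the indicator it matches: corporate-LAN pivot, external destination, odd port, large transfer."""
    findings = []
    for ts, src, dst, dport, proto, nbytes in parse_flows(text):
        if src not in devices or (dst, dport, proto) in expected:
            continue
        finding = Finding(ts, src, dst, dport, proto)
        dst_ip = ipaddress.ip_address(dst)
        if dst_ip in CORPORATE_LAN:
            finding.reasons.append("unexpected destination in corporate LAN (possible pivot)")
        elif any(dst_ip in net for net in INTERNAL_NETS):
            finding.reasons.append("unexpected internal destination")
        else:
            finding.reasons.append("unexpected external destination (possible C2 or exfiltration)")
        if dport not in COMMON_PORTS:
            finding.reasons.append(f"non-standard port {dport}")
        if nbytes >= LARGE_TRANSFER_BYTES:
            finding.reasons.append(f"large transfer ({nbytes} bytes)")
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in detect_suspicious_flows(SAMPLE_FLOWS):
        print(f"{f.ts} {f.src} -> {f.dst}:{f.dport}/{f.proto}: " + "; ".join(f.reasons))
```

Against the constructed records this reports three flows: the connection to `203.0.113.45:4444`, the SMB attempt into the corporate VLAN, and the 70 MiB upload to `198.51.100.9`; the record from `10.20.0.40` is ignored because that address is not in the device inventory. Flows that are on the allow list are never reported, which is why the allow list must be kept tight.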