CVE-2026-22563

Ubiquiti · UniFi Play

Multiple improper input validation vulnerabilities in UniFi Play devices allow attackers with network access to execute arbitrary commands via command injection.

Executive summary

Critical command injection vulnerabilities in UniFi Play devices allow unauthorized network actors to execute arbitrary code, resulting in total system compromise.

Vulnerability

Improper input validation allows a malicious actor with network access to the UniFi Play environment to inject and execute arbitrary system commands. This flaw permits the execution of unauthorized operations at the system level.

Business impact

With a CVSS score of 9.8, this vulnerability is critical. Successful exploitation allows for complete takeover of the affected device, potentially leading to data destruction, service outages, or the use of the device as a launchpad for further network attacks.

Remediation

Immediate Action: Update UniFi Play PowerAmp to version 1.0.38 or later and UniFi Play Audio Port to version 1.1.9 or later.

Proactive Monitoring: Inspect system logs for unexpected process execution or signs of command injection attempts, such as shell metacharacters in input fields.

Compensating Controls: Implement strict network access control lists (ACLs) to ensure only authorized personnel can communicate with the management ports of the UniFi Play devices.

Exploitation status

Public Exploit Available: False

Analyst recommendation

This vulnerability poses a significant risk to network integrity. Administrators should apply the firmware updates listed above immediately and restrict access to the affected management network to prevent unauthorized command execution.