CVE-2026-22563
Ubiquiti · UniFi Play
Multiple improper input validation vulnerabilities in UniFi Play devices allow attackers with network access to execute arbitrary commands via command injection.
Executive summary
Critical command injection vulnerabilities in UniFi Play devices allow unauthorized network actors to execute arbitrary code, resulting in total system compromise.
Vulnerability
Improper input validation allows a malicious actor with network access to the UniFi Play environment to inject and execute arbitrary system commands, that is, to run unauthorized operations at the operating-system level of the device.
Business impact
With a CVSS score of 9.8, this vulnerability is critical. Successful exploitation allows complete takeover of the affected device, potentially leading to data destruction, service outages, or use of the device as a launchpad for further attacks on the network.
Remediation
Immediate Action: Update UniFi Play PowerAmp to version 1.0.38 or later and UniFi Play Audio Port to version 1.1.9 or later.
Proactive Monitoring: Inspect system logs for unexpected process execution or signs of command injection attempts, such as shell metacharacters in input fields.
Compensating Controls: Implement strict network access control lists (ACLs) to ensure only authorized personnel can communicate with the management ports of the UniFi Play devices.
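The two checkable items in the remediation list are the fixed firmware versions and the log inspection for shell metacharacters in input fields. The following Python script is an added example written for this page, not Ubiquiti's or the advisory's own tooling: it compares reported firmware versions against the fixed releases named above (numerically, so 1.0.9 is correctly treated as older than 1.0.38) and flags user-supplied fields in a constructed, hypothetical key="value" log format that contain shell metacharacters.

```python
import re

# Fixed releases stated in the advisory. Assumption: devices report
# plain dotted numeric version strings.
FIXED_VERSIONS = {
    "UniFi Play PowerAmp": "1.0.38",
    "UniFi Play Audio Port": "1.1.9",
}

# Characters that should never appear in a device name, volume value or
# similar input field; their presence is a command-injection indicator.
SHELL_METACHARS = re.compile(r"[;&|`$<>\n]")

# Hypothetical log format: space-separated key=value pairs, user input quoted.
FIELD_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def parse_version(version):
    """'1.0.38' -> (1, 0, 38); numeric so that 1.0.9 < 1.0.38."""
    return tuple(int(part) for part in version.split("."))


def is_patched(product, version):
    """True if the reported version is at or above the fixed release."""
    fixed = FIXED_VERSIONS.get(product)
    if fixed is None:
        raise KeyError(f"no fixed version known for {product!r}")
    return parse_version(version) >= parse_version(fixed)


def suspicious_fields(log_line):
    """Return (key, value) pairs whose quoted value contains metacharacters."""
    return [(key, value) for key, value in FIELD_RE.findall(log_line)
            if SHELL_METACHARS.search(value)]


def scan_log(lines):
    """Map line index -> suspicious fields, for every line that has any."""
    return {i: hits for i, line in enumerate(lines)
            if (hits := suspicious_fields(line))}


# Constructed sample lines for demonstration; not real device output.
SAMPLE_LOG = [
    'ts=1 src=10.0.0.5 action=set_name name="Lobby Speaker"',
    'ts=2 src=10.0.0.9 action=set_name name="Lobby; id"',
    'ts=3 src=10.0.0.7 action=set_volume value="$(id)"',
]

if __name__ == "__main__":
    print(is_patched("UniFi Play PowerAmp", "1.0.9"))   # False: needs 1.0.38
    print(scan_log(SAMPLE_LOG))                          # lines 1 and 2 flagged
```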
Exploitation status
Public Exploit Available: False
Analyst recommendation
This vulnerability poses a significant risk to network integrity. It is imperative that administrators apply the provided firmware updates immediately and restrict access to the affected management network to prevent unauthorized command execution.