CVE-2026-22564

Ubiquiti · UniFi Play

An improper access control flaw in UniFi Play devices allows unauthorized users with network access to enable SSH and perform arbitrary system changes.

Executive summary

Critical access control vulnerabilities in UniFi Play PowerAmp and Audio Port allow unauthorized network actors to enable SSH, leading to potential full system compromise.

Vulnerability

The vulnerability stems from improper access control mechanisms, which can be exploited by an actor with network access to the UniFi Play environment to toggle SSH capabilities. Once SSH is enabled, the attacker can gain unauthorized administrative control over the affected hardware.

Business impact

The CVSS score of 9.8 reflects the high probability of total device compromise. Unauthorized SSH access permits an attacker to alter system configurations, intercept traffic, or pivot into other segments of the internal network, causing significant operational disruption.

Remediation

Immediate Action: Update UniFi Play PowerAmp to version 1.0.38 or later and UniFi Play Audio Port to version 1.1.9 or later.

Proactive Monitoring: Monitor network traffic for unauthorized SSH connections originating from unknown internal hosts or suspicious administrative commands.

Compensating Controls: Restrict network access to the UniFi Play management interfaces using VLAN segmentation or hardware-based firewalls to prevent unauthorized access.

Exploitation status

Public Exploit Available: False

Analyst recommendation

Given the ease of potential device takeover, organizations should expedite the firmware updates for all deployed UniFi Play units. Ensure that management interfaces are isolated from general user traffic to reduce the attack surface.