Ubiquiti has patched two vulnerabilities in the UniFi Network Application, including a maximum-severity flaw that may allow attackers to take over user accounts.

The UniFi Network app (also known as the UniFi Controller) is management software that helps configure, monitor, and optimize Ubiquiti UniFi networking hardware, such as access points, switches, and gateways.

"Combines powerful internet gateways with scalable WiFi and switching. Provides real-time traffic dashboards, visual topology maps, and optimization tips," the networking device manufacturer says. "The preferred way to deploy UniFi Network is on a UniFi Cloud Gateway, rather than on a server, laptop, or other self-hosted environment."

Tracked as CVE-2026-22557, the security flaw impacts UniFi Network application version 10.1.85 and earlier and is addressed in versions 10.1.89 or later.

Successful exploitation enables threat actors without privileges to exploit a path traversal vulnerability to access files on the targeted devices and potentially hijack user accounts in low-complexity attacks that don't require user interaction.

"A malicious actor with access to the network could exploit a Path Traversal vulnerability found in the UniFi Network Application to access files on the underlying system that could be manipulated to access an underlying account," the company says in an advisory published on Wednesday.

Ubiquiti also patched a second flaw in the UniFi Network app that attackers with low privileges can exploit for privilege escalation.

"An Authenticated NoSQL Injection vulnerability found in UniFi Network Application could allow a malicious actor with authenticated access to the network to escalate privileges," the company explained.

In recent years, Ubiquiti products have been targeted by both state-backed hacking groups and cybercriminals who hijacked them to build botnets designed to conceal malicious activity.

For instance, in February 2024, the FBI dismantled a botnet of hacked Ubiquiti Edge OS routers used by Russia's Main Intelligence Directorate of the General Staff (GRU) to proxy malicious traffic in attacks targeting the United States and its allies.