CVE-2015-9266

9.8 CRITICAL

📋 TL;DR

This vulnerability lets unauthenticated attackers upload arbitrary files to arbitrary paths via directory traversal in the file-upload handling of the web management interface on Ubiquiti network devices, which is enough to gain root on the device. All Ubiquiti airMAX, airFiber, airGateway and EdgeSwitch XP devices running firmware older than the July 2015 security updates are affected.

💻 Affected Systems

Products:
  • Ubiquiti airMAX
  • Ubiquiti airFiber
  • Ubiquiti airGateway
  • Ubiquiti EdgeSwitch XP (formerly TOUGHSwitch)
Versions: All versions prior to July 2015 security updates
Operating Systems: airOS firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Web management interface enabled by default on these devices. All configurations with web interface accessible are vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device compromise with root access, allowing attackers to install persistent backdoors, intercept network traffic, pivot to internal networks, or use devices for botnet participation.

🟠

Likely Case

Remote code execution leading to device takeover, configuration modification, credential theft, and network disruption.

🟢

If Mitigated

Limited impact if devices are behind firewalls with restricted web interface access and proper network segmentation.

🌐 Internet-Facing: HIGH - Directly exploitable from internet without authentication, CVSS 9.8 indicates critical risk for exposed devices.
🏢 Internal Only: HIGH - Even internally, unauthenticated exploitation allows lateral movement and network compromise.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit code is publicly available on Exploit-DB and HackerOne. Simple HTTP requests with directory traversal payloads can achieve root access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: airMAX AC 7.1.3; airMAX M (and airRouter) 5.6.2 XM/XW/TI, 5.5.11 XM/TI, and 5.5.10u2 XW; airGateway 1.1.5; airFiber AF24/AF24HD 2.2.1, AF5x 3.0.2.1, and AF5 2.2.1; airOS 4 XS2/XS5 4.0.4; EdgeSwitch XP 1.3.2

Vendor Advisory: https://community.ubnt.com/t5/airMAX-Updates-Blog/Important-Security-Notice-and-airOS-5-6-5-Release/ba-p/1565949

Restart Required: Yes

Instructions:

1. Download the firmware image for the exact product line and hardware platform (XM/XW/TI, AF24/AF5x, etc.) from the Ubiquiti downloads page; the fixed version differs per platform (see Patch Version above).
2. Log into the device web interface.
3. Navigate to System > Upgrade (on airOS 5.x this is the Firmware Update section of the System tab).
4. Upload the image and apply the update.
5. The device reboots automatically; confirm the new version afterwards.

🔧 Temporary Workarounds

Disable Web Management Interface

all

Disable the vulnerable web interface and use alternative management methods.

Use the SSH/CLI to disable the web interface: configure -> set service gui disable -> commit

Caveat: that command sequence is EdgeOS (EdgeRouter) CLI syntax. airOS devices drop SSH sessions into a BusyBox shell and have no such command set, so on airMAX, airFiber and airGateway restrict access to the web interface instead (next workaround) until the firmware is updated.

Restrict Web Interface Access

linux

Limit access to the web interface with firewall rules on the device or on the upstream router. `trusted_ip` is a placeholder for the management host or subnet. iptables appends in order, so the two ACCEPT rules must be added before the DROPs and no earlier rule in the chain may already accept these ports (check with iptables -L INPUT -n --line-numbers). Rules added on the device itself this way are lost on reboot unless stored in its persistent configuration.

iptables -A INPUT -p tcp --dport 80 -s trusted_ip -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s trusted_ip -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP

🧯 If You Can't Patch

  • Place devices behind firewalls with strict inbound rules blocking all access to web management ports (80, 443, 8080)
  • Segment affected devices on isolated VLANs to prevent lateral movement if compromised

🔍 How to Verify

Check if Vulnerable:

Check the running firmware version in the web interface (on airOS 5.x the Main tab shows Firmware Version) or over SSH, and compare it with the patched versions listed above. The fixed version depends on product line and hardware platform (XM/XW/TI, AF24/AF5x, etc.), and several lines have more than one fixed release train (for example 5.5.11 and 5.6.2 for XM), so "older than 5.6.2" alone does not mean unpatched.

Check Version:

ssh admin@device_ip 'show version' (EdgeOS-style CLI) or check the web interface at System > Status. airOS devices present a BusyBox shell over SSH rather than a `show` CLI; there the version string is in /etc/version (ssh admin@device_ip 'cat /etc/version').

Verify Fix Applied:

Confirm the firmware version is at or above the fixed version for its product line and platform within the same release train (5.5.x vs 5.6.x). On devices you are authorised to test, send an unauthenticated upload whose filename contains a traversal sequence (../) and confirm that the interface rejects it.
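Because the fixed version depends on product line, hardware platform and release train, a version check has to compare within the train rather than against the single newest fix. The following is an added example (not Ubiquiti code) that encodes the fix table from the Patch Version line above; it assumes the caller supplies the short version as displayed by the device (e.g. 5.5.10u2, 7.1.3) and the platform tag separately, and that a trailing `u` number is an update to the same base release.

```python
"""Decide whether a firmware version carries the CVE-2015-9266 fix.
Added example, not Ubiquiti code.  Assumes the short displayed version
("5.5.10u2", "7.1.3") and a platform tag supplied by the caller."""
import re

# Fixed versions from the vendor advisory, keyed by (product line, platform).
# airMAX M keeps two maintained trains (5.5.x and 5.6.x), so "newer than the
# highest fix" is the wrong test: 5.5.11 XM is fixed although 5.5.11 < 5.6.2.
FIXED = {
    ("airmax-ac", None): ["7.1.3"],
    ("airmax-m", "XM"): ["5.6.2", "5.5.11"],
    ("airmax-m", "XW"): ["5.6.2", "5.5.10u2"],
    ("airmax-m", "TI"): ["5.6.2", "5.5.11"],
    ("airgateway", None): ["1.1.5"],
    ("airfiber", "AF24"): ["2.2.1"],
    ("airfiber", "AF24HD"): ["2.2.1"],
    ("airfiber", "AF5X"): ["3.0.2.1"],
    ("airfiber", "AF5"): ["2.2.1"],
    ("airos4", "XS2"): ["4.0.4"],
    ("airos4", "XS5"): ["4.0.4"],
    ("edgeswitch-xp", None): ["1.3.2"],
}

# Assumed format: optional leading "v", 2-4 numeric parts, optional "uN".
_VERSION = re.compile(r"^v?(\d+(?:\.\d+){1,3})(?:u(\d+))?$")


def parse_version(text):
    """'5.5.10u2' -> (5, 5, 10, 0, 2); '3.0.2.1' -> (3, 0, 2, 1, 0).
    Numeric parts are padded to four so trains of different depth compare
    field by field; the trailing element is the 'u' update number."""
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (4 - len(parts))
    return tuple(parts) + (int(m.group(2) or 0),)


def is_patched(product, platform, version):
    """True if `version` is at or above the fix for its own release train
    (major.minor).  A train newer than every listed fix counts as patched;
    an older train with no listed fix counts as unpatched."""
    try:
        fixes = [parse_version(f) for f in FIXED[(product, platform)]]
    except KeyError:
        raise KeyError(f"no fix data for {product!r}/{platform!r}") from None
    current = parse_version(version)
    for fix in fixes:
        if fix[:2] == current[:2]:      # same release train: compare directly
            return current >= fix
    return current >= max(fixes)        # no matching train: newer or older than all


if __name__ == "__main__":
    for prod, plat, ver in [("airmax-m", "XM", "5.5.11"),
                            ("airmax-m", "XW", "5.5.10"),
                            ("airmax-m", "XM", "5.6.1"),
                            ("airfiber", "AF5X", "3.0.2")]:
        state = "patched" if is_patched(prod, plat, ver) else "VULNERABLE"
        print(f"{prod} {plat} {ver}: {state}")
```

The train-aware comparison is the point: XW 5.5.10u2 is patched while XM 5.5.10u2 is not, and XM 5.6.1 is unpatched despite being numerically above 5.5.11.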

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests containing '../' sequences in file upload parameters
  • Unauthenticated file upload attempts to web interface
  • Unexpected file creation in system directories

Network Indicators:

  • Multipart HTTP POST uploads to the web interface's file-upload endpoint (/upload.cgi or similar) whose filename field contains traversal sequences, raw (../) or percent-encoded (%2e%2e%2f), with no preceding authentication
  • Unusual outbound connections from network devices

SIEM Query:

source="ubiquiti_logs" AND (http_uri="*../*" OR http_uri="*%2e%2e*" OR http_post_data="*../*" OR http_post_data="*%2e%2e*")

Splunk-style query; field names depend on the log source. The encoded variants are included because a URI or body filter on the literal "../" alone misses %2e%2e%2f. These fields typically come from a proxy, IDS or packet-capture feed in front of the device rather than from the device's own syslog.
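The indicators above reduce to one test: does a multipart upload's filename field leave the upload directory once decoded? The following added example (not Ubiquiti's code and not the public exploit) runs that test over a constructed request and also shows the containment check a fixed upload handler should perform. The endpoint /upload.cgi, the form-field names and the upload directory are assumptions.

```python
"""Flag CVE-2015-9266-style upload requests (multipart filename escaping the
upload directory) and show the containment check a hardened handler needs.
Added example, not Ubiquiti's code or the public exploit.  The requests
below are constructed; the endpoint and form-field names are assumptions."""
import posixpath
import re
from urllib.parse import unquote

# Constructed sample: unauthenticated multipart POST whose filename walks out
# of the upload directory.  Endpoint (/upload.cgi) and field names are made up.
SAMPLE_ATTACK = (
    b"POST /upload.cgi HTTP/1.1\r\n"
    b"Host: 192.0.2.10\r\n"
    b"Content-Type: multipart/form-data; boundary=XXX\r\n"
    b"\r\n"
    b"--XXX\r\n"
    b'Content-Disposition: form-data; name="file"; filename="../../../../etc/passwd"\r\n'
    b"Content-Type: application/octet-stream\r\n"
    b"\r\n"
    b"placeholder payload\n"
    b"\r\n"
    b"--XXX--\r\n"
)

# Constructed benign upload for comparison: same request, ordinary filename.
SAMPLE_BENIGN = SAMPLE_ATTACK.replace(b"../../../../etc/passwd", b"fwupdate.bin")


def parse_multipart(raw):
    """Return [(field_name, filename)] for each part of a raw HTTP request
    carrying multipart/form-data (filename is None for plain fields).
    Deliberately minimal: just enough to read Content-Disposition."""
    head, _, body = raw.partition(b"\r\n\r\n")
    m = re.search(rb"boundary=([^\s;]+)", head)
    if not m:
        return []
    parts = []
    for chunk in body.split(b"--" + m.group(1))[1:]:
        if chunk.startswith(b"--"):          # closing delimiter
            break
        part_head = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")[0].decode("latin-1")
        cd = re.search(r"Content-Disposition:\s*form-data;(.*)", part_head, re.I)
        if cd:
            params = dict(re.findall(r'(\w+)="([^"]*)"', cd.group(1)))
            parts.append((params.get("name"), params.get("filename")))
    return parts


def is_traversal(filename):
    """True when the filename, after two rounds of percent-decoding (to catch
    %2e%2e%2f and double encoding) and backslash normalisation, is absolute
    or contains a '..' path segment."""
    if filename is None:
        return False
    name = unquote(unquote(filename)).replace("\\", "/")
    return name.startswith("/") or ".." in name.split("/")


def find_traversal_uploads(raw):
    """Detection: the (field, filename) pairs in a request that carry traversal."""
    return [(f, n) for f, n in parse_multipart(raw) if is_traversal(n)]


def safe_join(upload_dir, filename):
    """Fix: resolve the client-supplied name under upload_dir and refuse any
    result that lands outside it.  Returns the path to write, or None."""
    name = unquote(unquote(filename)).replace("\\", "/")
    root = upload_dir.rstrip("/")
    candidate = posixpath.normpath(posixpath.join(root, name))
    if not candidate.startswith(root + "/"):
        return None
    return candidate


if __name__ == "__main__":
    print("attack :", find_traversal_uploads(SAMPLE_ATTACK))
    print("benign :", find_traversal_uploads(SAMPLE_BENIGN))
    print("safe_join:", safe_join("/tmp/uploads", "../../../../etc/passwd"))
```

`safe_join` normalises before checking the prefix, so "sub/../fwupdate.bin" is allowed (it stays inside the directory) while "../../../../etc/passwd" and an absolute "/etc/passwd" are both refused; stripping "../" substrings instead of normalising would leave "....//" style bypasses open.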

🔗 References
