CVE-2026-22565
Published: 13 April 2026
Summary
CVE-2026-22565 is a high-severity Improper Input Validation (CWE-20) vulnerability in Ui (inferred from references). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE is ranked at the 7.2th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-22565 is an Improper Input Validation vulnerability (CWE-20) affecting UniFi Play PowerAmp versions 1.0.35 and earlier, as well as UniFi Play Audio Port versions 1.0.24 and earlier. The flaw enables a malicious actor with access to the UniFi Play network to send invalid input that causes the affected device to stop responding, resulting in a denial-of-service condition. It has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity primarily due to its impact on availability.
The vulnerability can be exploited remotely over the network by any unauthenticated attacker with access to the UniFi Play network, requiring low complexity and no user interaction. Successful exploitation leads to the targeted device becoming unresponsive, disrupting audio playback or related services without compromising confidentiality or integrity.
Ubiquiti's Security Advisory Bulletin 063 recommends updating UniFi Play PowerAmp to version 1.0.38 or later and UniFi Play Audio Port to version 1.1.9 or later to mitigate the issue. Additional details are available at https://community.ui.com/releases/Security-Advisory-Bulletin-063/e468dd4b-5090-4ef8-89d8-939903c08e83.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-22094
Vulnerability details
An Improper Input Validation vulnerability could allow a malicious actor with access to the UniFi Play network to cause the device to stop responding. Affected Products: UniFi Play PowerAmp (Version 1.0.35 and earlier); UniFi Play Audio Port (Version 1.0.24 and earlier). Mitigation: Update UniFi Play PowerAmp to Version 1.0.38 or later; update UniFi Play Audio Port to Version 1.1.9 or later.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Improper input validation enables remote unauthenticated DoS via application/system exploitation on affected network devices.
Mitigating Controls (NIST 800-53 r5)
Directly mandates input validation mechanisms to reject malformed inputs that could crash the device and cause denial-of-service.
Requires timely flaw remediation through patching to version 1.0.38+ for PowerAmp and 1.1.9+ for Audio Port, eliminating the improper input validation vulnerability.
Implements denial-of-service protections such as resource allocation and traffic filtering to mitigate network-based crashes from invalid inputs.