CVE-2015-9266

CRITICAL

Ubiquiti airMAX, airFiber, airGateway and EdgeSwitch XP - Unauthenticated Path Traversal and Arbitrary File Write


Exploitation Summary

EIP tracks 3 public exploits for CVE-2015-9266. PoCs were published by Metasploit, 93c08539 and wvu, including the Metasploit module exploits/linux/http/ubiquiti_airos_file_upload.

AI-analyzed exploit summary: This Metasploit module exploits a pre-authentication arbitrary file upload vulnerability in Ubiquiti airOS to install a new root user and SSH key, enabling remote command execution. It leverages a path traversal technique to overwrite critical system files.

Description

The web management interface of Ubiquiti airMAX, airFiber, airGateway and EdgeSwitch XP (formerly TOUGHSwitch) allows an unauthenticated attacker to upload and write arbitrary files using directory traversal techniques. An attacker can exploit this vulnerability to gain root privileges. This vulnerability is fixed in the following product versions (fixes released in July 2015, all prior versions are affected): airMAX AC 7.1.3; airMAX M (and airRouter) 5.6.2 XM/XW/TI, 5.5.11 XM/TI, and 5.5.10u2 XW; airGateway 1.1.5; airFiber AF24/AF24HD 2.2.1, AF5x 3.0.2.1, and AF5 2.2.1; airOS 4 XS2/XS5 4.0.4; and EdgeSwitch XP (formerly TOUGHSwitch) 1.3.2.

Exploits (3)

exploitdb · Working PoC · Verified
by Metasploit · ruby · remote · unix
https://www.exploit-db.com/exploits/39853

This Metasploit module exploits a pre-authentication arbitrary file upload vulnerability in Ubiquiti airOS to install a new root user and SSH key, enabling remote command execution. It leverages a path traversal technique to overwrite critical system files.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Ubiquiti airOS < 5.6.2
No auth needed
Prerequisites: Network access to the target device · SSL/TLS enabled on port 443
devstral-2 · analyzed Feb 16, 2026

exploitdb · Working PoC · Verified
by 93c08539 · text · webapps · cgi
https://www.exploit-db.com/exploits/39701

This exploit demonstrates an arbitrary file write vulnerability in AirMax systems via a malformed POST request to login.cgi. The vulnerability allows unauthenticated attackers to overwrite or create files, such as SSH authorized_keys, leading to remote code execution.

Classification: Working PoC 90%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Ubiquiti AirMax (multiple versions)
No auth needed
Prerequisites: Network access to the target device · SSH public key for authorized_keys injection
devstral-2 · analyzed Feb 16, 2026

metasploit · Working PoC · Excellent
by 93c08539, wvu · ruby · poc · unix
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/ubiquiti_airos_file_upload.rb

This Metasploit module exploits a pre-authentication arbitrary file upload vulnerability in Ubiquiti airOS to install a new root user and SSH key, enabling remote command execution. It leverages a multipart form upload to overwrite critical system files like /etc/passwd and /etc/dropbear/authorized_keys.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Ubiquiti airOS < 5.6.2
No auth needed
Prerequisites: Network access to the target device · HTTPS (port 443) and SSH (port 22) connectivity
devstral-2 · analyzed Feb 19, 2026

References (7)

Core References
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/39701/
Issue Tracking, Third Party Advisory x_refsource_misc
https://hackerone.com/reports/73480
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/39853/

Scores

CVSS v3 9.8
EPSS 0.7900
EPSS Percentile 99.1%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-22
Status: published
Products (12)
ubnt/airos_4_xs2 < 4.0.4
ubnt/airos_4_xs5 < 4.0.4
ubnt/edgeswitch_xp_firmware < 1.3.2
ui/af5_firmware < 2.2.1
ui/af5x_firmware < 3.0.2.1
ui/airfiber_af24_firmware < 2.2.1
ui/airfiber_af24hd_firmware < 2.2.1
ui/airgateway_firmware < 1.15
ui/airmax_ac_firmware 7.1.3
ui/airmax_m_ti_firmware < 5.6.2
... and 2 more
Published Sep 05, 2018
Tracked Since Feb 18, 2026