CRITICAL | 27 Mar 2026

Ubiquiti UniFi — CVE-2026-22557 Critical Path Traversal

A critical CVSS 10.0 vulnerability in Ubiquiti UniFi (CVE-2026-22557) allows unauthenticated path traversal and full system takeover. Simultaneously, the UK ransomware landscape has escalated with major data leaks at Vancompare Insurance (119GB) and the Royal Liverpool Philharmonic Orchestra. Additionally, a public Proof-of-Concept (PoC) for Cisco Catalyst SD-WAN (CVE-2026-20127) has been released, enabling unauthenticated root access to network infrastructure.

Key findings
01. Ubiquiti UniFi: Max-Severity Path Traversal (CVE-2026-22557) [CRITICAL]
Confidence: High. Ubiquiti has disclosed a maximum-severity path traversal vulnerability in UniFi, tracked as CVE-2026-22557 (CVSS 10.0). The flaw allows unauthenticated attackers to traverse the filesystem and achieve full system takeover, marking the third CVSS 10.0 vulnerability discovered in the UniFi ecosystem within the last 12 months.

02. UK Ransomware Escalation: Vancompare and Royal Liverpool Phil [HIGH]
Confidence: High. The UK threat landscape has seen a sharp escalation in ransomware activity within the last 24 hours. Vancompare Insurance (UK) has been listed by the Payload ransomware group with a confirmed 119GB data leak, posing significant regulatory and reputational risks to the UK insurance sector.

03. Cisco Catalyst SD-WAN: Public PoC Released (CVE-2026-20127) [CRITICAL]
Confidence: High. A public Proof-of-Concept (PoC) exploit has been released for a critical vulnerability in Cisco Catalyst SD-WAN, tracked as CVE-2026-20127 (CVSS 9.8).

04. Update: Langflow AI Added to CISA KEV (CVE-2026-33017) [CRITICAL]
Confidence: High. CISA has added the Langflow AI vulnerability (CVE-2026-33017, CVSS 10.0) to its Known Exploited Vulnerabilities (KEV) catalog. Active exploitation was confirmed within 20 hours of disclosure, targeting unauthenticated endpoints to harvest sensitive API keys from AI pipelines.

05. Update: Cisco FMC Confirmed Zero-Day (CVE-2026-20131) [HIGH]
Confidence: High. Technical analysis has confirmed that the Cisco Firepower Management Center (FMC) vulnerability (CVE-2026-20131) has been exploited as a zero-day by Interlock ransomware since January 2026.

06. Update: Citrix NetScaler NCSC Alert (CVE-2026-3055) [HIGH]
Confidence: High. NCSC-UK has issued a formal alert regarding Citrix NetScaler vulnerabilities (CVE-2026-3055/4368), warning of imminent exploitation surges. UK-based organisations are advised to verify their patch status immediately to prevent session hijacking and credential theft.

07. Update: PTC Windchill Manufacturing Alert (CVE-2026-4681) [CRITICAL]
Confidence: High. The German BKA and BSI have begun issuing direct notifications to manufacturing firms regarding active exploitation of PTC Windchill (CVE-2026-4681). The targeting of industrial supply chains remains a primary objective for state-sponsored and financially motivated actors.

Ubiquiti UniFi: Max-Severity Path Traversal (CVE-2026-22557)

Confidence: High

Ubiquiti has disclosed a maximum-severity path traversal vulnerability in UniFi, tracked as CVE-2026-22557 (CVSS 10.0). The flaw allows unauthenticated attackers to traverse the filesystem and achieve full system takeover, marking the third CVSS 10.0 vulnerability discovered in the UniFi ecosystem within the last 12 months. Given the prevalence of UniFi in mid-market and branch office deployments, this represents a high-priority target for initial access brokers and ransomware affiliates. Organisations must apply vendor-issued patches immediately and rotate all internal secrets, as the vulnerability resides in a core component of the network management interface.

UK Ransomware Escalation: Vancompare and Royal Liverpool Phil

Confidence: High

The UK threat landscape has seen a sharp escalation in ransomware activity within the last 24 hours. Vancompare Insurance (UK) has been listed by the Payload ransomware group with a confirmed 119GB data leak, posing significant regulatory and reputational risks to the UK insurance sector. Simultaneously, the DragonForce ransomware group has claimed a successful attack on the Royal Liverpool Philharmonic Orchestra, indicating a continued focus on high-profile UK cultural and financial entities. These incidents highlight a trend of targeting UK mid-market organisations with substantial sensitive data holdings.

Cisco Catalyst SD-WAN: Public PoC Released (CVE-2026-20127)

Confidence: High

A public Proof-of-Concept (PoC) exploit has been released for a critical vulnerability in Cisco Catalyst SD-WAN, tracked as CVE-2026-20127 (CVSS 9.8). The exploit enables unauthenticated attackers to gain root access to the underlying operating system of vulnerable SD-WAN instances. With a functional PoC now in the public domain, the window for remediation has effectively closed, and active exploitation attempts are anticipated to surge across global network infrastructure over the coming weekend.

Update: Langflow AI Added to CISA KEV (CVE-2026-33017)

Confidence: High

CISA has added the Langflow AI vulnerability (CVE-2026-33017, CVSS 10.0) to its Known Exploited Vulnerabilities (KEV) catalog. Active exploitation was confirmed within 20 hours of disclosure, targeting unauthenticated endpoints to harvest sensitive API keys from AI pipelines.

Update: Cisco FMC Confirmed Zero-Day (CVE-2026-20131)

Confidence: High

Technical analysis has confirmed that the Cisco Firepower Management Center (FMC) vulnerability (CVE-2026-20131) has been exploited as a zero-day by Interlock ransomware since January 2026. This pre-dates the official vendor patch by 36 days, highlighting a prolonged period of unmitigated risk for network administrators.

Update: Citrix NetScaler NCSC Alert (CVE-2026-3055)

Confidence: High

NCSC-UK has issued a formal alert regarding Citrix NetScaler vulnerabilities (CVE-2026-3055/4368), warning of imminent exploitation surges. UK-based organisations are advised to verify their patch status immediately to prevent session hijacking and credential theft.

Update: PTC Windchill Manufacturing Alert (CVE-2026-4681)

Confidence: High

The German BKA and BSI have begun issuing direct notifications to manufacturing firms regarding active exploitation of PTC Windchill (CVE-2026-4681). The targeting of industrial supply chains remains a primary objective for state-sponsored and financially motivated actors.

Why This Matters

The discovery of yet another CVSS 10.0 in Ubiquiti UniFi (CVE-2026-22557) exposes a persistent structural weakness in common network infrastructure. When coupled with the immediate weaponisation of AI frameworks (Langflow) and the revelation of long-standing zero-day exploitation in Cisco FMC, it is clear that the "window of exposure" has practically vanished. For UK organisations, the targeted strikes against the insurance and cultural sectors demonstrate that no industry is exempt from the current wave of high-impact data exfiltration.

Recommended Actions

  • Patch Ubiquiti UniFi (CVE-2026-22557) immediately; perform a full secret rotation (passwords, tokens, API keys) across the network management layer.
  • UK Insurance and Cultural entities should review their incident response playbooks and verify backup integrity following the attacks on Vancompare and the Royal Liverpool Phil.
  • Secure Cisco Catalyst SD-WAN (CVE-2026-20127) before the weekend exploitation surge; prioritise patching of all internet-facing management interfaces.
  • Audit Langflow AI and Cisco FMC instances to ensure they are fully patched and that no historical compromise indicators exist (specifically checking for Interlock ransomware TTPs).

All findings grounded in A13E intelligence sweeps through 08:10 UTC 27 March 2026.
