Description
ATEN Unizon ImportDeviceList Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ATEN Unizon. Authentication is required to exploit this vulnerability.

The specific flaw exists within the ImportDeviceList method. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-28579.
Published: 2026-06-24
Score: 7.2 High
EPSS: 1.5% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw resides in the ImportDeviceList method, where an attacker, after authenticating, can supply an unsanitized file path that the system uses for file operations. This directory traversal leads to arbitrary code being executed with SYSTEM privileges. The vulnerability belongs to CWE-22. The impact is the ability to run any code on the affected ATEN Unizon installation.

Affected Systems

ATEN Unizon devices are affected. No specific version information is listed in the advisory.

Risk and Exploitability

The CVSS score is 7.2, indicating a high severity. The EPSS score is 1%, indicating a low exploitation probability. The vulnerability is not listed in the CISA KEV catalog, but it requires authentication, so only authenticated users can leverage it, which narrows the threat surface. Attackers would first gain valid credentials and then invoke the vulnerable ImportDeviceList functionality to trigger the traversal and execute code.

Generated by OpenCVE AI on June 25, 2026 at 14:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest patch or firmware update from ATEN that validates the ImportDeviceList path parameter.
  • If a patch is not yet available, restrict the ImportDeviceList API to trusted internal networks or strong authentication to prevent unauthorized use.
  • Configure network firewall rules to block external access to the Unizon management interface if not required.

Generated by OpenCVE AI on June 25, 2026 at 14:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Aten
Aten unizon
Vendors & Products Aten
Aten unizon

Thu, 25 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 21:45:00 +0000

Type Values Removed Values Added
Description ATEN Unizon ImportDeviceList Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ATEN Unizon. Authentication is required to exploit this vulnerability. The specific flaw exists within the ImportDeviceList method. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-28579.
Title ATEN Unizon ImportDeviceList Directory Traversal Remote Code Execution Vulnerability
Weaknesses CWE-22
References
Metrics cvssV3_0

{'score': 7.2, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: zdi

Published:

Updated: 2026-06-25T12:50:45.882Z

Reserved: 2026-05-27T22:19:33.876Z

Link: CVE-2026-9778

cve-icon Vulnrichment

Updated: 2026-06-25T12:50:36.279Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:40:03Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')