VYPR
Advisory · Published Jun 24, 2026 · 1 source

ATEN Unizon Directory Traversal Vulnerability (CVE-2026-9776) Allows Unauthenticated Information Disclosure

A directory traversal vulnerability in ATEN Unizon, tracked as CVE-2026-9776 with a CVSS score of 7.5, allows unauthenticated remote attackers to read arbitrary files from affected installations in the context of the SYSTEM account.

Zero Day Initiative (ZDI) has disclosed a directory traversal vulnerability in ATEN Unizon that allows unauthenticated remote attackers to read arbitrary files on affected systems. Tracked as CVE-2026-9776 with a CVSS score of 7.5, the flaw resides in the writeFileToHttpServletResponse method and does not require any authentication for exploitation.

The vulnerability stems from improper validation of a user-supplied path before it is used in file operations. The writeFileToHttpServletResponse method neither rejects nor normalizes directory traversal sequences such as ../ (or, on Windows, ..\), so an attacker can step outside the intended directory and read files anywhere on disk. Because the application runs with SYSTEM privileges on Windows, the read is not constrained by ordinary file permissions: password hashes, configuration files, and other confidential data are all within reach.

ATEN Unizon is a centralized management platform used to remotely monitor and control ATEN KVM switches, power distribution units, and other data center equipment. The software is widely deployed in enterprise environments, data centers, and broadcasting facilities where remote IT infrastructure management is critical. According to Shodan, over 4,000 Unizon instances are exposed to the internet, making them potential targets for exploitation.

ZDI reports that this vulnerability has not yet been observed being exploited in the wild, but the absence of an authentication requirement makes it attractive to attackers. Successful exploitation could allow threat actors to harvest credentials, keys, and other sensitive data that could then be used for further compromise of the affected network.

ATEN has released a security update to address CVE-2026-9776. Users should apply the patch, referenced in the ATEN Security Advisory, without delay. In addition, administrators should restrict access to the Unizon web interface to trusted source addresses and keep the management interface behind a VPN or firewall; a platform that manages KVM switches and PDUs should not be reachable directly from the internet.
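Because the flaw is unauthenticated and many instances are internet-exposed, a defender will also want to look back through web server access logs for traversal attempts, including percent-encoded and double-encoded variants that a naive search for "../" misses. The following added example (not from the page or from ATEN) does that over constructed combined-format log lines; the endpoint and the "file" query parameter in the sample lines are hypothetical placeholders, since the advisory does not publish the affected URL.

```python
"""
Scan web access logs for directory traversal attempts, decoding up to two
rounds of percent-encoding so that %2e%2e%2f and ..%255c variants are
caught. Added detection example; the log lines, endpoint and parameter
name below are constructed and hypothetical, not Unizon's real URLs.
"""
import re
from urllib.parse import unquote, urlsplit

# Constructed sample (combined log format). Line 1 is benign, lines 2-4 are
# traversal attempts in plain, single-encoded and double-encoded form, and
# line 5 is a single '..' that stays inside the static tree.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Jun/2026:10:01:02 +0000] "GET /unizon/index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Jun/2026:10:01:09 +0000] "GET /unizon/download?file=../../../../Windows/win.ini HTTP/1.1" 200 403 "-" "curl/8.4.0"
198.51.100.23 - - [24/Jun/2026:10:02:15 +0000] "GET /unizon/download?file=%2e%2e%2f%2e%2e%2fconfig%2fapp.properties HTTP/1.1" 200 2210 "-" "python-requests/2.31"
198.51.100.23 - - [24/Jun/2026:10:02:20 +0000] "GET /unizon/download?file=..%255c..%255cboot.ini HTTP/1.1" 404 0 "-" "python-requests/2.31"
192.0.2.9 - - [24/Jun/2026:10:03:01 +0000] "GET /unizon/static/css/../css/main.css HTTP/1.1" 200 1400 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def traversal_depth(s: str) -> int:
    """Number of '..' segments when split on either slash or backslash."""
    return sum(1 for seg in re.split(r"[\\/]", s) if seg == "..")


def analyze_target(target: str) -> dict:
    """Max traversal depth over the path and each raw query value, with the
    number of decoding rounds (0, 1 or 2) needed to reveal it."""
    parts = urlsplit(target)
    raw_values = [parts.path]
    for kv in parts.query.split("&"):
        if kv:
            raw_values.append(kv.split("=", 1)[-1])  # keep values undecoded
    depth = max(traversal_depth(v) for v in raw_values)
    rounds_needed = 0
    for v in raw_values:
        cur = v
        for i in (1, 2):  # one decode is normal; a second means %25-encoding
            nxt = unquote(cur)
            if nxt == cur:
                break
            cur = nxt
            d = traversal_depth(cur)
            if d > depth:
                depth, rounds_needed = d, i
    return {"depth": depth, "decode_rounds": rounds_needed}


def flag_traversal(log_text: str, min_depth: int = 1) -> list:
    """Return entries whose request target contains at least min_depth
    '..' segments after decoding, in log order."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        info = analyze_target(m["target"])
        if info["depth"] >= min_depth:
            hits.append({
                "ip": m["ip"],
                "target": m["target"],
                "status": int(m["status"]),
                "depth": info["depth"],
                "decode_rounds": info["decode_rounds"],
                # An HTTP 200 on a traversal request is the one to chase first:
                # it means the file was likely served.
                "likely_served": m["status"] == "200",
            })
    return hits


if __name__ == "__main__":
    for h in flag_traversal(SAMPLE_LOG, min_depth=2):
        print(h)
```

Browsers collapse "../" before sending a request, so even a single literal ".." in a raw request line usually comes from a tool or proxy rather than a user; raising min_depth to 2 trims the remaining benign cases while keeping anything that actually climbs out of a directory tree. A traversal request answered with 200 deserves the first look, since that is the pattern the advisory describes: an unauthenticated read that succeeds.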

The vulnerability was discovered and reported by researcher Ahmed Y. Elmogy, who followed ZDI's coordinated disclosure process. The timeline shows the vulnerability was reported on March 13, 2026, and the advisory was released on June 24, 2026.

This disclosure is the latest in a series of ZDI advisories targeting ATEN Unizon, following earlier reports of authenticated directory traversal flaws (CVE-2026-9777 and CVE-2026-9778) that allowed remote code execution. While those bugs required authentication, CVE-2026-9776 lowers the bar significantly by allowing unauthenticated file reads, increasing the risk to unpatched systems.

Synthesized by Vypr AI