ATEN Unizon Directory Traversal Vulnerability (CVE-2026-9778) Allows Remote Code Execution
A directory traversal vulnerability in ATEN Unizon, tracked as CVE-2026-9778 with a CVSS score of 7.2, allows authenticated remote attackers to execute arbitrary code at the SYSTEM level.

Zero Day Initiative (ZDI) disclosed a directory traversal remote code execution vulnerability in ATEN Unizon, tracked as CVE-2026-9778 with a CVSS score of 7.2. The flaw, reported by researcher Ahmed Y. Elmogy, allows an authenticated remote attacker to execute arbitrary code on affected installations by exploiting improper validation of user-supplied paths in the ImportDeviceList method.
The vulnerability resides in the ImportDeviceList method, where the software fails to properly validate a user-supplied path before using it in file operations. This lack of validation enables an attacker to traverse outside restricted directories, allowing file upload or overwrite operations that ultimately lead to code execution in the context of the SYSTEM user. Because authentication is required, the attack surface is limited to users who already have access to the Unizon management interface.
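The missing check described above, as an added example that is not ATEN's code or part of the ZDI advisory: a join with no validation beside a version that confines the result to one directory. The directory, function names and sample paths are hypothetical, and Windows path rules are assumed because the page describes execution as SYSTEM.

```python
import ntpath  # Windows path rules on any OS (the page's target runs as SYSTEM)

# Hypothetical import directory; not taken from the product.
BASE_DIR = r"C:\ProgramData\ExampleApp\imports"


class UnsafePath(ValueError):
    """Raised when a user-supplied path would leave the import directory."""


def naive_join(base, user_path):
    """Flawed pattern: join and normalize with no containment check."""
    return ntpath.normpath(ntpath.join(base, user_path))


def safe_join(base, user_path):
    """Return a path strictly below base, or raise UnsafePath."""
    if not user_path or "\x00" in user_path or ":" in user_path:
        # ':' covers drive letters (C:x) and NTFS alternate data streams.
        raise UnsafePath("empty path, NUL byte or colon")
    drive, rest = ntpath.splitdrive(user_path)
    if drive or rest.startswith(("\\", "/")):
        raise UnsafePath("UNC or rooted path")
    candidate = ntpath.normpath(ntpath.join(base, user_path))
    base_cmp = ntpath.normcase(ntpath.normpath(base))
    cand_cmp = ntpath.normcase(candidate)
    # commonpath compares whole components, so "imports_old" does not
    # pass as a child of "imports" the way a startswith() test would.
    if cand_cmp == base_cmp or ntpath.commonpath([base_cmp, cand_cmp]) != base_cmp:
        raise UnsafePath("resolves outside the import directory")
    # Lexical check only: a real service must also resolve junctions and
    # symlinks (e.g. os.path.realpath on the host) before opening the file.
    return candidate


def is_allowed(user_path, base=BASE_DIR):
    """True if user_path stays inside base, False otherwise."""
    try:
        safe_join(base, user_path)
        return True
    except UnsafePath:
        return False
```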
ATEN Unizon is a centralized management platform used by organizations to monitor and control ATEN KVM switches, power distribution units, and other IT infrastructure devices. The product is widely deployed in data centers, server rooms, and enterprise environments where remote management of hardware is critical. A successful exploit could give an attacker full control over the Unizon server, potentially allowing lateral movement to managed devices or exfiltration of sensitive configuration data.
ATEN has issued a security advisory and patch to address CVE-2026-9778. The advisory is available at ATEN's support center, and organizations running ATEN Unizon are strongly urged to apply the update as soon as possible. No workarounds have been published, making patching the only reliable mitigation.
This disclosure follows a related vulnerability in the same product: CVE-2026-9779, a cryptographic signature verification bypass also rated CVSS 7.2, which was disclosed earlier in June 2026. Together, these flaws highlight a pattern of security weaknesses in ATEN's Unizon platform that could be chained by attackers. The ZDI advisory notes that the vendor was notified on March 13, 2026, and the coordinated public release occurred on June 24, 2026.
Directory traversal vulnerabilities remain a common class of bugs in enterprise management software, often leading to severe consequences when combined with file upload capabilities. Organizations using ATEN Unizon should prioritize patching CVE-2026-9778 and review their deployment for any signs of compromise, especially if the management interface is exposed to untrusted networks.