VYPR advisory, published Jun 24, 2026 · 1 source

ATEN Unizon uploadSSL Directory Traversal Vulnerability (CVE-2026-9775) Allows Arbitrary File Deletion

A directory traversal vulnerability in ATEN Unizon, tracked as CVE-2026-9775 with a CVSS score of 5.5, allows authenticated remote attackers to delete arbitrary files via the uploadSSL function.

Zero Day Initiative (ZDI) has disclosed a directory traversal vulnerability in ATEN Unizon, tracked as CVE-2026-9775, that allows authenticated remote attackers to delete arbitrary files on affected systems. The flaw, detailed in advisory ZDI-26-379, resides in the uploadSSL method and carries a CVSS score of 5.5, indicating a moderate severity level.

The vulnerability stems from improper validation of user-supplied paths before using them in file operations within the uploadSSL function. An attacker who has already obtained authentication credentials can exploit this flaw to delete arbitrary files on the target system, potentially leading to data loss or creating a denial-of-service condition by removing critical system files.
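The defect class described above is a file operation performed on a user-supplied name without first confining it to the intended directory. The following is an added example, not ATEN's code and not derived from the ZDI advisory: a hypothetical handler that deletes a previously uploaded certificate by name, with the validation that such a handler needs (bare file name only, then containment checked on the canonical path). `resolve_upload_path`, `delete_uploaded_cert`, `is_rejected` and `demo` are names chosen for this illustration.

```python
from pathlib import Path
import tempfile


class PathTraversalError(ValueError):
    """Raised when a user-supplied name would escape the upload directory."""

def resolve_upload_path(upload_dir: str, user_name: str) -> Path:
    """Confine a user-supplied file name to upload_dir and return the path.

    Only a bare file name (e.g. 'server.pem') is accepted; the canonical
    path is then checked for containment so a symlink cannot escape either.
    """
    if not user_name or user_name in (".", "..") or "\x00" in user_name:
        raise PathTraversalError("empty, dot-only or NUL-containing name")
    if "/" in user_name or "\\" in user_name:
        raise PathTraversalError("path separators are not allowed")
    base = Path(upload_dir).resolve()
    candidate = (base / user_name).resolve()
    # Defence in depth: containment is verified on the resolved path, not
    # on the string, so lexical tricks and symlinks are both covered.
    if base not in candidate.parents:
        raise PathTraversalError("resolved path escapes upload directory")
    return candidate

def delete_uploaded_cert(upload_dir: str, user_name: str) -> bool:
    """Delete a previously uploaded certificate; True only if it existed."""
    target = resolve_upload_path(upload_dir, user_name)
    if not target.is_file():
        return False
    target.unlink()
    return True

def is_rejected(upload_dir: str, user_name: str) -> bool:
    """True if the name fails validation (useful for tests and logging)."""
    try:
        resolve_upload_path(upload_dir, user_name)
        return False
    except PathTraversalError:
        return True

def demo() -> tuple:
    """Exercise the checks against a constructed temporary upload directory."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "server.pem").write_text("constructed sample, not a real cert\n")
        first = delete_uploaded_cert(d, "server.pem")   # True: file removed
        second = delete_uploaded_cert(d, "server.pem")  # False: already gone
        blocked = is_rejected(d, "../../etc/passwd")     # True: traversal refused
    return first, second, blocked
```

Logging every `PathTraversalError` with the authenticated user gives a simple detection signal for attempts against such an endpoint.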

ATEN Unizon is a unified management platform used by organizations to centrally manage ATEN KVM switches, power distribution units, and other IT infrastructure devices. The product is deployed in data centers, server rooms, and enterprise environments where remote management and control of hardware is essential. The exact scope of affected versions has not been publicly detailed, but the advisory indicates that ATEN has issued an update to address the vulnerability.

ATEN has released a security advisory with details on the fix, available at their support center. Users are strongly advised to apply the update as soon as possible to mitigate the risk of exploitation. The advisory does not specify whether the vulnerability has been exploited in the wild, but given the public disclosure and the availability of technical details, administrators should prioritize patching.

The vulnerability was reported to ATEN by researcher Ahmed Y. Elmogy on March 13, 2026, and the coordinated public release occurred on June 24, 2026. The disclosure timeline shows responsible handling, with the vendor working to produce a fix before the advisory went public.

This disclosure is part of a broader pattern of directory traversal vulnerabilities being uncovered in ATEN Unizon. In recent weeks, ZDI has disclosed multiple similar flaws in the same product, including CVE-2026-9777 and CVE-2026-9778 (both allowing remote code execution) and CVE-2026-9776 (allowing unauthenticated information disclosure). The cumulative impact of these vulnerabilities underscores the importance of keeping ATEN Unizon installations up to date and limiting authenticated access to trusted users only.

Organizations using ATEN Unizon should review the vendor's security advisory and apply the recommended patch immediately. Additionally, administrators should audit user accounts and ensure that only necessary personnel have authenticated access to the management interface, as authentication is a prerequisite for exploiting this vulnerability.

Synthesized by Vypr AI