On June 24, 2026, Trend Micro's Zero Day Initiative published advisory ZDI-26-379 detailing a vulnerability in ATEN Unizon that allows a remote authenticated attacker to delete arbitrary files and cause denial of service. The assigned CVE is CVE-2026-9775, with a CVSS 3.0 score of 5.5 — a MEDIUM rating that, on paper, doesn't sound the alarm. For system administrators managing critical infrastructure, however, the story is different: when file deletion hits essential components, the scoring formula discounts the real-world impact too heavily.
- Vulnerability ZDI-26-379 (CVE-2026-9775) resides in ATEN Unizon's uploadSSL method, where unsanitized user-supplied paths enable directory traversal and arbitrary file deletion
- Exploitation requires authentication: the attacker must have valid credentials, but once inside, the impact on availability is high (A:H in the CVSS vector)
- The CVSS 3.0 score is 5.5 MEDIUM: vector AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H shows how the high-privilege requirement lowers integrity (I:L) but not availability
- ATEN has released a patch; the vulnerability was reported on March 13, 2026 and published after 103 days of coordinated disclosure
The Mechanism: How uploadSSL Yields to Directory Traversal
The flaw lies in the uploadSSL method of the ATEN Unizon product. According to the ZDI advisory, "the specific flaw exists within the uploadSSL method. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations." The missing validation allows an attacker to inject directory traversal sequences — classic constructs like ../ or variants — that bypass file access restrictions.
The result is an arbitrary file deletion operation on files the authenticated user should not have visibility into. The CWE-22 classification, "Improper Limitation of a Pathname to a Restricted Directory," confirms the structural nature of the defect: this is not a misconfiguration or an occasional oversight, but an absence of path sanitization at the code level.
"This vulnerability allows remote attackers to delete arbitrary files on affected installations of ATEN Unizon. Authentication is required to exploit this vulnerability." — ZDI Advisory ZDI-26-379
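The CWE-22 pattern described above, as an added illustration that is not ATEN's code and makes no claim about how uploadSSL is actually implemented: a file-deletion routine that joins a user-supplied name onto a directory without checking where the result lands, next to a hardened version that canonicalizes the path and refuses anything outside the intended directory. The sandbox directory, file names and the `resolve_within` helper are constructed for the demonstration.

```python
import os
import shutil
import tempfile


class PathTraversalError(ValueError):
    """Raised when a user-supplied path would leave the permitted directory."""


def resolve_within(base_dir, user_path):
    # Hardened resolution (example helper): canonicalize both sides so "..",
    # "." and symlinks are collapsed, then require that the candidate still
    # lies strictly under base_dir. Because the check runs on the canonical
    # path it also rejects absolute paths and symlinks planted in base_dir.
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise PathTraversalError(f"path escapes {base!r}: {user_path!r}")
    return candidate


def delete_upload_unsafe(base_dir, user_path):
    # The CWE-22 shape: the user-supplied path goes straight into a file
    # operation. os.path.join happily follows "../" out of base_dir and
    # discards base_dir entirely when user_path is absolute.
    target = os.path.join(base_dir, user_path)
    os.remove(target)
    return target


def delete_upload_safe(base_dir, user_path):
    # Same operation, but only after confinement to base_dir.
    target = resolve_within(base_dir, user_path)
    os.remove(target)
    return target


def demo():
    # Constructed sandbox: an "uploads" directory and a sibling file standing
    # in for a critical service component the endpoint must never touch.
    root = tempfile.mkdtemp()
    uploads = os.path.join(root, "uploads")
    os.makedirs(uploads)
    critical = os.path.join(root, "service.db")
    open(critical, "w").close()
    results = {}
    try:
        # Unsafe version: a single "../" escapes the directory.
        delete_upload_unsafe(uploads, "../service.db")
        results["unsafe_deleted_sibling"] = not os.path.exists(critical)
        open(critical, "w").close()

        # Safe version: the same traversal is rejected before any I/O.
        try:
            delete_upload_safe(uploads, "../service.db")
            results["safe_blocked"] = False
        except PathTraversalError:
            results["safe_blocked"] = True

        # An absolute path is rejected too (os.path.join would drop base_dir).
        try:
            delete_upload_safe(uploads, critical)
            results["absolute_blocked"] = False
        except PathTraversalError:
            results["absolute_blocked"] = True
        results["critical_survives"] = os.path.exists(critical)

        # Legitimate deletion inside the directory still works.
        legit = os.path.join(uploads, "old.crt")
        open(legit, "w").close()
        delete_upload_safe(uploads, "old.crt")
        results["legit_deleted"] = not os.path.exists(legit)
    finally:
        shutil.rmtree(root, ignore_errors=True)
    return results


if __name__ == "__main__":
    print(demo())
```

Canonicalizing first and comparing afterwards is what makes the check robust: stripping `..` substrings or checking for a `/` prefix can be bypassed by encodings or symlinks, whereas `realpath` reports where the operating system would actually perform the deletion.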
The CVSS 5.5 and the Operational Impact Paradox
Per the official CVE record, the vulnerability scores 5.5 with vector CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:H. Decoding: network attack vector (AV:N), low attack complexity (AC:L), high privileges required (PR:H), no user interaction (UI:N), unchanged scope (S:U), no confidentiality impact (C:N), low integrity impact (I:L), high availability impact (A:H).
The problem lies in the scoring math. The authentication requirement (PR:H) significantly depresses the overall value, compressing integrity to "low" despite arbitrary file deletion. But in operational practice, if the compromised account is an administrator or credentials have been stolen, the attacker can delete critical system files — essential binaries, databases, configurations — with denial-of-service effects that CVSS labels A:H but fails to translate into high overall severity.
This discrepancy is well known to risk management analysts: the CVSS v3.0 framework weights access as a prerequisite more heavily than effect. In enterprise environments where ATEN Unizon manages remote consoles and control infrastructure, a service outage from file deletion carries business continuity costs that the number 5.5 does not communicate to non-technical decision-makers.
The Coordination Timeline and the ATEN Patch
The vulnerability was reported to ATEN on March 13, 2026. After 103 days of coordinated disclosure, ZDI published the advisory on June 24, 2026 with coordinated release. ATEN has issued a corrective update: "ATEN has issued an update to correct this vulnerability," reads the advisory, though the specific affected versions and exact patch path are not detailed in the available dossier.
The prior internal ZDI identifier was ZDI-CAN-28503, tracked in the CVE record as a signal of the disclosure path. The choice of coordinated publication — rather than immediate disclosure — indicates the vendor responded within the standard 120-day window, though the dossier does not specify intermediate response dates or preliminary patch releases.
What to Do Now
For administrators managing ATEN Unizon deployments, four actions are documented:
- Verify the presence of ATEN Unizon installations in the system inventory and map instances exposed to the network
- Apply the corrective update released by ATEN for vulnerability ZDI-26-379
- Factor in that exploitation requires authentication: assess credential protection as a complementary control to patching
- Monitor access logs for the uploadSSL method to identify anomalous requests with directory traversal patterns
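The fourth action, log monitoring, as an added example that is not from the advisory or from ATEN: a small scanner over access-log lines that picks out requests to the uploadSSL method whose path or query carries a traversal sequence once URL encoding (including double encoding) is removed, and tallies them by source address. The log lines are constructed, and the request path `/unizon/uploadSSL` is an assumed placeholder rather than a documented Unizon URL; a real deployment would substitute the path seen in its own logs.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample access-log lines (common log format). Line 1 is a normal
# upload; lines 2-4 carry plain, percent-encoded and double-encoded "..".
SAMPLE_LOG = """\
10.0.0.5 - admin [24/Jun/2026:10:01:02 +0000] "POST /unizon/uploadSSL?file=server.crt HTTP/1.1" 200 512
10.0.0.9 - admin [24/Jun/2026:10:03:17 +0000] "POST /unizon/uploadSSL?file=../../etc/ssl/server.key HTTP/1.1" 200 87
10.0.0.9 - admin [24/Jun/2026:10:03:18 +0000] "POST /unizon/uploadSSL?file=..%2F..%2Fopt%2Funizon%2Funizon.db HTTP/1.1" 200 87
10.0.0.9 - admin [24/Jun/2026:10:03:19 +0000] "POST /unizon/uploadSSL?file=%252e%252e%252fconfig.xml HTTP/1.1" 200 87
10.0.0.7 - viewer [24/Jun/2026:10:05:00 +0000] "GET /unizon/dashboard HTTP/1.1" 200 4096
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# ".." as a whole path element: at the start or after a separator or a
# query delimiter, and followed by a separator or end of string.
TRAVERSAL_RE = re.compile(r'(?:^|[\\/=?&])\.\.(?:[\\/]|$)')

# Assumed endpoint name to watch; the advisory names the method, not the URL.
WATCH_METHOD = "uploadSSL"


def decode_fully(value, max_rounds=3):
    # Decode until stable so %252e%252e (double-encoded "..") is exposed.
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_traversal(log_text):
    """Return one dict per request to the watched method containing traversal."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or WATCH_METHOD not in m.group("target"):
            continue
        decoded = decode_fully(m.group("target"))
        if TRAVERSAL_RE.search(decoded):
            hits.append({
                "src": m.group("src"),
                "user": m.group("user"),
                "ts": m.group("ts"),
                "status": int(m.group("status")),
                "decoded": decoded,
            })
    return hits


def summarize(hits):
    # Count of suspicious requests per source address: repeated attempts from
    # one address against one authenticated account are the signal to escalate.
    return dict(Counter(h["src"] for h in hits))


if __name__ == "__main__":
    found = find_traversal(SAMPLE_LOG)
    for h in found:
        print(h["ts"], h["src"], h["user"], h["status"], h["decoded"])
    print(summarize(found))
```

Two details matter for a detection like this: decode before matching, because a single-pass decoder misses `%252e`, and match `..` only as a whole path element so that legitimate file names containing two dots (`archive..old.crt`) do not page anyone. Any request that is flagged and also returned a success status deserves a check of the credentials involved, since the advisory confirms exploitation requires a valid account.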
The dossier does not specify the exact nature of the update (minor release, hotfix, major version change) nor provide a direct patch URL. Organizations will need to consult the ATEN support portal with reference CVE-2026-9775.
Editorial Analysis: When the Number Is Not Enough
Case ZDI-26-379 exemplifies a systemic failure in risk communication: CVSS is a triage tool, not an operational storytelling device. A MEDIUM score of 5.5 can end up at the bottom of CISO prioritization lists, especially in summer when security teams are under pressure from multiple patches. Yet arbitrary file deletion in a remote management system like Unizon can equate to a complete outage if it hits service binaries.
The CVSS vector shows A:H — availability high — but the weight of the PR:H requirement dilutes it. For operators, the lesson is that score reading must be contextual: a 5.5 in an infrastructure management product has different implications than a 5.5 in an isolated desktop application. The formula does not distinguish, and the reader must know that.
Open questions remain. Specific affected versions are not listed in the brief. It does not emerge whether the vulnerability has been observed in the wild or if public exploit code exists. The exact path of the missing sanitization — which validation is absent, whether checks on .., path canonicalization, or directory allowlisting — is not detailed. These limits make a post-patch residual risk assessment difficult without direct testing.
For now, the source confirms a patch is available, the vector is known, and the impact is documented. The rest is work for network defenders.