{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21638", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "state": "PUBLISHED", "assignerShortName": "hackerone", "dateReserved": "2026-01-01T15:00:02.339Z", "datePublished": "2026-01-08T16:14:22.563Z", "dateUpdated": "2026-02-26T15:04:54.587Z"}, "containers": {"cna": {"descriptions": [{"lang": "en", "value": "A malicious actor in Wi-Fi range of the affected product could leverage a vulnerability in the airMAX Wireless Protocol to achieve a remote code execution (RCE) within the affected product.\r\n\r\n\r\nAffected Products:\r\nUBB-XG (Version 1.2.2 and earlier) \r\nUDB-Pro/UDB-Pro-Sector (Version 1.4.1 and earlier) \r\nUBB (Version 3.1.5 and earlier) \r\n \r\nMitigation:\r\nUpdate your UBB-XG to Version 1.2.3 or later.\r\nUpdate your UDB-Pro/UDB-Pro-Sector to Version 1.4.2 or later.\r\nUpdate your UBB to Version 3.1.7 or later."}], "affected": [{"defaultStatus": "unaffected", "vendor": "Ubiquiti Inc", "product": "UBB-XG", "versions": [{"version": "0", "status": "affected", "lessThan": "1.2.3", "versionType": "semver"}]}, {"defaultStatus": "unaffected", "vendor": "Ubiquiti Inc", "product": "UDB-Pro/UDB-Pro-Sector", "versions": [{"version": "0", "status": "affected", "lessThan": "1.4.2", "versionType": "semver"}]}, {"defaultStatus": "unaffected", "vendor": "Ubiquiti Inc", "product": "UBB", "versions": [{"version": "0", "status": "affected", "lessThan": "3.1.7", "versionType": "semver"}]}], "references": [{"url": "https://community.ui.com/releases/Security-Advisory-Bulletin-060-060/cde18da7-2bc4-41bb-a9cc-48a4a4c479c1"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH"}}], "providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2026-01-08T16:14:22.563Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21638", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-09T04:55:28.516483Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-77", "description": "CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')"}]}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T15:04:54.587Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21638", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-08T16:48:03.850272Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-77", "description": "CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-08T16:48:20.274Z"}}], "cna": {"metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "Ubiquiti Inc", "product": "UBB-XG", "versions": [{"status": "affected", "version": "0", "lessThan": "1.2.3", "versionType": "semver"}], "defaultStatus": "unaffected"}, {"vendor": "Ubiquiti Inc", "product": "UDB-Pro/UDB-Pro-Sector", "versions": [{"status": "affected", "version": "0", "lessThan": "1.4.2", "versionType": "semver"}], "defaultStatus": "unaffected"}, {"vendor": "Ubiquiti Inc", "product": "UBB", "versions": [{"status": "affected", "version": "0", "lessThan": "3.1.7", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://community.ui.com/releases/Security-Advisory-Bulletin-060-060/cde18da7-2bc4-41bb-a9cc-48a4a4c479c1"}], "descriptions": [{"lang": "en", "value": "A malicious actor in Wi-Fi range of the affected product could leverage a vulnerability in the airMAX Wireless Protocol to achieve a remote code execution (RCE) within the affected product.\r\n\r\n\r\nAffected Products:\r\nUBB-XG (Version 1.2.2 and earlier) \r\nUDB-Pro/UDB-Pro-Sector (Version 1.4.1 and earlier) \r\nUBB (Version 3.1.5 and earlier) \r\n \r\nMitigation:\r\nUpdate your UBB-XG to Version 1.2.3 or later.\r\nUpdate your UDB-Pro/UDB-Pro-Sector to Version 1.4.2 or later.\r\nUpdate your UBB to Version 3.1.7 or later."}], "providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2026-01-08T16:14:22.563Z"}}}, "cveMetadata": {"cveId": "CVE-2026-21638", "state": "PUBLISHED", "dateUpdated": "2026-01-09T04:55:27.784Z", "dateReserved": "2026-01-01T15:00:02.339Z", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "datePublished": "2026-01-08T16:14:22.563Z", "assignerShortName": "hackerone"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:ui:ubb-xg_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "D3F0A7CB-D400-4398-B59D-62849049956B", "versionEndExcluding": "1.2.3", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:ui:ubb-xg:-:*:*:*:*:*:*:*", "matchCriteriaId": "F840F091-FA53-4F41-9DDE-F00C0C377EC5", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:ui:udb-pro_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "691CC9AC-2146-4758-A112-63FD94997A40", "versionEndExcluding": "1.4.2", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:ui:udb-pro:-:*:*:*:*:*:*:*", "matchCriteriaId": "5B87A97E-15F6-4524-BDE4-670C0E2FC8FB", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:ui:udb-pro-sector_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "770CD4B8-8548-4797-9FCB-C10400E44EA2", "versionEndExcluding": "1.4.2", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:ui:udb-pro-sector:-:*:*:*:*:*:*:*", "matchCriteriaId": "F050664F-2D0A-42D9-AF9A-DCC35E77991C", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:ui:ubb_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "52AAAA01-7576-46BD-AC80-09EA5B3D6263", "versionEndExcluding": "3.1.7", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:ui:ubb:-:*:*:*:*:*:*:*", "matchCriteriaId": "E6480788-66E3-496A-B1D8-4A190E5D2222", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A malicious actor in Wi-Fi range of the affected product could leverage a vulnerability in the airMAX Wireless Protocol to achieve a remote code execution (RCE) within the affected product.\r\n\r\n\r\nAffected Products:\r\nUBB-XG (Version 1.2.2 and earlier) \r\nUDB-Pro/UDB-Pro-Sector (Version 1.4.1 and earlier) \r\nUBB (Version 3.1.5 and earlier) \r\n \r\nMitigation:\r\nUpdate your UBB-XG to Version 1.2.3 or later.\r\nUpdate your UDB-Pro/UDB-Pro-Sector to Version 1.4.2 or later.\r\nUpdate your UBB to Version 3.1.7 or later."}], "id": "CVE-2026-21638", "lastModified": "2026-01-14T21:06:07.787", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "support@hackerone.com", "type": "Secondary"}]}, "published": "2026-01-08T17:15:50.357", "references": [{"source": "support@hackerone.com", "tags": ["Vendor Advisory"], "url": "https://community.ui.com/releases/Security-Advisory-Bulletin-060-060/cde18da7-2bc4-41bb-a9cc-48a4a4c479c1"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-77"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T07:37:45.405846+00:00", "value": {"mitigation_remediation": ["Upgrade UBB\u2011XG firmware to version 1.2.3 or later.", "Upgrade UDB\u2011Pro/UDB\u2011Pro\u2011Sector firmware to version 1.4.2 or later.", "Upgrade UBB firmware to version 3.1.7 or later.", "Place the devices behind a firewall that restricts outbound access and blocks unsolicited traffic.", "Segment the Wi\u2011Fi network and restrict which clients can communicate with the devices, using VLANs or MAC filtering."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Ubiquiti Inc\u2019s UBB\u2011XG, UBB, and UDB\u2011Pro/UDB\u2011Pro\u2011Sector devices are affected. Firmware versions up to UBB\u2011XG 1.2.2, UDB\u2011Pro/UDB\u2011Pro\u2011Sector 1.4.1, and UBB 3.1.5 are vulnerable. Applying any later firmware (UBB\u2011XG\u00a01.2.3+, UDB\u2011Pro/UDB\u2011Pro\u2011Sector\u00a01.4.2+, UBB\u00a03.1.7+) removes the flaw.", "description_and_impact": "Attacks from within Wi\u2011Fi coverage can exploit a flaw in the airMAX Wireless Protocol, allowing a malicious actor to inject commands that are executed with device privileges. The weakness, a path\u2011to\u2011command injection (CWE\u201177), opens the possibility for full control over the device, enabling data exfiltration, network disruption, or use as a pivot for further attacks.", "risk_and_exploitability": "The vulnerability scores a CVSS of 8.8, indicating high severity, while the EPSS score of less than 1% suggests low current exploitation likelihood. Because the flaw is triggered by malicious traffic over the airMAX protocol, an attacker must be within wireless range and able to craft protocol packets. The risk is mitigated if the device is isolated from the external network or configured to minimize exposure."}}}}, "created": "2026-01-09T13:24:43.007954+00:00", "title": "Remote Code Execution via AirMAX Protocol in Ubiquiti Devices", "updated": "2026-04-18T07:45:24.978790+00:00", "vendors": ["ubiquiti", "ubiquiti$PRODUCT$ubb", "ubiquiti$PRODUCT$ubb-xg", "ubiquiti$PRODUCT$udb-pro", "ubiquiti$PRODUCT$udb-pro-sector"]}