CVE-2026-21638

High

Published: 08 January 2026

Published

08 January 2026

Modified

14 January 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0021 43.1th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

A malicious actor in Wi-Fi range of the affected product could leverage a vulnerability in the airMAX Wireless Protocol to achieve a remote code execution (RCE) within the affected product. Affected Products: UBB-XG (Version 1.2.2 and earlier) UDB-Pro/UDB-Pro-Sector (Version 1.4.1…

and earlier) UBB (Version 3.1.5 and earlier) Mitigation: Update your UBB-XG to Version 1.2.3 or later. Update your UDB-Pro/UDB-Pro-Sector to Version 1.4.2 or later. Update your UBB to Version 3.1.7 or later.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Requires timely identification, reporting, and correction of software flaws like this RCE vulnerability in the airMAX Wireless Protocol via firmware updates to patched versions.

SI-10 Information Input Validation good match

prevent

Directly mitigates the underlying command injection (CWE-77) by validating and restricting inputs to the airMAX Wireless Protocol to prevent arbitrary code execution.

AC-18 Wireless Access partial match

prevent

Establishes controls and restrictions on wireless access to the affected Ubiquiti products, limiting exposure to attackers in Wi-Fi range.

Security SummaryAI

CVE-2026-21638 is a remote code execution (RCE) vulnerability in the airMAX Wireless Protocol, affecting Ubiquiti networking products including UBB-XG (version 1.2.2 and earlier), UDB-Pro/UDB-Pro-Sector (version 1.4.1 and earlier), and UBB (version 3.1.5 and earlier). Published on January 8, 2026, it carries a CVSS v3.1 base score of 8.8 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H) and is associated with CWE-77 (Command Injection).

A malicious actor within Wi-Fi range of an affected device can exploit the vulnerability over the adjacent network with low complexity, no privileges, and no user interaction required. Successful exploitation enables arbitrary code execution on the device, granting high impacts to confidentiality, integrity, and availability.

Ubiquiti's security advisory recommends mitigation by updating affected products to patched versions: UBB-XG to 1.2.3 or later, UDB-Pro/UDB-Pro-Sector to 1.4.2 or later, and UBB to 3.1.7 or later. Additional details are available at https://community.ui.com/releases/Security-Advisory-Bulletin-060-060/cde18da7-2bc4-41bb-a9cc-48a4a4c479c1.

Details

CWE(s): CWE-77

Affected Products

ubb-xg firmware

≤ 1.2.3

udb-pro firmware

≤ 1.4.2

udb-pro-sector firmware

≤ 1.4.2

ubb firmware

≤ 3.1.7

MITRE ATT&CK Enterprise TechniquesAI

T1210 Exploitation of Remote Services Lateral Movement

Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

attack.mitre.org →

Why these techniques?

The vulnerability is a command injection leading to remote code execution in the airMAX Wireless Protocol service on Ubiquiti networking devices, exploitable over the adjacent network without privileges, directly enabling Exploitation of Remote Services (T1210).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://community.ui.com/releases/Security-Advisory-Bulletin-060-060/cde18da7-2bc4-41bb-a9cc-48a4a4c479c1
Vendor Advisory · support@hackerone.com