Cyber Posture

CVE-2026-21638

High

Published: 08 January 2026

Modified: 14 January 2026
KEV Added
Patch
CVSS Score: 8.8 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0022 (45.0th percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-21638 is a high-severity Command Injection (CWE-77) vulnerability in Ui Ubb-Xg Firmware. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). The CVE ranks at the 45.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation of Remote Services (T1210). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent

Requires timely identification, reporting, and correction of software flaws like this RCE vulnerability in the airMAX Wireless Protocol via firmware updates to patched versions.

prevent

Directly mitigates the underlying command injection (CWE-77) by validating and restricting inputs to the airMAX Wireless Protocol to prevent arbitrary code execution.

prevent

Establishes controls and restrictions on wireless access to the affected Ubiquiti products, limiting exposure to attackers in Wi-Fi range.

MITRE ATT&CK Enterprise Techniques

T1210 Exploitation of Remote Services (Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

Why these techniques?

The vulnerability is a command injection leading to remote code execution in the airMAX Wireless Protocol service on Ubiquiti networking devices, exploitable over the adjacent network without privileges, directly enabling Exploitation of Remote Services (T1210).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

A malicious actor in Wi-Fi range of the affected product could leverage a vulnerability in the airMAX Wireless Protocol to achieve a remote code execution (RCE) within the affected product. Affected Products: UBB-XG (Version 1.2.2 and earlier) UDB-Pro/UDB-Pro-Sector (Version 1.4.1 and earlier) UBB (Version 3.1.5 and earlier) Mitigation: Update your UBB-XG to Version 1.2.3 or later. Update your UDB-Pro/UDB-Pro-Sector to Version 1.4.2 or later. Update your UBB to Version 3.1.7 or later.

Deeper analysis

CVE-2026-21638 is a remote code execution (RCE) vulnerability in the airMAX Wireless Protocol, affecting Ubiquiti networking products including UBB-XG (version 1.2.2 and earlier), UDB-Pro/UDB-Pro-Sector (version 1.4.1 and earlier), and UBB (version 3.1.5 and earlier). Published on January 8, 2026, it carries a CVSS v3.1 base score of 8.8 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-77 (Command Injection).

A malicious actor within Wi-Fi range of an affected device can exploit the vulnerability over the adjacent network with low complexity, no privileges, and no user interaction. Successful exploitation enables arbitrary code execution on the device, with high impact on confidentiality, integrity, and availability.

Ubiquiti's security advisory recommends mitigation by updating affected products to patched versions: UBB-XG to 1.2.3 or later, UDB-Pro/UDB-Pro-Sector to 1.4.2 or later, and UBB to 3.1.7 or later. Additional details are available at https://community.ui.com/releases/Security-Advisory-Bulletin-060-060/cde18da7-2bc4-41bb-a9cc-48a4a4c479c1.

Details

CWE(s)

Affected Products

Vendor · Product · Version
ui · ubb-xg firmware · ≤ 1.2.3
ui · udb-pro firmware · ≤ 1.4.2
ui · udb-pro-sector firmware · ≤ 1.4.2
ui · ubb firmware · ≤ 3.1.7

CVEs Like This One

CVE-2026-21633 · Same vendor: Ui
CVE-2025-40937 · Shared CWE-77
CVE-2025-59470 · Shared CWE-77
CVE-2025-57199 · Shared CWE-77
CVE-2025-57105 · Shared CWE-77
CVE-2025-54964 · Shared CWE-77
CVE-2025-66399 · Shared CWE-77
CVE-2026-20147 · Shared CWE-77
CVE-2025-52665 · Same vendor: Ui
CVE-2024-52325 · Shared CWE-77
