Description
A malicious actor in Wi-Fi range of the affected product could leverage a vulnerability in the airMAX Wireless Protocol to achieve a remote code execution (RCE) within the affected product.



Affected Products:

airMAX AC (Version 8.7.20 and earlier)
airMAX M (Version 6.3.22 and earlier)
airFiber AF60-XG (Version 1.2.2 and earlier)
airFiber AF60 (Version 2.6.7 and earlier)



Mitigation:

Update your airMAX AC to Version 8.7.21 or later.
Update your airMAX M to Version 6.3.24 or later.
Update your airFiber AF60-XG to Version 1.2.3 or later.
Update your airFiber AF60 to Version 2.6.8 or later.
Published: 2026-01-08
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote code execution
Action: Immediate patch
AI Analysis

Impact

The vulnerability allows a malicious actor within Wi‑Fi range of affected Ubiquiti devices to trigger remote code execution by sending specially crafted packets that exploit a flaw in the airMAX Wireless Protocol. The flaw can be abused to run arbitrary code on the device, potentially compromising confidentiality, integrity, and availability of the network. The issue is identified as CWE‑77 due to improper handling of command injection.

Affected Systems

Affected products include Ubiquiti airMAX AC, airMAX M, airFiber AF60‑XG, and airFiber AF60. Vulnerable firmware versions are airMAX AC 8.7.20 and earlier, airMAX M 6.3.22 and earlier, airFiber AF60‑XG 1.2.2 and earlier, and airFiber AF60 2.6.7 and earlier.

Risk and Exploitability

The CVSS score of 5.4 indicates a moderate severity; the EPSS score of less than 1% suggests a low probability of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote over the air interface, requiring an adversary in physical wireless proximity to the device. No known public exploits have been reported, but the reachable nature of the flaw warrants precaution.

Generated by OpenCVE AI on April 18, 2026 at 07:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update airMAX AC to firmware version 8.7.21 or later.
  • Update airMAX M to firmware version 6.3.24 or later.
  • Update airFiber AF60‑XG to firmware version 1.2.3 or later.
  • Update airFiber AF60 to firmware version 2.6.8 or later.

Generated by OpenCVE AI on April 18, 2026 at 07:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 18 Apr 2026 08:00:00 +0000

Type Values Removed Values Added
Title Remote Code Execution via airMAX Wireless Protocol in Ubiquiti AirMAX and AirFiber Devices

Wed, 14 Jan 2026 21:15:00 +0000

Type Values Removed Values Added
First Time appeared Ui
Ui airfiber Af60
Ui airfiber Af60-xg
Ui airfiber Af60-xg Firmware
Ui airfiber Af60 Firmware
Ui airmax Ac
Ui airmax Ac Firmware
Ui airmax M
Ui airmax M Firmware
CPEs cpe:2.3:h:ui:airfiber_af60-xg:-:*:*:*:*:*:*:*
cpe:2.3:h:ui:airfiber_af60:-:*:*:*:*:*:*:*
cpe:2.3:h:ui:airmax_ac:-:*:*:*:*:*:*:*
cpe:2.3:h:ui:airmax_m:-:*:*:*:*:*:*:*
cpe:2.3:o:ui:airfiber_af60-xg_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:ui:airfiber_af60_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:ui:airmax_ac_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:ui:airmax_m_firmware:*:*:*:*:*:*:*:*
Vendors & Products Ui
Ui airfiber Af60
Ui airfiber Af60-xg
Ui airfiber Af60-xg Firmware
Ui airfiber Af60 Firmware
Ui airmax Ac
Ui airmax Ac Firmware
Ui airmax M
Ui airmax M Firmware

Fri, 09 Jan 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Ubiquiti
Ubiquiti airfiber Af60
Ubiquiti airfiber Af60 Xg
Ubiquiti airmax Ac
Ubiquiti airmax M
Vendors & Products Ubiquiti
Ubiquiti airfiber Af60
Ubiquiti airfiber Af60 Xg
Ubiquiti airmax Ac
Ubiquiti airmax M

Thu, 08 Jan 2026 18:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-77
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 08 Jan 2026 16:30:00 +0000

Type Values Removed Values Added
Description A malicious actor in Wi-Fi range of the affected product could leverage a vulnerability in the airMAX Wireless Protocol to achieve a remote code execution (RCE) within the affected product. Affected Products: airMAX AC (Version 8.7.20 and earlier) airMAX M (Version 6.3.22 and earlier) airFiber AF60-XG (Version 1.2.2 and earlier) airFiber AF60 (Version 2.6.7 and earlier) Mitigation: Update your airMAX AC to Version 8.7.21 or later. Update your airMAX M to Version 6.3.24 or later. Update your airFiber AF60-XG to Version 1.2.3 or later. Update your airFiber AF60 to Version 2.6.8 or later.
References

Subscriptions

Ubiquiti Airfiber Af60 Airfiber Af60 Xg Airmax Ac Airmax M
Ui Airfiber Af60 Airfiber Af60-xg Airfiber Af60-xg Firmware Airfiber Af60 Firmware Airmax Ac Airmax Ac Firmware Airmax M Airmax M Firmware
cve-icon MITRE

Status: PUBLISHED

Assigner: hackerone

Published:

Updated: 2026-01-08T17:21:53.724Z

Reserved: 2026-01-01T15:00:02.339Z

Link: CVE-2026-21639

cve-icon Vulnrichment

Updated: 2026-01-08T17:21:36.953Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-08T17:15:50.483

Modified: 2026-01-14T21:06:35.607

Link: CVE-2026-21639

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T07:45:24Z

Weaknesses