CVE-2026-21639 - Vulnerability Details

A malicious actor in Wi-Fi range of the affected product could leverage a vulnerability in the airMAX Wireless Protocol to achieve a remote code execution (RCE) within the affected product.

Affected Products:

airMAX AC (Version 8.7.20 and earlier)
airMAX M (Version 6.3.22 and earlier)
airFiber AF60-XG (Version 1.2.2 and earlier)
airFiber AF60 (Version 2.6.7 and earlier)

Mitigation:

Update your airMAX AC to Version 8.7.21 or later.
Update your airMAX M to Version 6.3.24 or later.
Update your airFiber AF60-XG to Version 1.2.3 or later.
Update your airFiber AF60 to Version 2.6.8 or later.

No CVSS v4.0

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00044.

Exploitation none

Automatable no

Technical Impact partial

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Ubiquiti Inc

airMAX AC

unaffected

Version	Status	Constraints
`0`	affected	< 8.7.21

Ubiquiti Inc

airMAX M

unaffected

Version	Status	Constraints
`0`	affected	< 6.3.24

Ubiquiti Inc

airFiber AF60-XG

unaffected

Version	Status	Constraints
`0`	affected	< 1.2.3

Ubiquiti Inc

airFiber AF60

unaffected

Version	Status	Constraints
`0`	affected	< 2.6.8

Configuration 1 [-]

AND

cpe:2.3:o:ui:airmax_ac_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:ui:airmax_ac:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:ui:airmax_m_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:ui:airmax_m:-:*:*:*:*:*:*:*

Configuration 3 [-]

AND

cpe:2.3:o:ui:airfiber_af60-xg_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:ui:airfiber_af60-xg:-:*:*:*:*:*:*:*

Configuration 4 [-]

AND

cpe:2.3:o:ui:airfiber_af60_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:ui:airfiber_af60:-:*:*:*:*:*:*:*

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products
Ubiquiti Subscribe	Airfiber Af60 Subscribe Airfiber Af60 Xg Subscribe Airmax Ac Subscribe Airmax M Subscribe

Project Subscriptions

Vendors	Products
Ubiquiti Subscribe	Airfiber Af60 Subscribe Airfiber Af60 Xg Subscribe Airmax Ac Subscribe Airmax M Subscribe
Ui Subscribe	Airfiber Af60 Subscribe Airfiber Af60-xg Subscribe Airfiber Af60-xg Firmware Subscribe Airfiber Af60 Firmware Subscribe Airmax Ac Subscribe Airmax Ac Firmware Subscribe Airmax M Subscribe Airmax M Firmware Subscribe

Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://community.ui.com/releases/Security-Advisory-Bulletin-061-061/1e4fe5f8-29c7-4a7d-a518-01b1537983ba

History

Wed, 14 Jan 2026 21:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Ui Ui airfiber Af60 Ui airfiber Af60-xg Ui airfiber Af60-xg Firmware Ui airfiber Af60 Firmware Ui airmax Ac Ui airmax Ac Firmware Ui airmax M Ui airmax M Firmware
CPEs		cpe:2.3:h:ui:airfiber_af60-xg:-:::::::* cpe:2.3:h:ui:airfiber_af60:-:::::::* cpe:2.3:h:ui:airmax_ac:-:::::::* cpe:2.3:h:ui:airmax_m:-:::::::* cpe:2.3:o:ui:airfiber_af60-xg_firmware:::::::: cpe:2.3:o:ui:airfiber_af60_firmware:::::::: cpe:2.3:o:ui:airmax_ac_firmware:::::::: cpe:2.3:o:ui:airmax_m_firmware::::::::
Vendors & Products		Ui Ui airfiber Af60 Ui airfiber Af60-xg Ui airfiber Af60-xg Firmware Ui airfiber Af60 Firmware Ui airmax Ac Ui airmax Ac Firmware Ui airmax M Ui airmax M Firmware

Fri, 09 Jan 2026 13:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Ubiquiti Ubiquiti airfiber Af60 Ubiquiti airfiber Af60 Xg Ubiquiti airmax Ac Ubiquiti airmax M
Vendors & Products		Ubiquiti Ubiquiti airfiber Af60 Ubiquiti airfiber Af60 Xg Ubiquiti airmax Ac Ubiquiti airmax M

Thu, 08 Jan 2026 18:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-77
Metrics		cvssV3_1 `{'score': 5.4, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 08 Jan 2026 16:30:00 +0000

Type	Values Removed	Values Added
Description		A malicious actor in Wi-Fi range of the affected product could leverage a vulnerability in the airMAX Wireless Protocol to achieve a remote code execution (RCE) within the affected product. Affected Products: airMAX AC (Version 8.7.20 and earlier) airMAX M (Version 6.3.22 and earlier) airFiber AF60-XG (Version 1.2.2 and earlier) airFiber AF60 (Version 2.6.7 and earlier) Mitigation: Update your airMAX AC to Version 8.7.21 or later. Update your airMAX M to Version 6.3.24 or later. Update your airFiber AF60-XG to Version 1.2.3 or later. Update your airFiber AF60 to Version 2.6.8 or later.
References		https://community.ui.com/releases/Security-Advisory-Bulletin-061-061/1e4fe5f8-29c7-4a7d-a518-01b1537983ba

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: hackerone

Published: 2026-01-08T16:14:22.626Z

Updated: 2026-01-08T17:21:53.724Z

Reserved: 2026-01-01T15:00:02.339Z

Link: CVE-2026-21639

Vulnrichment

Updated: 2026-01-08T17:21:36.953Z

NVD

Status : Analyzed

Published: 2026-01-08T17:15:50.483

Modified: 2026-01-14T21:06:35.607

Link: CVE-2026-21639

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-01-09T13:24:54Z

Weaknesses

CWE-77

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Project Subscriptions

Projects

JSON object

JSON object

JSON object

JSON object

JSON object