CVE-2026-21635 Overview
An Improper Access Control vulnerability has been identified in Ubiquiti's EV Station Lite electric vehicle charging station. This firmware vulnerability allows a malicious actor within Wi-Fi range to exploit the WiFi AutoLink feature on devices that were originally configured and adopted exclusively via Ethernet connection.
The vulnerability stems from insufficient access control validation in the WiFi AutoLink functionality, which fails to properly verify the original network adoption method before allowing wireless configuration changes. This could enable unauthorized network access to the charging station's management interface.
Critical Impact
Attackers within adjacent network range can exploit the WiFi AutoLink feature to gain unauthorized access to EV Station Lite devices, potentially exposing sensitive configuration data and network credentials.
Affected Products
- Ubiquiti EV Station Lite firmware v1.5.2 and earlier versions
Discovery Timeline
- 2026-01-05 - CVE CVE-2026-21635 published to NVD
- 2026-01-08 - Last updated in NVD database
Technical Details for CVE-2026-21635
Vulnerability Analysis
This vulnerability is classified as CWE-284 (Improper Access Control), indicating a fundamental flaw in how the EV Station Lite validates access permissions for its WiFi AutoLink feature. The issue arises because the firmware does not maintain a persistent record of the original adoption method (Ethernet vs. WiFi) or fails to enforce access restrictions based on this adoption context.
When a device is adopted via Ethernet, it should logically restrict wireless management capabilities to prevent unauthorized access from the wireless attack surface. However, the current implementation allows the WiFi AutoLink feature to remain accessible regardless of the adoption method, creating an unintended entry point for attackers within radio proximity.
The adjacent network attack vector means an attacker must be within Wi-Fi range of the vulnerable device, limiting exploitation to physical proximity scenarios such as parking facilities, residential areas, or commercial charging stations.
Root Cause
The root cause is improper access control implementation in the WiFi AutoLink subsystem. The firmware fails to implement adequate verification logic that would restrict WiFi-based configuration changes on devices adopted exclusively through wired Ethernet connections. This design oversight allows the wireless interface to accept configuration requests even when the device's adoption state indicates Ethernet-only management should be enforced.
Attack Vector
The attack vector requires the malicious actor to be within Wi-Fi radio range of a vulnerable EV Station Lite device. Once in range, the attacker can interact with the WiFi AutoLink feature to potentially:
- Establish an unauthorized connection to the device's management interface
- Access sensitive configuration data including network credentials
- Modify device settings or network configurations
- Potentially pivot to other devices on the connected network
The attack complexity is considered high as it requires specific conditions to be met, including physical proximity and the target device having been adopted via Ethernet while the WiFi AutoLink feature remains active.
Detection Methods for CVE-2026-21635
Indicators of Compromise
- Unexpected WiFi connection attempts or successful associations to EV Station Lite devices
- Unauthorized configuration changes to EV Station Lite network settings
- Unusual wireless traffic patterns originating from or directed at EV charging stations
- Unexplained changes to WiFi AutoLink settings or network credentials
Detection Strategies
- Monitor wireless network logs for unauthorized connection attempts to EV Station Lite devices
- Implement network segmentation monitoring to detect anomalous traffic patterns from IoT/EV charging infrastructure
- Review device configuration audit logs for unauthorized changes to network adoption settings
- Deploy wireless intrusion detection systems (WIDS) near EV charging infrastructure to identify rogue access attempts
Monitoring Recommendations
- Enable logging on all EV Station Lite devices and centralize log collection for analysis
- Configure alerts for any configuration changes to WiFi AutoLink settings
- Implement regular firmware version audits to ensure devices are running patched versions
- Monitor for unusual wireless activity in areas with deployed EV charging stations
How to Mitigate CVE-2026-21635
Immediate Actions Required
- Review all deployed EV Station Lite devices to identify units running firmware v1.5.2 or earlier
- Disable the WiFi AutoLink feature on devices adopted via Ethernet until patches are applied
- Implement network segmentation to isolate EV charging infrastructure from critical network resources
- Monitor wireless network activity around EV Station Lite installations for suspicious behavior
Patch Information
Ubiquiti has released a security advisory addressing this vulnerability. Organizations should consult the Ubiquiti Security Advisory Bulletin for official patch information and updated firmware downloads.
Administrators should prioritize updating all affected EV Station Lite devices to the latest firmware version as recommended by Ubiquiti.
Workarounds
- Disable WiFi AutoLink feature on all Ethernet-adopted EV Station Lite devices via the management interface
- Implement physical security controls to limit unauthorized access to areas within Wi-Fi range of charging stations
- Configure wireless access control lists (ACLs) to restrict management access to known, authorized MAC addresses
- Deploy EV charging stations in locations with limited public wireless access where feasible
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
