CVE-2026-21635 is an improper access control vulnerability discovered in Ubiquiti Inc's UniFi Connect EV Station Lite, specifically versions 1.5.2 and earlier. The flaw allows an attacker within Wi-Fi range to leverage the WiFi AutoLink feature on devices that were originally adopted and intended to be managed solely via Ethernet connections. This means that despite the device's configuration to restrict management access to Ethernet, the vulnerability enables unauthorized Wi-Fi based access. The vulnerability does not require any privileges or user interaction, making it easier for attackers to exploit if they are within wireless range. The CVSS v3.1 score of 5.3 reflects a medium severity, with the vector indicating attack vector as adjacent network (Wi-Fi), high attack complexity, no privileges required, no user interaction, unchanged scope, and high confidentiality impact but no impact on integrity or availability. The vulnerability could allow attackers to access sensitive configuration or operational data from the EV Station Lite, potentially leading to information disclosure or further network reconnaissance. No public exploits have been reported yet, but the presence of this vulnerability in a critical EV charging infrastructure device raises concerns about unauthorized access and data leakage. The lack of available patches at the time of reporting necessitates immediate attention from affected organizations to implement compensating controls.

For European organizations, this vulnerability poses a risk of unauthorized access to EV charging infrastructure management interfaces via Wi-Fi, even when devices are configured for Ethernet-only management. This could lead to exposure of sensitive operational data, including charging schedules, user data, or network configuration details. Such data leakage could facilitate further attacks on the organization's network or disrupt EV charging services. Given the increasing adoption of electric vehicles and associated charging infrastructure across Europe, especially in countries with strong EV markets and green energy initiatives, this vulnerability could impact critical infrastructure availability and trust. Confidentiality breaches could undermine user privacy and organizational security policies. While the vulnerability does not directly impact integrity or availability, the potential for information disclosure and subsequent attacks elevates the risk profile. Organizations relying on UniFi Connect EV Station Lite devices should consider the threat significant enough to warrant immediate mitigation to prevent lateral movement or reconnaissance by attackers within Wi-Fi range.

1. Apply vendor patches immediately once available to address the improper access control issue in UniFi Connect EV Station Lite firmware. 2. Until patches are released, disable the WiFi AutoLink feature if possible to prevent unauthorized Wi-Fi based access. 3. Implement strict network segmentation to isolate EV charging stations from general enterprise networks, limiting Wi-Fi access to trusted devices only. 4. Use strong Wi-Fi security protocols (WPA3) and enforce MAC address filtering to restrict wireless access to authorized devices. 5. Monitor wireless networks for unauthorized devices attempting to connect or probe the EV Station Lite devices. 6. Conduct regular security audits of EV infrastructure to detect anomalous access patterns. 7. Educate operational technology (OT) teams about the risks of Wi-Fi based attacks and ensure coordination with IT security teams for comprehensive defense. 8. Consider physical security controls to limit attacker proximity to EV charging stations, reducing the risk of Wi-Fi exploitation. 9. Maintain up-to-date asset inventories to quickly identify affected devices and prioritize remediation efforts.