
CVE-2026-21635: Vulnerability in Ubiquiti Inc UniFi Connect EV Station Lite

Severity: Medium
Published: Mon Jan 05 2026 (01/05/2026, 16:47:39 UTC)
Source: CVE Database V5
Vendor/Project: Ubiquiti Inc
Product: UniFi Connect EV Station Lite

Description

An Improper Access Control vulnerability could allow a malicious actor within Wi-Fi range of the EV Station Lite (v1.5.2 and earlier) to use the WiFi AutoLink feature on a device that was only adopted via Ethernet.

AI-Powered Analysis

Last updated: 01/12/2026, 21:20:35 UTC

Technical Analysis

CVE-2026-21635 is an improper access control vulnerability found in Ubiquiti Inc's UniFi Connect EV Station Lite, specifically versions 1.5.2 and earlier. The vulnerability arises from the WiFi AutoLink feature, which is intended to facilitate device connectivity. However, a malicious actor within Wi-Fi range can exploit this feature to gain unauthorized access to a device that was initially adopted via Ethernet, bypassing intended network segmentation controls. The vulnerability does not require any authentication or user interaction, increasing its risk profile. The CVSS v3.1 base score is 5.3, indicating a medium severity level, with the vector AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N. This means the attack requires adjacent network access (Wi-Fi range), high attack complexity, no privileges or user interaction, and impacts confidentiality but not integrity or availability. The flaw is classified under CWE-284 (Improper Access Control), highlighting a failure to enforce proper permissions. No patches or exploits are currently reported, but the vulnerability could allow attackers to intercept or manipulate sensitive data or configurations on the EV Station Lite device. Given the role of EV charging stations in critical infrastructure and the increasing deployment of IoT devices in energy and transportation sectors, this vulnerability poses a tangible risk to operational security.

Potential Impact

For European organizations, this vulnerability could lead to unauthorized access to EV charging station devices, potentially exposing sensitive operational data or enabling attackers to manipulate device configurations. This could disrupt EV charging services or compromise user privacy. The confidentiality impact is high, as attackers may intercept or access sensitive information. Although the vulnerability does not affect integrity or availability directly, unauthorized access could be a stepping stone for further attacks on network infrastructure. Organizations operating EV charging infrastructure, especially those using Ubiquiti UniFi Connect EV Station Lite devices, face increased risk of localized attacks from adversaries within Wi-Fi range. This is particularly concerning in public or semi-public charging locations where Wi-Fi access is less controlled. The medium CVSS score reflects moderate risk, but the potential impact on critical infrastructure and user trust elevates the importance of addressing this vulnerability promptly.

Mitigation Recommendations

1. Monitor Ubiquiti's official channels for firmware updates or patches addressing CVE-2026-21635 and apply them immediately upon release.
2. Restrict Wi-Fi access to EV Station Lite devices by implementing strong Wi-Fi network segmentation and access control lists (ACLs) to limit connections only to authorized devices.
3. Disable the WiFi AutoLink feature if it is not essential for operations, reducing the attack surface.
4. Conduct regular security audits and penetration testing on EV charging infrastructure to detect unauthorized access attempts.
5. Deploy network monitoring tools capable of detecting anomalous Wi-Fi activity around EV charging stations.
6. Educate operational staff about the risks of Wi-Fi based attacks and enforce physical security measures to limit attacker proximity.
7. Consider using VPNs or encrypted tunnels for management traffic to the EV Station Lite devices to protect confidentiality.
8. Collaborate with Ubiquiti support for guidance on secure configuration best practices specific to the EV Station Lite product.


Technical Details

Data Version: 5.2
Assigner Short Name: hackerone
Date Reserved: 2026-01-01T15:00:02.338Z
Cvss Version: 3.1
State: PUBLISHED

Threat ID: 695bec94b7d62031395509e1

Added to database: 1/5/2026, 4:53:40 PM

Last enriched: 1/12/2026, 9:20:35 PM

Last updated: 2/7/2026, 4:34:05 AM
