ZDI-26-128: (Pwn2Own) Ubiquiti Networks AI Pro Uncaught Exception Denial-of-Service Vulnerability

• Advisory Details (Pwn2Own) Ubiquiti Networks AI Pro Uncaught Exception Denial-of-Service Vulnerability ZDI-26-128ZDI-CAN-28824 This vulnerability allows network-adjacent attackers to create a denial-of-service condition on affected installations of Ubiquiti Networks AI Pro • Authentication is not required to exploit this vulnerability • The specific flaw exists within the parsing of WebSocket headers • The issue results from the lack of proper validation of user-supplied data, which can result in an uncaught exception • An attacker can leverage this vulnerability to create a denial-of-service condition on the system • 2026-02-05 - Vulnerability reported to vendor 2026-02-25 - Coordinated public release of advisory 2026-02-25 - Advisory Updated General Inquiries Find us on X Find us on Mastodon Media Inquiries Sensitive Email Communications Our Mission TrendAI TippingPoint IPS Process Researcher Rewards FAQS Privacy Published Advisories Upcoming Advisories RSS Feeds

Advisory Details (Pwn2Own) Ubiquiti Networks AI Pro Discovery Protocol Missing Encryption Protocol Downgrade Vulnerability ZDI-26-126ZDI-CAN-28274 This vulnerability allows network-adjacent attackers to downgrade the communi

Article Summaries:

• CVE ID | CVE-2026-21634 | CVSS SCORE | 6.5, AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | AFFECTED VENDORS | Ubiquiti Networks | AFFECTED PRODUCTS | AI Pro | VULNERABILITY DETAILS | This vulnerability allows network-adjacent attackers to create a denial-of-service condition on affected installations of Ubiquiti Networks AI Pro. Authentication is not required to exploit this vulnerability. The specific flaw exists within the parsing of WebSocket headers. The issue results from the lack of proper validation of user-supplied data, which can result in an uncaught exception. An attacker can leverage this v
• CVE ID | CVE-2026-21633 | CVSS SCORE | 5.4, AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N | AFFECTED VENDORS | Ubiquiti Networks | AFFECTED PRODUCTS | AI Pro | VULNERABILITY DETAILS | This vulnerability allows network-adjacent attackers to downgrade the communication protocol on affected installations of Ubiquiti Networks AI Pro. Authentication is not required to exploit this vulnerability. The specific flaw exists within the discovery protocol. The issue results from the lack of encryption in the communications channel. An attacker can leverage this vulnerability to downgrade the communication protocol

Sources:

• http://www.zerodayinitiative.com/advisories/ZDI-26-128/
• http://www.zerodayinitiative.com/advisories/ZDI-26-126/ (Latest source article published: 2026-02-25 06:00 UTC)