Ubia Ubox (Update A)
Monitor | 6.5 | ICS-CERT ICSA-25-310-02 | Nov 6, 2025
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
Ubia Ubox contains a credential-related vulnerability (CWE-522) that could allow an authenticated attacker to remotely view camera feeds or modify device settings without proper authorization. The vulnerability affects Ubox Android versions prior to 1.1.306 and Ubox iOS versions prior to 1.1.90. Ubia has resolved the issue through a backend fix and recommends updating to the specified versions for full compatibility and to reduce functionality issues.
What this means
What could happen
An attacker with valid credentials could remotely view live camera feeds or modify device settings without authorization, potentially exposing surveillance footage or disrupting monitoring operations.
Who's at risk
Water authorities and utilities using Ubia Ubox for remote camera monitoring and device management. This affects organizations managing surveillance systems through mobile applications for asset monitoring, physical security, or operational oversight.
How it could be exploited
An attacker with valid login credentials could access the Ubox application over the network and request unauthorized access to camera feeds or settings through an authentication bypass or privilege escalation in the app's API. The vulnerability allows this without additional user interaction.
Prerequisites
- Valid Ubox application login credentials
- Network access to Ubox backend API
- Ubox Android or iOS application installed on a mobile device
- remotely exploitable
- authentication required (valid credentials needed)
- low complexity
- no patch required (backend fix deployed)
- affects monitoring/surveillance systems
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (2)
2 with fix
Product | Affected Versions | Fix Status
Ubox Android: <January_15_2026 | <January 15 2026 | 1.1.306
Ubox iOS: <January_15_2026 | <January 15 2026 | 1.1.90
Remediation & Mitigation
Do now
- HARDENING: Monitor user access to camera feeds and settings for unauthorized activity
- HARDENING: Enforce strong, unique passwords for all Ubox application accounts
Schedule — requires maintenance window
Patching may require device reboot; plan for process interruption
- HOTFIX: Update Ubox Android to Version 1.1.306 or later
- HOTFIX: Update Ubox iOS to Version 1.1.90 or later
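Scheduling the two updates above starts with knowing which devices still run an older build. The following Python check is an added example, not part of the advisory or any Ubia tooling: it compares installed Ubox versions against the fixed versions listed here, component by component, because a plain string comparison would rank 1.1.90 above 1.1.306. The inventory layout (device, platform, version) and the function names are assumptions, and the sample rows are constructed.

```python
# Added example: flag Ubox installs older than the fixed versions in this advisory.
FIXED = {"android": (1, 1, 306), "ios": (1, 1, 90)}  # fixed versions from the advisory

def parse_version(text):
    """Turn '1.1.306' into (1, 1, 306) so components compare numerically."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)

def needs_update(platform, version):
    """True when the installed version is older than the fix for that platform."""
    fixed = FIXED[platform.strip().lower()]   # KeyError for an unlisted platform
    installed = parse_version(version)
    # Pad to equal length so '1.2' compares as (1, 2, 0).
    width = max(len(fixed), len(installed))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(installed) < pad(fixed)

def audit(inventory):
    """Split devices into those needing an update and those that could not be judged."""
    outdated, unknown = [], []
    for device, platform, version in inventory:
        try:
            if needs_update(platform, version):
                outdated.append(device)
        except (KeyError, ValueError):
            # Unknown platform or unreadable version: review by hand, do not assume safe.
            unknown.append(device)
    return outdated, unknown

# Constructed sample inventory (hypothetical device names, not real data).
SAMPLE_INVENTORY = [
    ("tablet-01", "Android", "1.1.90"),   # older than 1.1.306 despite the larger-looking '90'
    ("tablet-02", "Android", "1.1.306"),
    ("phone-01", "iOS", "1.1.89"),
    ("phone-02", "iOS", "1.1.90"),
    ("phone-03", "iOS", "1.2"),
    ("kiosk-01", "Android", "unknown"),
]

if __name__ == "__main__":
    outdated, unknown = audit(SAMPLE_INVENTORY)
    print("update required:", outdated)
    print("version not determined:", unknown)
```
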
Long-term hardening
- HARDENING: Restrict network access to Ubox backend API to trusted administrative networks only
CVEs (1)