Ubia Ubox (Update A)

Monitor | CVSS 6.5 | ICS-CERT ICSA-25-310-02 | Nov 6, 2025
Attack path
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

A credential storage vulnerability (CWE-522) in Ubox mobile applications allows authenticated attackers to remotely view camera feeds or modify device settings. The vulnerability affects Ubox Android versions before 1.1.306 and Ubox iOS versions before 1.1.90. Ubia has resolved this issue through a backend fix, though updating the mobile applications to the specified versions is recommended for full compatibility and to reduce functionality issues.

What this means
What could happen
An attacker with valid credentials could remotely access camera feeds or modify device settings on mobile devices running older Ubox versions, potentially disrupting surveillance operations.
Who's at risk
Organizations operating mobile-based surveillance or monitoring systems via Ubox applications, including security teams, building management systems, and facilities monitoring operations relying on iOS or Android mobile access to camera systems and device controls.
How it could be exploited
An attacker with legitimate user credentials could authenticate to the Ubox mobile application and exploit improper credential storage or handling to access camera feeds without authorization or change device configuration settings.
Prerequisites
  • Valid Ubox user account credentials
  • Network connectivity to Ubox backend service
  • Mobile device running affected Ubox Android or iOS version
Tags: remotely exploitable, affects surveillance systems, credential-based attack, requires valid user account
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (2)
2 with fix
Product | Affected Versions | Fix Status
Ubox Android: <January_15_2026 | <January 15 2026 | 1.1.306
Ubox IOS: <January_15_2026 | <January 15 2026 | 1.1.90
Remediation & Mitigation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update Ubox Android to version 1.1.306 or later
HOTFIX: Update Ubox iOS to version 1.1.90 or later
API: /api/v1/advisories/83832fc0-50a5-471b-a21f-3da451a1975f
