PatchSiren cyber security CVE debrief
CVE-2025-12636 Ubia CVE debrief
A medium-severity vulnerability in the Ubia camera ecosystem allows attackers to gain unauthorized access to live camera feeds and modify settings by exploiting inadequately secured API credentials. The issue affects both Android and iOS versions of the Ubox application. Ubia has implemented a backend fix that requires no user action to apply; however, users on older app versions may experience reduced functionality and should update to Ubox Android 1.1.306 or Ubox iOS 1.1.90 or later for full compatibility.
- Vendor: Ubia
- Product: Ubox Android
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-11-06
- Original CVE updated: 2026-02-03
- Advisory published: 2025-11-06
- Advisory updated: 2026-02-03
Who should care
Organizations and individuals using Ubia Ubox camera systems for physical security monitoring, particularly those with remote access requirements or multi-user deployments.
Technical summary
The Ubia camera ecosystem fails to adequately secure API credentials, potentially enabling an attacker to connect to backend services and gain unauthorized access to available cameras for viewing live feeds or modifying settings. CVSS 3.1 score: 6.5 (Medium). Attack vector: network, attack complexity: low, privileges required: low, user interaction: none. Scope: unchanged, confidentiality impact: high, integrity impact: none, availability impact: none.
Defensive priority
medium
Recommended defensive actions
- Update Ubox Android to version 1.1.306 or newer
- Update Ubox iOS to version 1.1.90 or newer
- Verify camera access controls and review account activity for unauthorized access
- Apply network segmentation for IoT camera deployments per CISA ICS recommended practices
Evidence notes
CISA published advisory ICSA-25-310-02 on 2025-11-06, with Update A released on 2026-02-03 revising affected products and mitigations. The vulnerability was resolved through a backend fix per vendor confirmation in the CSAF advisory.
Official resources
- CVE-2025-12636 CVE record (CVE.org)
- CVE-2025-12636 NVD detail (NVD)
- Source item URL (cisa_csaf)