CISA warns Ubiquiti and Lantronix exploited flaws

A warning arrived with urgency: CISA is telling the public that hackers are already exploiting flaws in widely deployed networking products from Ubiquiti and Lantronix. For system administrators, the message is blunt—this isn’t a theoretical risk sitting in a security bulletin. It’s an active problem.
The U.S. Cybersecurity and Infrastructure Security Agency says attackers are targeting vulnerabilities in Ubiquiti UniFi OS and Lantronix serial-to-ethernet servers. Under the BOD 26-04 directive, federal agencies have three days to apply available security updates or vendor-recommended mitigations.
CISA has added three Ubiquiti vulnerabilities to its catalog of Known Exploited Vulnerabilities:
CVE-2026-34908 is an access control bypass flaw that allows an unauthenticated attacker to make unauthorized changes to a UniFi OS system, potentially leading to full system compromise.
CVE-2026-34909 is a directory/path traversal vulnerability that can let an attacker access sensitive files on the underlying operating system, potentially exposing configuration files, credentials, and other sensitive data that could facilitate account takeover.
CVE-2026-34910 is an improper input validation flaw that enables an attacker to inject and execute arbitrary operating system commands, potentially leading to remote code execution and complete system takeover.
Ubiquiti released security updates for all three flaws in May, warning that they could be exploited remotely without privileges.
Researchers at Bishop Fox later demonstrated that the three issues could be chained together to achieve full remote code execution with elevated privileges on vulnerable UniFi OS devices. To help defenders act quickly, Bishop Fox also released a free detection script on GitHub designed to help organizations discover vulnerable instances across their environments.
The Lantronix situation carries its own red flags. The security issue exploited in Lantronix servers is tracked as CVE-2025-67038. CISA describes it as a critical-severity root-level command injection affecting model EDS5000 running firmware 2.1.0.0R3.
CISA says the vulnerability is in the HTTP RPC module, which executes a shell command to log failed authentication attempts. The supplied username is concatenated directly into the shell command without proper sanitization, allowing an attacker to inject arbitrary operating system commands.
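The bug class described above, shown as an added example beside a hardened form. This is not Lantronix firmware code: the function names, the `logger` command line and the sample username are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* BEFORE (pattern described above): the username is pasted into a shell
 * command line. The string is only built here, never executed. */
int build_log_cmd_unsafe(const char *user, char *out, size_t n)
{
    return snprintf(out, n, "logger -t rpc \"auth failed: %s\"", user);
}

/* AFTER, step 1: replace every byte outside a small allowlist with '_'
 * and cap the length. Returns the number of bytes replaced. */
int sanitize_username(const char *user, char *out, size_t n)
{
    static const char ok[] = "abcdefghijklmnopqrstuvwxyz"
                             "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._@-";
    size_t i = 0;
    int replaced = 0;
    for (; user[i] != '\0' && i + 1 < n; i++) {
        if (strchr(ok, user[i]) != NULL) out[i] = user[i];
        else { out[i] = '_'; replaced++; }
    }
    if (n > 0) out[i] = '\0';
    return replaced;
}

/* AFTER, step 2: log via syslog(3). No shell runs and the format string
 * is constant, so the name can only ever be data. */
int log_failed_auth(const char *user)
{
    char clean[64];
    int replaced = sanitize_username(user, clean, sizeof clean);
    syslog(LOG_AUTH | LOG_WARNING, "auth failed: user=%s replaced=%d",
           clean, replaced);
    return replaced;
}

int main(void)
{
    const char *sample = "bob\"; echo INJECTED #"; /* constructed input */
    char cmd[128];
    build_log_cmd_unsafe(sample, cmd, sizeof cmd);
    printf("unsafe: %s\nreplaced: %d\n", cmd, log_failed_auth(sample));
    return 0;
}
```

Removing the shell from the logging path is the actual fix; the allowlist additionally keeps quotes, newlines and control bytes out of the log record itself.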
Lantronix has released a patch for CVE-2025-67038 and recommends upgrading EDS5000 to version 2.2.0.0R1.
CISA has not provided details about the observed exploitation of any of the four flaws. For all four, the “use in ransomware campaigns” flag was set to “Unknown.”
System administrators handling the affected products are being urged to apply the available updates and/or suggested mitigations as soon as possible, given CISA’s warning that exploitation is already underway.