The US Cybersecurity and Infrastructure Security Agency (CISA) has added four actively exploited vulnerabilities to its Known Exploited Vulnerabilities catalog, affecting Ubiquiti UniFi OS and Lantronix EDS5000 devices. The bugs were discovered in May and June of this year, with CISA warning that they are being actively exploited by hackers.

The four vulnerabilities include three in Ubiquiti's UniFi OS software: CVE-2026-34908, an improper access control vulnerability; CVE-2026-34909, a path traversal vulnerability; and CVE-2026-34910, an improper input validation flaw. The fourth is in Lantronix's EDS5000 serial-to-Ethernet servers, tracked as CVE-2025-67038, a critical-severity root-level command injection affecting the EDS5000 running firmware 2.1.0.0R3.

What Happened

CISA added the four flaws to its Known Exploited Vulnerabilities catalog on June 23, 2026, setting a deadline for federal agencies to patch the vulnerabilities by June 26, 2026.

According to CISA's Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, federal agencies have three days to apply available security updates or vendor-recommended mitigations. The directive also recommends that private organizations review the catalog and address the vulnerabilities in their infrastructure.

Background and Context

The Ubiquiti UniFi OS software is used by many businesses and enterprises for network management, while the Lantronix EDS5000 serial-to-Ethernet servers are used for remote access to serial devices. The vulnerabilities affect a wide range of hardware, including Ubiquiti's UDM, UDM-Pro, UDM-SE, UDM-Pro-Max, and UNVR, as well as Lantronix's EDS5000, EDS5016, and EDS5032 models.

The CVE-2025-67038 vulnerability in Lantronix's EDS5000 servers is particularly concerning, as it allows an attacker to inject arbitrary operating system commands that run with root privileges. An attacker who can do this has complete control of the device and can read any data it holds or take other malicious actions through it.

Why It Matters to the Industry

The vulnerabilities in Ubiquiti's UniFi OS software and Lantronix's EDS5000 servers are particularly concerning for businesses and enterprises that rely on these devices for network management and remote access. Because the vulnerabilities are being actively exploited, affected organizations need to patch their systems immediately to protect themselves from attack.

The industry should also be concerned about the potential impact of these vulnerabilities on data security and integrity. If an attacker gains control over a device, they can potentially access sensitive data and disrupt business operations. This highlights the importance of regular security updates and patches for critical infrastructure devices.

What Comes Next

CISA has set a deadline for federal agencies to patch the vulnerabilities by June 26, 2026. CISA also recommends that private organizations review the catalog and address the vulnerabilities in their infrastructure as soon as possible.

Affected organizations should take immediate action to patch their systems and protect themselves from attack. This means updating UniFi OS to version 5.0.8 or later and Lantronix EDS5000 firmware to version 2.2.0.0R1. Organizations should also restrict management access to trusted networks and monitor logs for unusual requests and for newly created or modified admin accounts.
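The two monitoring recommendations above (unusual requests against the management interface, and new admin changes) can be turned into a simple log review. The script below is an added example, not code from the article, CISA, Ubiquiti or Lantronix: the access-log and audit-event formats, endpoint paths, account names and the trusted management networks are all constructed for illustration and do not reproduce UniFi OS or EDS5000 log formats. It flags requests whose decoded path contains parent-directory segments (the shape of a path traversal attempt), requests to the management interface from outside the trusted management networks, and audit events that create or alter admin accounts.

```python
"""Review constructed management-interface log lines for the indicators the
article recommends watching: odd requests and new admin changes.

Log formats, paths, IPs and account names here are constructed for this
example and are not UniFi OS or Lantronix EDS5000 log formats."""
import ipaddress
import re
from urllib.parse import unquote

# Assumption: management access is only expected from these networks.
TRUSTED_MGMT_NETWORKS = [
    ipaddress.ip_network("10.10.0.0/24"),
    ipaddress.ip_network("192.168.100.0/24"),
]

# Constructed access-log shape: <ip> - - [<ts>] "<METHOD> <path> HTTP/1.1" <status>
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Constructed audit-event shape: <ts> AUDIT actor=<user> action=<action> target=<target>
AUDIT_RE = re.compile(
    r'^(?P<ts>\S+) AUDIT actor=(?P<actor>\S+) action=(?P<action>\S+) target=(?P<target>\S+)'
)

# Constructed action names that indicate an admin account was created or changed.
ADMIN_ACTIONS = {"admin.create", "admin.role_change", "admin.password_reset"}


def looks_like_traversal(path: str) -> bool:
    """True if the (possibly double-)URL-decoded path contains a parent-directory segment."""
    decoded = unquote(unquote(path)).replace("\\", "/")
    return "../" in decoded or decoded.endswith("/..")


def from_untrusted_network(ip: str) -> bool:
    """True if the source address is outside every trusted management network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # an unparsable source address is itself worth a look
    return not any(addr in net for net in TRUSTED_MGMT_NETWORKS)


def review(lines):
    """Return a list of (reason, line) findings for the given log lines."""
    findings = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if m:
            if looks_like_traversal(m["path"]):
                findings.append(("path traversal pattern", line))
            if from_untrusted_network(m["ip"]):
                findings.append(("management request from untrusted network", line))
            continue
        a = AUDIT_RE.match(line)
        if a and a["action"] in ADMIN_ACTIONS:
            findings.append((f"admin change: {a['action']} by {a['actor']}", line))
    return findings


# Constructed sample log: one benign request, one traversal-looking request from
# a trusted host, one login attempt from an untrusted network, one admin
# creation event and one routine device event.
SAMPLE_LOG = [
    '10.10.0.5 - - [23/Jun/2026:10:01:02 +0000] "GET /manage/dashboard HTTP/1.1" 200',
    '10.10.0.5 - - [23/Jun/2026:10:01:09 +0000] "GET /api/files/..%2F..%2Fconfig.txt HTTP/1.1" 403',
    '203.0.113.7 - - [23/Jun/2026:10:02:15 +0000] "POST /manage/login HTTP/1.1" 401',
    '2026-06-23T10:03:44Z AUDIT actor=ops-admin action=admin.create target=backup-user',
    '2026-06-23T10:04:01Z AUDIT actor=ops-admin action=device.reboot target=switch-01',
]

if __name__ == "__main__":
    for reason, line in review(SAMPLE_LOG):
        print(f"[{reason}] {line}")
```

Run against the constructed sample it reports three findings: the traversal-looking request, the login attempt from 203.0.113.7, and the admin.create event. In practice the regexes and the `ADMIN_ACTIONS` set would be adapted to the real device's log and audit formats, and the trusted-network list would mirror whatever firewall rule actually restricts management access.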

Key Facts

  • CISA added four actively exploited vulnerabilities to its Known Exploited Vulnerabilities catalog, affecting Ubiquiti UniFi OS and Lantronix EDS5000 devices.
  • The three vulnerabilities in Ubiquiti's UniFi OS software have a CVSS base score of 10.0, while the vulnerability in Lantronix's EDS5000 servers has a CVSS base score of 9.8.
  • The vulnerabilities allow an attacker to gain complete control over devices, access sensitive data, and disrupt business operations.
  • CISA set a deadline for federal agencies to patch the vulnerabilities by June 26, 2026.
  • CISA recommends that private organizations review the catalog and address the vulnerabilities in their infrastructure as soon as possible.