The US Cybersecurity and Infrastructure Security Agency (CISA) has added multiple Ubiquiti UniFi OS vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, warning that at least one of the flaws is being actively exploited in the wild. The agency has ordered federal agencies to apply vendor-provided mitigations or discontinue use of affected UniFi OS products by June 26, 2026.
What Happened
CISA added four vulnerabilities to its KEV catalog: CVE-2025-67038, a code injection vulnerability in Lantronix EDS5000 servers; and three Ubiquiti UniFi OS flaws: CVE-2026-34908, an improper access control vulnerability; CVE-2026-34909, a path traversal vulnerability; and CVE-2026-34910, an improper input validation vulnerability. The agency warned that these vulnerabilities are being actively exploited in the wild.
The most critical issue is CVE-2026-34908, which allows an attacker with network access to make unauthorized changes to the system, potentially altering configurations, disabling security controls, or manipulating network behavior within affected environments. CISA notes that stakeholders must assess each asset's internet exposure and ensure updates are prioritized based on risk, especially where UniFi management interfaces are reachable from untrusted networks.
Background and Context
Ubiquiti released security updates for the three vulnerabilities in May, warning that they could be exploited remotely without privileges. Researchers at Bishop Fox later demonstrated that the three flaws could be chained to achieve full remote code execution with elevated privileges on vulnerable UniFi OS devices.
Bishop Fox has also released a free detection script on GitHub to help defenders discover vulnerable instances in their environment. The security issue exploited in Lantronix servers is tracked as CVE-2025-67038, and is a critical-severity root-level command injection affecting model EDS5000 running firmware 2.1.0.0R3.
Why it Matters to the Industry
The exploitation of these vulnerabilities could have significant consequences for adult-industry platforms and operators. If left unpatched, these flaws could allow attackers to gain unauthorized access to sensitive data, manipulate network behavior, or even take control of entire systems. The industry relies heavily on robust security measures to protect against such threats.
The use of Ubiquiti UniFi OS devices is widespread in the adult industry, particularly for managing infrastructure and centrally integrating networks. A successful compromise could allow attackers to move laterally into enterprise environments, putting sensitive data at risk. The industry must prioritize patching these vulnerabilities as soon as possible to prevent potential attacks.
What Comes Next
CISA has ordered federal agencies to apply vendor-provided mitigations or discontinue use of affected UniFi OS products by June 26, 2026. Private organizations are also urged to review the KEV catalog and address the vulnerabilities in their infrastructure. The agency recommends that stakeholders assess each asset's internet exposure and ensure updates are prioritized based on risk.
Key Facts
- CVE-2025-67038: Lantronix EDS5000 code injection vulnerability
- CVE-2026-34908: Ubiquiti UniFi OS improper access control vulnerability
- CVE-2026-34909: Ubiquiti UniFi OS path traversal vulnerability
- CVE-2026-34910: Ubiquiti UniFi OS improper input validation vulnerability
- Ubiquiti released security updates for the three vulnerabilities in May
- Bishop Fox has released a free detection script on GitHub to help defenders discover vulnerable instances
- CISA has ordered federal agencies to apply vendor-provided mitigations or discontinue use of affected UniFi OS products by June 26, 2026
