The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning of hackers actively exploiting flaws in Ubiquity UniFi OS and Lantronix serial-to-ethernet servers.
According to the BOD 26-04 directive, federal agencies have three days to apply available security updates or vendor-recommended mitigations.
The Ubiquiti flaws that CISA added to its catalog of Known Exploited Vulnerabilities are:
- CVE-2026-34908: an access control bypass flaw that allows an unauthenticated attacker to make unauthorized changes to a UniFi OS system, potentially leading to full system compromise.
- CVE-2026-34909: a directory/path traversal vulnerability that allows an attacker to access sensitive files on the underlying operating system, potentially exposing configuration files, credentials, and other sensitive data that could facilitate account takeover.
- CVE-2026-34910: an improper input validation flaw that enables an attacker to inject and execute arbitrary operating system commands, potentially leading to remote code execution and complete system takeover.
Ubiquiti released security updates for the three vulnerabilities in May, warning that they could be exploited remotely without privileges.
Researchers at Bishop Fox later demonstrated that the three flaws could be chained to achieve full remote code execution with elevated privileges on vulnerable UniFi OS devices.
Bishop Fox has also released a free detection script on GitHub to help defenders discover vulnerable instances in their environment.
The security issue exploited in Lantronix servers is tracked as CVE-2025-67038, and is a critical-severity root-level command injection affecting model EDS5000 running firmware 2.1.0.0R3.
The vulnerability exists in the HTTP RPC module, which executes a shell command to log failed authentication attempts.
The supplied username is concatenated directly into the shell command without proper sanitization, allowing an attacker to inject arbitrary operating system commands.
Lantronix released a released a patch for CVE-2025-67038 and recommends users to upgrade to EDS5000 version 2.2.0.0R1.
CISA has not shared any details about the observed exploitation of any of the four flaws, while the “use in ransomware campaigns” flag was set to “Unknown” for all of them.
System administrators managing the above products are recommended to apply the available updates and/or suggested mitigations as soon as possible.
Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.
The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.
