CISA is warning that hackers are actively exploiting critical flaws in Ubiquiti UniFi OS and Lantronix EDS5000 serial-to-ethernet servers, prompting urgent patching under BOD 26-04. The issues include remote code execution, access control bypass, and path traversal bugs that can lead to full system compromise and sensitive data exposure. #Ubiquiti #UniFiOS #Lantronix #EDS5000 #CVE-2026-34908 #CVE-2026-34909 #CVE-2026-34910 #CVE-2025-67038
Keypoints
- CISA added three Ubiquiti UniFi OS flaws to its Known Exploited Vulnerabilities catalog.
- The Ubiquiti bugs can enable unauthorized changes, sensitive file access, and remote code execution.
- Ubiquiti released fixes in May, and Bishop Fox later showed the flaws can be chained for full RCE.
- Lantronix EDS5000 firmware 2.1.0.0R3 is affected by CVE-2025-67038, a root-level command injection bug.
- CISA urges federal agencies and system administrators to patch or mitigate these issues immediately.