CISA Warns Hackers Are Actively Exploiting Severe Ubiquiti Flaws

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has placed four vulnerabilities into its Known Exploited Vulnerabilities catalog, confirming they face active exploitation in real-world attacks.

CISA adds three Ubiquiti CVEs to KEV catalog. The issues consist of CVE-2026-34908, described as an access control bypass that lets unauthenticated attackers alter a UniFi OS system without permission and potentially seize full control; CVE-2026-34909, a directory traversal vulnerability that reportedly enables attackers to read sensitive operating system files including configuration data and credentials; and CVE-2026-34910, an improper input validation flaw that permits injection of arbitrary operating system commands, which could result in remote code execution. CISA added the three Ubiquiti flaws on June 23, 2026, according to Security Affairs and SecurityWeek reporting.

Ubiquiti issued patches for the three vulnerabilities in May, stating they "could be exploited remotely without privileges." Security researchers at Bishop Fox later showed the flaws can be combined to reach full remote code execution with elevated privileges on affected UniFi OS devices. Bishop Fox has also published a free detection script on GitHub to help defenders locate vulnerable systems.

Lantronix command injection flaw also added to catalog. The remaining entry is CVE-2025-67038, a critical-severity root-level command injection impacting Lantronix EDS5000 devices on firmware 2.1.0.0R3. The weakness sits inside the HTTP RPC module, which builds a shell command to record failed login attempts by directly inserting the supplied username without adequate sanitization.

Lantronix has issued a patch for CVE-2025-67038 and advises customers to move to EDS5000 version 2.2.0.0R1. CISA has not shared any details about the observed exploitation of any of the four flaws, while the "use in ransomware campaigns" flag was set to "Unknown" for all of them.

Federal agencies face three-day patching deadline. Per the BOD 26-04 directive, federal agencies have three days to deploy available security updates or vendor-recommended mitigations. Administrators responsible for the affected Ubiquiti UniFi OS and Lantronix products should implement the fixes and workarounds immediately.

CISA continues to expand its catalog as new vulnerabilities enter active exploitation, following recent alerts on bugs in Android, Linux, Cisco Unified CM, Splunk Enterprise, and a Joomla plugin.