What happened
CISA warned that hackers are actively exploiting vulnerabilities affecting Ubiquiti UniFi OS and Lantronix serial-to-Ethernet servers.
The agency added three Ubiquiti UniFi OS vulnerabilities to its Known Exploited Vulnerabilities catalog. Under CISA’s BOD 26-04 directive, federal agencies have three days to apply available security updates or vendor-recommended mitigations.
The Ubiquiti vulnerabilities are tracked as CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910.
CVE-2026-34908 is an access control bypass flaw that allows an unauthenticated attacker to make unauthorized changes to a UniFi OS system. Successful exploitation could lead to full system compromise.
CVE-2026-34909 is a directory or path traversal vulnerability that allows an attacker to access sensitive files on the underlying operating system. This could expose configuration files, credentials, and other sensitive data that may support account takeover.
CVE-2026-34910 is an improper input validation flaw that allows an attacker to inject and execute arbitrary operating system commands. Successful exploitation could lead to remote code execution and complete system takeover.
Ubiquiti released security updates for the three vulnerabilities in May and warned that they could be exploited remotely without privileges.
Researchers later demonstrated that the three flaws could be chained to achieve full remote code execution with elevated privileges on vulnerable UniFi OS devices. A free detection script has also been released to help defenders identify vulnerable instances.
CISA also warned about active exploitation of CVE-2025-67038, a critical root-level command injection vulnerability affecting Lantronix EDS5000 serial-to-Ethernet servers running firmware 2.1.0.0R3.
The Lantronix flaw exists in the HTTP RPC module, which executes a shell command to log failed authentication attempts. Because the username is directly concatenated into the command without proper sanitization, an attacker can inject arbitrary operating system commands.
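The pattern described above, an untrusted username concatenated into a shell command string, is illustrated below with an added Python example. It is not Lantronix's code and does not reproduce the EDS5000 implementation; the `logger` command, the `auth` tag and the function names are assumptions for illustration. The vulnerable builder returns the string a shell would receive (it is never executed here), and a lexer that understands shell punctuation shows how a crafted username turns one command into several; the hardened builder hands the username to the program as a single argv element with no shell involved, and an allowlist rejects implausible usernames before they reach any command at all.

```python
import re
import shlex
import subprocess

# Hypothetical allowlist; the page does not state what the device accepts.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def build_log_command_vulnerable(username: str) -> str:
    """Vulnerable pattern: untrusted username concatenated into a shell string.

    A shell receiving this string interprets quotes and separators inside
    the username, which is the defect class described for the Lantronix flaw.
    The string is returned, not executed, so the demonstration stays inert.
    """
    return "logger -t auth 'failed login for user " + username + "'"


def shell_command_count(command: str) -> int:
    """Count how many commands a POSIX shell would see in `command`.

    shlex with punctuation_chars=True tokenises ';', '|' and '&' the way a
    shell does, so a correctly quoted username yields exactly one command.
    """
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    separators = {";", "&", "&&", "|", "||"}
    return 1 + sum(1 for tok in lexer if tok in separators)


def build_log_command_hardened(username: str) -> list:
    """Hardened form: an argv list executed without a shell.

    Each element reaches the program as one argument, so the username is
    plain data no matter which characters it contains.
    """
    return ["logger", "-t", "auth", "failed login for user " + username]


def is_plausible_username(username: str) -> bool:
    """Allowlist check applied before the value is used anywhere."""
    return USERNAME_RE.fullmatch(username) is not None


def log_failed_login(username: str, run=subprocess.run) -> list:
    """Defensive flow: validate, substitute a placeholder on failure, then
    execute without a shell. `run` is injectable so the function can be
    exercised without a real logger binary; the argv used is returned.
    """
    safe = username if is_plausible_username(username) else "<rejected-username>"
    argv = build_log_command_hardened(safe)
    run(argv, check=False)
    return argv


if __name__ == "__main__":
    crafted = "x'; echo INJECTED; echo 'y"   # constructed test value
    print("vulnerable string splits into",
          shell_command_count(build_log_command_vulnerable(crafted)), "commands")
    print("hardened argv:", build_log_command_hardened(crafted))
```

The two defences are independent: the argv form alone removes the injection, and the allowlist alone would have rejected the crafted value; applying both means a future refactor that reintroduces a shell does not immediately reopen the hole.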
Lantronix has released a patch and recommends upgrading affected EDS5000 devices to version 2.2.0.0R1.
CISA did not share details about the observed exploitation of any of the four vulnerabilities. The agency also marked the ransomware-use status for all four flaws as unknown.
Who is affected
Organizations using Ubiquiti UniFi OS devices are affected if they have not applied the May security updates.
The risk is especially serious for internet-exposed UniFi OS systems because the flaws can be exploited remotely without privileges and chained to achieve remote code execution with elevated privileges.
Organizations using Lantronix EDS5000 serial-to-Ethernet servers are also affected if they are running firmware version 2.1.0.0R3. These devices should be upgraded to version 2.2.0.0R1.
Federal agencies are directly affected by the CISA KEV additions because BOD 26-04 requires them to apply available updates or vendor-recommended mitigations within three days.
Why CISOs should care
This warning is important because network infrastructure and serial-to-Ethernet devices often sit close to sensitive environments. A compromise of UniFi OS devices or Lantronix servers can give attackers access to systems used for connectivity, management, monitoring, or operational support.
For CISOs, the Ubiquiti flaws are especially concerning because they can be exploited remotely without privileges and chained into full remote code execution with elevated privileges. That makes exposed devices high-priority assets for emergency patching and incident review.
The Lantronix vulnerability also deserves attention because serial-to-Ethernet servers may be deployed in industrial, facilities, healthcare, retail, or remote management environments where asset visibility is weaker than in standard IT systems.
The case reinforces a broader vulnerability management lesson: edge, networking, and infrastructure devices need the same urgency as servers and endpoints when CISA confirms active exploitation.
3 practical actions
- Patch affected Ubiquiti and Lantronix devices immediately: Ubiquiti released security updates for the UniFi OS vulnerabilities in May, and Lantronix recommends upgrading EDS5000 devices to firmware 2.2.0.0R1. Federal agencies must act within CISA’s three-day KEV remediation window.
- Identify exposed infrastructure devices: The Ubiquiti flaws can be exploited remotely without privileges. CISOs should inventory UniFi OS devices, Lantronix EDS5000 servers, and other internet-facing network appliances, then restrict external access where possible.
- Hunt for signs of compromise before and after patching: CISA confirmed active exploitation but did not release exploitation details. Security teams should review device logs, configuration changes, unexpected files, command execution traces, new accounts, and unusual network connections from affected appliances.
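As an added illustration of the log review in the last action (not part of the article, and not based on any real Lantronix log format, which the article does not give), the Python below scans constructed failed-login lines for usernames carrying shell metacharacters, the trait an attempt against the concatenation flaw described earlier would have to carry, and counts hits per source address. The line layout, field names and sample lines are assumptions; a real hunt would adapt the regular expression to the device's actual output and pair this check with the configuration, account and network reviews the action lists.

```python
import re
from collections import Counter

# Constructed sample lines. The article gives no EDS5000 log format, so this
# layout is an assumption for illustration only.
SAMPLE_AUTH_LOG = """\
2026-05-20T10:01:02Z eds5000 auth: failed login for user admin from 10.0.0.5
2026-05-20T10:01:09Z eds5000 auth: failed login for user operator from 10.0.0.5
2026-05-20T10:02:44Z eds5000 auth: failed login for user a'; echo probe; ' from 198.51.100.7
2026-05-20T10:02:45Z eds5000 auth: failed login for user $(id) from 198.51.100.7
2026-05-20T10:03:10Z eds5000 auth: failed login for user alice from 10.0.0.12
"""

# Assumed line layout: timestamp, host, fixed message, username, source address.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth: failed login for user (?P<user>.*) from (?P<src>\S+)$"
)
# Characters a POSIX shell treats specially; a legitimate username should not contain them.
SHELL_META_RE = re.compile(r"[;&|`$(){}<>\\'\"\n]")


def is_suspicious_username(user: str) -> bool:
    """True when the username could influence a shell that receives it unquoted."""
    return SHELL_META_RE.search(user) is not None


def triage_failed_logins(log_text: str) -> dict:
    """Return suspicious entries, a per-source count of them, and unparsed line count."""
    suspicious = []
    by_source = Counter()
    unparsed = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1          # surface format drift rather than silently skipping
            continue
        if is_suspicious_username(m["user"]):
            suspicious.append((m["ts"], m["user"], m["src"]))
            by_source[m["src"]] += 1
    return {"suspicious": suspicious, "by_source": by_source, "unparsed": unparsed}


if __name__ == "__main__":
    result = triage_failed_logins(SAMPLE_AUTH_LOG)
    for ts, user, src in result["suspicious"]:
        print(f"{ts} {src} username={user!r}")
    print("hits per source:", dict(result["by_source"]))
```

A hit is a reason to pull the device's full configuration and process state for that window, not proof of compromise on its own; conversely, an absence of hits says nothing if the device was never logging failed attempts or logs were rotated away.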
John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business for professional audiences.