CISA Adds Critical Ubiquiti and Lantronix Vulnerabilities to KEV Catalog
Two vendors, four exploited flaws, one short federal deadline — CISA's latest KEV additions hand defender teams a concentrated patch-verification job across UniFi OS and Lantronix edge-server fleets this week.
Key Takeaways
|
Two vendors, four exploited flaws, one short federal deadline — CISA's latest KEV additions hand defender teams a concentrated patch-verification job across UniFi OS and Lantronix edge-server fleets this week.
WASHINGTON — The U.S. Cybersecurity and Infrastructure Security Agency on June 23, 2026 added four actively exploited vulnerabilities to its Known Exploited Vulnerabilities catalog, drawn from two unrelated vendors but landing on defender teams as a single, time-boxed patch-verification problem. Three of the additions are maximum-severity flaws in Ubiquiti's UniFi OS — the operating system behind the company's widely deployed gateways, network controllers, and storage appliances — and the fourth is a critical code-injection bug in Lantronix's EDS5000 device-networking server. CISA set a remediation deadline of June 26, 2026 for federal civilian agencies under Binding Operational Directive 26-04.
The two listings are distinct and worth separating cleanly. The Ubiquiti additions cover CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910, each rated CVSS 10.0, and were patched by the vendor on May 22, 2026. The Lantronix addition is CVE-2025-67038, a CVSS 9.8 code-injection flaw in the EDS5000 fixed in firmware version 2.2.0.0R1. A KEV listing is not a new disclosure so much as a confirmation signal — CISA adds an entry only when it has evidence of active exploitation, which turns each of these from a routine patch-management item into a priority cycle with a federal clock attached.
| At a Glance | |
|---|---|
| Field | Details |
| Ubiquiti CVEs | CVE-2026-34908, CVE-2026-34909, CVE-2026-34910 |
| Lantronix CVE | CVE-2025-67038 |
| Products | Ubiquiti UniFi OS (gateways, controllers, NVR/NAS appliances); Lantronix EDS5000 device server |
| Severity | Ubiquiti: CVSS 10.0 (each); Lantronix: CVSS 9.8 |
| Affected | UniFi OS Server below 5.0.8 and related device firmware; Lantronix EDS5000 2.1.0.0R3 |
| Fixed in | UniFi OS Server 5.0.8+ (device firmware 5.1.12+, UniFi Express 4.0.14+, UNAS 5.1.10+); Lantronix EDS5000 2.2.0.0R1 |
| KEV deadline | June 26, 2026 (BOD 26-04) |
| Status | Actively exploited; added to KEV June 23, 2026 |
What CISA Added
CISA's June 23, 2026 catalog update folds in four entries spanning two vendors. On the Ubiquiti side, the agency listed CVE-2026-34908, an improper access control flaw; CVE-2026-34909, a path traversal flaw; and CVE-2026-34910, an improper input validation flaw. All three carry a CVSS 3.1 base score of 10.0, the maximum, with HackerOne acting as the CVE Numbering Authority. According to vendor and researcher write-ups, the access-control and path-traversal flaws can be combined to bypass authentication, after which the input-validation flaw allows operating-system command injection — a chain that yields unauthenticated remote code execution against a reachable UniFi OS instance.
The fourth entry, CVE-2025-67038, is unrelated to Ubiquiti and sits in Lantronix's EDS5000 device-networking server. It is a code-injection vulnerability rated CVSS 9.8. The flaw lives in the device's HTTP RPC module, which runs a shell command to log failed authentication attempts; because the supplied username is concatenated directly into that command without sanitization, an attacker can inject arbitrary OS commands that execute with root privileges. Lantronix addressed it, along with several related issues, in firmware version 2.2.0.0R1.
The common thread is not a shared codebase but a shared status: CISA adds a vulnerability to the KEV catalog only when it has reliable evidence of active, in-the-wild exploitation. All four flaws met that bar, which is why they arrived together with a single federal remediation deadline of June 26, 2026 under Binding Operational Directive 26-04. For agencies and the many private-sector teams that track KEV as a de facto priority list, the practical effect is the same regardless of vendor: confirm exposure, then confirm remediation, fast.
Why Ubiquiti Deployments Matter to Defender Teams
UniFi OS is the platform underneath a broad family of Ubiquiti hardware — gateways and security gateways, network controllers, and the company's network video recorder and network-attached storage appliances — and it is heavily represented in small and mid-sized organizations, branch offices, managed-service-provider fleets, and home-office setups that quietly anchor corporate access. That ubiquity is precisely what makes a CVSS 10.0 chain consequential: the affected devices frequently sit at the network edge, terminate remote access, and hold or broker credentials, so a full takeover is rarely contained to the device itself.
The exploit preconditions sharpen the concern. Because the chain begins with an authentication bypass and ends in command injection, the usual friction point — needing valid credentials first — is absent, which lowers the bar for opportunistic scanning once exploitation is confirmed and details circulate. Edge and gateway devices have repeatedly proven attractive for exactly this reason, and KEV additions across the network-infrastructure category have become a recurring fixture of CISA's federal patch mandates.
For defender teams, the first task is scoping. Ubiquiti's fixes span several product lines and version trains, so a single representative build does not speak for the whole estate. The vendor's guidance is to move UniFi OS Server installations to 5.0.8 or later, and to update affected appliance firmware to the corresponding fixed releases — reported as 5.1.12 or later for the gateway and recorder families, 4.0.14 or later for UniFi Express, and 5.1.10 or later for UNAS storage. Mapping each deployed device to its correct fixed train, rather than assuming uniformity, is where the verification work actually lives.
Lantronix EDS5000 in Industrial-Context Deployments
The Lantronix EDS5000 belongs to a different corner of the network than UniFi OS, but one that defender teams overlook at their peril. Device-networking servers like the EDS5000 bridge legacy serial equipment to IP networks, giving administrators remote management over industrial controllers, building-automation systems, point-of-sale hardware, medical devices, and other gear that was never designed to face a network directly. They are, in effect, the connective tissue that puts otherwise air-gapped equipment within reach of a management plane.
That role is what makes CVE-2025-67038 worth separating from the Ubiquiti additions rather than lumping them together. A root-level command-injection flaw on a serial-to-IP bridge does not just compromise the bridge; it can hand an attacker a foothold adjacent to operational-technology and other sensitive segments that the device was deployed to reach. The mechanism here is mundane and instructive — an unsanitized username field that flows into a shell command used merely to log failed logins — which is a reminder that the exposure-creating bug is often in plumbing, not in the headline feature.
Remediation is firmware 2.2.0.0R1, which also resolves several related EDS5000 issues. The harder part for many operators is discovery: device-networking servers tend to be installed once and forgotten, and they may not appear in the same asset inventories that track laptops and servers. Teams responsible for industrial and infrastructure environments should treat this KEV entry as a prompt to confirm whether any EDS5000 units are deployed at all, where they sit relative to sensitive segments, and whether they are reachable from networks that do not strictly need access to them.
Patch Verification Across Affected Environments
With two vendors and four CVEs sharing one deadline, the defender workflow is less about a single upgrade and more about disciplined verification across two distinct fleets. The starting point is inventory: identify every UniFi OS device and every Lantronix EDS5000 in the environment, including the ones managed by service providers, deployed in branch locations, or installed years ago and never revisited. KEV's value is that it tells teams which flaws are being used now; that signal is only actionable if the asset picture is complete.
For the Ubiquiti side, verification means more than confirming that an update ran. Teams should map each device against its correct fixed train and confirm the post-update build, because the fixed versions differ across UniFi OS Server, the gateway and recorder firmware family, UniFi Express, and UNAS. It is also a moment to revisit exposure: whether the UniFi OS management interface needs to be reachable from the networks it is currently reachable from, and whether remote-access pathways into these gateways are restricted to the segments that genuinely require them. The patch closes the specific chain; the network posture determines how much room the next edge-device flaw will have.
For the Lantronix side, verification is firmware 2.2.0.0R1 plus a hard look at network placement, since the device's whole purpose is to bridge segments that are usually kept apart. Across both vendors, the through-line is that a KEV addition is a verification trigger, not just a patch notice: confirm the fix is applied, confirm it is applied everywhere, and confirm that the device's reachability matches its actual need — the same discipline The CyberSignal has tracked through earlier KEV plugin-RCE additions this year.
Open Questions
Several details remain less than fully public. CISA's KEV listings confirm active exploitation but, by design, say little about who is exploiting the flaws, at what scale, or to what end; the agency's evidentiary bar is exploitation itself, not attribution. For the Ubiquiti chain in particular, the gap between the May 22 patch and the June 23 KEV addition leaves open how widely the flaws were exploited in that window, and how many internet-reachable UniFi OS devices remained unpatched when CISA acted.
The Lantronix entry raises its own open questions. Device-networking servers are notoriously under-inventoried, so the true population of exposed EDS5000 units — and the sensitivity of what sits behind them — is hard to estimate from the outside. The headline risk is not the bridge but the operational and legacy equipment it was deployed to reach, and that downstream exposure is exactly what public reporting cannot easily quantify.
What is confirmed is enough to act on without waiting for those answers. Four actively exploited vulnerabilities across two vendors, three of them at the maximum CVSS severity, with fixed builds available and a June 26 federal deadline, add up to a concentrated verification cycle rather than a wait-and-see situation. The prudent reading is to treat the KEV additions as a trigger to inventory both fleets, confirm fixed builds everywhere, and tighten the reachability of edge and bridging devices — the durable controls that outlast any single CVE.
