CISA warns of maximum-severity Ubiquiti flaws under active attack

CISA is warning that hackers are actively exploiting critical vulnerabilities in Ubiquiti UniFi OS devices and Lantronix serial-to-ethernet servers, giving federal agencies just three days to patch.

The U.S. Cybersecurity and Infrastructure Security Agency added three Ubiquiti flaws to its Known Exploited Vulnerabilities catalog alongside a separate Lantronix bug. All four are being exploited in the wild.

The Ubiquiti vulnerabilities, patched in May, are:

  • CVE-2026-34908 — An access control bypass that allows unauthenticated attackers to make unauthorized changes to a UniFi OS system, potentially leading to full compromise.
  • CVE-2026-34909 — A directory traversal vulnerability that lets attackers access sensitive files on the underlying OS, including configuration files and credentials.
  • CVE-2026-34910 — Improper input validation that enables arbitrary OS command injection, giving attackers remote code execution and full system takeover.

Researchers at Bishop Fox demonstrated that the three flaws can be chained together to achieve full remote code execution with root privileges on vulnerable UniFi OS devices. They also released a free detection script on GitHub to help defenders find exposed instances.

The Lantronix vulnerability, CVE-2025-67038, is a critical root-level command injection in the EDS5000 series (firmware 2.1.0.0R3). The bug sits in the HTTP RPC module, where a caller-supplied username is concatenated directly into a shell command without sanitization, so an attacker can terminate the intended command and append arbitrary commands that run as root. Lantronix patched it in firmware version 2.2.0.0R1.
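The following C snippet is an added illustration of the bug class described above, not Lantronix's code: it builds the same kind of shell command line from an untrusted username, shows why quoting alone does not stop the injection, and sets the vulnerable pattern beside two hardened alternatives (a strict allowlist and an argv-based invocation that never involves a shell). The helper path `/sbin/check_user`, the function names, and the attacker input are all constructed for the example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_USERNAME 32

/*
 * VULNERABLE pattern (illustrative, not the Lantronix source): the username
 * taken from the HTTP RPC request is dropped straight into a shell command
 * string. Wrapping it in single quotes does not help, because the attacker
 * simply closes the quote and starts a new command.
 * "/sbin/check_user" is a hypothetical helper binary.
 */
int build_auth_cmd_vulnerable(const char *username, char *out, size_t out_len)
{
    int n = snprintf(out, out_len, "/sbin/check_user '%s'", username);
    if (n < 0 || (size_t)n >= out_len)
        return -1;            /* truncated: caller must not run it */
    return 0;                 /* the vulnerable code would now call system(out) */
}

/*
 * HARDENED step 1: strict allowlist on the untrusted field. Anything that is
 * not [A-Za-z0-9._-], is empty, or exceeds MAX_USERNAME is rejected before it
 * can reach any command.
 */
bool username_is_safe(const char *username)
{
    if (username == NULL)
        return false;
    size_t len = strlen(username);
    if (len == 0 || len > MAX_USERNAME)
        return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)username[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-'))
            return false;
    }
    return true;
}

/*
 * HARDENED step 2: do not build a shell command line at all. Pass the value as
 * its own argv element to execv/posix_spawn (execv takes char *const argv[],
 * so cast at the call site); the program receives it as one argument and no
 * shell ever parses it. Returns the number of argv entries written (excluding
 * the NULL terminator), or -1 on rejection.
 */
int build_auth_argv(const char *username, const char *argv[], size_t argv_max)
{
    if (argv_max < 3 || !username_is_safe(username))
        return -1;
    argv[0] = "/sbin/check_user";   /* hypothetical helper binary */
    argv[1] = username;             /* single argument, metacharacters inert */
    argv[2] = NULL;
    return 2;
}

/* True when a POSIX shell would see a command separator in the built line. */
bool cmd_has_injection(const char *cmd)
{
    return strpbrk(cmd, ";|&`$\n") != NULL;
}

int main(void)
{
    const char *payload = "admin'; id; '";      /* constructed attacker input */
    char cmd[256];

    build_auth_cmd_vulnerable(payload, cmd, sizeof cmd);
    printf("vulnerable line: %s  (injected: %s)\n", cmd,
           cmd_has_injection(cmd) ? "yes" : "no");
    printf("allowlist accepts payload: %s\n",
           username_is_safe(payload) ? "yes" : "no");
    return 0;
}
```

The allowlist is the cheap fix to backport into existing firmware; the argv form is the structural fix, because it removes the shell from the path entirely and so does not depend on the allowlist staying complete.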

CISA has not disclosed details about the observed exploitation or confirmed whether any of these flaws have been used in ransomware campaigns.

System administrators running Ubiquiti UniFi OS or Lantronix EDS5000 devices should apply the available updates immediately and confirm that the devices' management interfaces are not reachable from the internet.