U.S. CISA adds Ubiquiti UniFi OS and Lantronix EDS5000 plugin flaws to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Ubiquiti UniFi OS and Lantronix EDS5000 flaws to its Known Exploited Vulnerabilities catalog.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Ubiquiti UniFi OS and Lantronix EDS5000 flaws to its Known Exploited Vulnerabilities (KEV) catalog.
CISA added four CVEs to the catalog: one affecting the Lantronix EDS5000 and three affecting Ubiquiti UniFi OS.
The first flaw, tracked as CVE-2025-67038 (CVSS score: N/A), is a code injection vulnerability in the Lantronix EDS5000 (version 2.1.0.0R3). The HTTP RPC module does not sanitize the username parameter before concatenating it into a shell command used to log failed authentication attempts, so a failed login whose username carries shell metacharacters executes arbitrary OS commands with root privileges.
The second flaw, tracked as CVE-2026-34908 (CVSS Base Score: 10.0 CRITICAL), is an improper access control vulnerability in Ubiquiti UniFi OS devices. A malicious actor with network access can exploit this to make unauthorized changes to the system.
The third flaw, tracked as CVE-2026-34909 (CVSS score: N/A), involves a path traversal vulnerability impacting Ubiquiti UniFi OS. While specific NVD enrichment for this entry is limited, it is associated with the same security advisory bulletin (Security Advisory Bulletin 064) as the other UniFi OS vulnerabilities.
The fourth flaw, tracked as CVE-2026-34910 (CVSS Base Score: 10.0 CRITICAL), is an improper input validation vulnerability in UniFi OS devices. A network-adjacent malicious actor can exploit it to inject and execute commands on the device.
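The Lantronix bug above (and, in general terms, the UniFi OS command injection) follows a pattern worth seeing side by side with its fixes. The following is an added example written for this article, not code from Lantronix, Ubiquiti, or the advisories: the logging command, the usernames, and the helper names are constructed assumptions that mirror the description of CVE-2025-67038, not the real EDS5000 code. It builds the shell string the way a vulnerable logger would, counts how many commands a POSIX shell would actually run, and shows the two standard fixes: quoting with shlex.quote() when a shell string is unavoidable, and passing an argv list so no shell is involved at all.

```python
import shlex

# Constructed sample input (not taken from the Lantronix advisory): a benign username
# and one that closes the developer's single quotes and appends its own commands.
BENIGN_USER = "alice"
MALICIOUS_USER = "alice'; id > /tmp/pwned; echo '"

# Tokens that make a POSIX shell start a second command.
COMMAND_SEPARATORS = {";", "&", "&&", "|", "||"}


def vulnerable_log_command(username: str) -> str:
    """Bug pattern from the advisory text: untrusted input pasted into a shell string.
    The single quotes are the only protection; a quote in the username ends them."""
    return "logger -t auth 'failed login for user " + username + "'"


def quoted_log_command(username: str) -> str:
    """Hardened variant when a shell string is unavoidable: shlex.quote() turns the
    whole message into one shell word, whatever characters the username contains."""
    return "logger -t auth " + shlex.quote("failed login for user " + username)


def safe_log_argv(username: str) -> list:
    """Preferred fix: no shell at all. Each list element reaches execve() as one argv
    entry (subprocess.run(argv) without shell=True), so metacharacters are plain data."""
    return ["logger", "-t", "auth", "failed login for user " + username]


def shell_command_count(command: str) -> int:
    """Tokenise the string the way a POSIX shell would (quotes respected, punctuation
    split out) and count separate commands. Anything above 1 means the input escaped
    its quoting."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    return 1 + sum(1 for token in lexer if token in COMMAND_SEPARATORS)


def injected(username: str) -> bool:
    """Detection helper: does this username turn the vulnerable command into more
    than one shell command?"""
    return shell_command_count(vulnerable_log_command(username)) > 1


if __name__ == "__main__":
    for user in (BENIGN_USER, MALICIOUS_USER):
        cmd = vulnerable_log_command(user)
        print(f"{user!r}")
        print(f"  vulnerable: {shell_command_count(cmd)} command(s): {cmd}")
        print(f"  quoted:     {shell_command_count(quoted_log_command(user))} command(s)")
        print(f"  argv:       {safe_log_argv(user)}")
```

Running it shows the benign username yields one command in every form, while the malicious username turns the vulnerable string into three commands (logger, id, echo) but stays a single command under shlex.quote() and a single argv entry under the no-shell form. The same tokeniser can be pointed at captured request logs to flag usernames that would have split the command.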
Under Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, Federal Civilian Executive Branch (FCEB) agencies must remediate the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.
Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.
CISA orders federal agencies to urgently fix the vulnerabilities by June 26, 2026.
Pierluigi Paganini
(SecurityAffairs – hacking, CISA)

