CISA warns of critical Ubiquiti flaws exploited in attacks

Summary
– CISA warns that hackers are actively exploiting flaws in Ubiquiti UniFi OS and Lantronix serial-to-ethernet servers.
– Federal agencies have three days to apply security updates or mitigations per the BOD 26-04 directive.
– Ubiquiti flaws include CVE-2026-34908 (access control bypass), CVE-2026-34909 (path traversal), and CVE-2026-34910 (command injection), which can be chained for full remote code execution.
– The critical Lantronix flaw, CVE-2025-67038, allows root-level command injection via unsanitized username input in the HTTP RPC module.
– CISA has not disclosed details of observed exploitation, and the “use in ransomware campaigns” flag is set to “Unknown” for all flaws.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning regarding active exploitation of security vulnerabilities in Ubiquiti UniFi OS and Lantronix serial-to-ethernet servers. Under the BOD 26-04 directive, federal agencies are mandated to apply available patches or implement vendor-recommended mitigations within three days.
CISA has added three specific Ubiquiti flaws to its Known Exploited Vulnerabilities catalog. The first, CVE-2026-34908, is an access control bypass that allows an unauthenticated attacker to make unauthorized system changes, potentially leading to a full system compromise. The second, CVE-2026-34909, is a directory and path traversal vulnerability enabling access to sensitive files on the underlying operating system. This could expose configuration files and credentials, facilitating account takeover. The third, CVE-2026-34910, is an improper input validation flaw that permits an attacker to inject and execute arbitrary operating system commands, resulting in remote code execution and complete system takeover.
Ubiquiti released security updates for all three vulnerabilities in May, noting they could be exploited remotely without any privileges. Researchers from Bishop Fox later demonstrated that these flaws can be chained together to achieve full remote code execution with elevated privileges on vulnerable UniFi OS devices. To assist defenders, Bishop Fox has also released a free detection script on GitHub for identifying vulnerable instances within their environments.
The exploited issue in Lantronix servers is tracked as CVE-2025-67038, a critical-severity root-level command injection affecting the EDS5000 model running firmware version 2.1.0.0R3. The vulnerability resides in the HTTP RPC module, which executes a shell command to log failed authentication attempts. The supplied username is concatenated directly into the shell command without proper sanitization, allowing an attacker to inject arbitrary operating system commands. Lantronix has released a patch and recommends upgrading to EDS5000 version 2.2.0.0R1.
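As an added illustration of the bug class described above (constructed example code, not Lantronix's firmware and not from the BleepingComputer article): the vulnerable pattern splices the username into a shell command line destined for system(), while the hardened version neutralises anything outside a conservative allowlist and writes the log record through the file API without ever invoking a shell. The function names, the allowlist and the sample username are assumptions of this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern (constructed illustration, not vendor code): the
 * username is spliced into a command line that would be handed to system(),
 * so shell metacharacters in it become part of what the shell executes. */
int build_log_cmd_unsafe(const char *user, char *cmd, size_t n)
{
    int len = snprintf(cmd, n, "logger -t httpd 'auth failed for %s'", user);
    return len > 0 && (size_t)len < n;
}

/* Detection helper: does the input contain anything a shell would interpret? */
int has_shell_metachar(const char *s)
{
    return strpbrk(s, ";|&$`\"'<>()\\\n\r") != NULL;
}

/* Hardened pattern: the failed login is still worth recording, so keep the
 * event but replace every byte outside the allowlist with '?', then build
 * the record as plain text. Returns the record length, or -1 on truncation. */
int format_auth_failure(const char *user, char *out, size_t n)
{
    char clean[65];
    size_t i;
    for (i = 0; user[i] != '\0' && i < sizeof clean - 1; i++) {
        unsigned char c = (unsigned char)user[i];
        clean[i] = (isalnum(c) || c == '.' || c == '_' || c == '-' || c == '@')
                       ? (char)c : '?';
    }
    clean[i] = '\0';
    int len = snprintf(out, n, "auth failed for %s", clean);
    return (len > 0 && (size_t)len < n) ? len : -1;
}

/* Write the sanitised record with fprintf: no shell is involved at any point. */
int log_failed_login(FILE *log, const char *user)
{
    char rec[128];
    if (format_auth_failure(user, rec, sizeof rec) < 0) return -1;
    return fprintf(log, "%s\n", rec);
}

int main(void)
{
    const char *user = "bob;ls";            /* constructed sample input */
    char cmd[160];
    build_log_cmd_unsafe(user, cmd, sizeof cmd);
    printf("unsafe command line: %s (metachar in name: %d)\n", cmd, has_shell_metachar(user));
    log_failed_login(stdout, user);
    return 0;
}
```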
CISA has not disclosed specific details about the observed exploitation of any of these four flaws, and the “use in ransomware campaigns” flag remains set to “Unknown” for all. System administrators managing these products are strongly advised to apply the available updates or suggested mitigations as soon as possible.
(Source: BleepingComputer)