general · BleepingComputer
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned of active exploitation of multiple maximum-severity flaws in Ubiquiti UniFi OS and Lantronix serial-to-ethernet servers. Three Ubiquiti vulnerabilities (CVE-2026-34908, CVE-2026-34909, CVE-2026-34910) allow unauthenticated remote attackers to bypass access controls, traverse directories to access sensitive files, and execute arbitrary operating system commands, potentially leading to full system compromise. Researchers demonstrated these flaws can be chained together. A fourth vulnerability in Lantronix EDS5000 firmware (CVE-2025-67038) is a command injection flaw in the HTTP RPC module. Ubiquiti released patches in May; Lantronix released updates and recommends upgrading to version 2.2.0.0R1. CISA has not disclosed details about observed active exploitation but has added these to its Known Exploited Vulnerabilities catalog, requiring federal agencies to patch or mitigate within three days.
Defense contractors managing network infrastructure with Ubiquiti or Lantronix devices face immediate compliance exposure under CMMC and NIST 800-171 requirements, which mandate timely patching of known critical flaws. SaaS and healthcare providers relying on these network appliances should inventory their deployments and assess SOC2 Type II and HIPAA control gaps if patches are delayed. Organizations in regulated industries must prioritize these updates to maintain audit readiness and avoid control deficiencies. An Omniware engagement can help map your network asset inventory to vulnerability timelines and identify prioritization strategies aligned with your compliance obligations.
Source: BleepingComputer - https://www.bleepingcomputer.com/news/security/cisa-warns-of-max-severity-ubiquiti-flaws-exploited-in-attacks/
Source: BleepingComputer
All briefings