The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning about active exploitation of multiple critical vulnerabilities affecting Ubiquiti UniFi OS and Lantronix EDS5000 serial-to-ethernet devices. Under Binding Operational Directive (BOD) 26-04, federal agencies are required to apply vendor patches or mitigations within three days to reduce exposure to ongoing attacks.
The affected Ubiquiti vulnerabilities—CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910—include an access control bypass, a directory traversal flaw, and improper input validation that can be chained together to achieve full remote code execution. Security researchers, including Bishop Fox, have demonstrated that successful exploitation could allow unauthenticated attackers to gain complete control over vulnerable UniFi OS systems, exposing sensitive configuration data and enabling system-wide compromise. Ubiquiti addressed the issues in a May 2026 security update, but exploitation in the wild has prompted renewed urgency from federal cybersecurity authorities.
Alongside the Ubiquiti warnings, CISA has also added Lantronix CVE-2025-67038 to its Known Exploited Vulnerabilities catalog. The flaw affects EDS5000 devices and stems from unsafe command construction in an HTTP RPC logging component, where unsanitized input can be used to inject arbitrary operating system commands. This vulnerability enables root-level command execution and full device compromise. Lantronix has issued patches and recommends upgrading affected systems to version 2.2.0.0R1.
While CISA has not disclosed specific threat actor activity or attribution, it confirmed that both sets of vulnerabilities are being actively exploited in real-world environments. The agency has not yet classified the activity as linked to ransomware campaigns, but the severity of the flaws and their use in internet-facing infrastructure has raised concerns about their potential use in broader intrusion and lateral movement operations.
Security experts urge system administrators to prioritize immediate patching, particularly for internet-exposed devices, and to deploy vendor-recommended mitigations where updates cannot be applied. The incident underscores the persistent risk posed by edge-network appliances, which continue to serve as high-value targets for attackers seeking initial access into enterprise and government networks.
