Emerging Threats

CISA Warns of Actively Exploited Ubiquiti Flaws

Analyst 207||Source: BleepingComputer
Ubiquiti UniFi OS device in a small business office setting with ambient daylight.

Federal agencies have three days to apply available security updates or vendor-recommended mitigations, under CISA’s BOD 26-04 directive.

CISA adds Ubiquity UniFi OS flaws to Known Exploited Vulnerabilities

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned that threat actors are actively exploiting vulnerabilities in Ubiquity UniFi OS devices. CISA added three Ubiquiti-related flaws to its catalog of Known Exploited Vulnerabilities and identified them by CVE number and effect:

  • CVE-2026-34908 — an access control bypass flaw that allows an unauthenticated attacker to make unauthorized changes to a UniFi OS system, potentially leading to full system compromise.
  • CVE-2026-34909 — a directory/path traversal vulnerability that allows an attacker to access sensitive files on the underlying operating system, potentially exposing configuration files, credentials, and other sensitive data that could facilitate account takeover.
  • CVE-2026-34910 — an improper input validation flaw that enables an attacker to inject and execute arbitrary operating system commands, potentially leading to remote code execution and complete system takeover.

According to the advisory, Ubiquiti released security updates for these three vulnerabilities in May and warned they could be exploited remotely without privileges. CISA added those CVEs to its Known Exploited Vulnerabilities list and, under BOD 26-04, directed federal agencies to apply updates or mitigations within three days.

Bishop Fox demonstrates chaining and publishes detection tooling

Security researchers at Bishop Fox later demonstrated that the three UniFi OS flaws could be chained to achieve full remote code execution with elevated privileges on vulnerable devices. Bishop Fox has also published a free detection script on GitHub intended to help defenders discover vulnerable instances in their environment.

CISA’s advisory notes that it has not shared details about observed exploitation for any of these Ubiquiti CVEs, and the “use in ransomware campaigns” classification remains “Unknown” for all three.

Lantronix EDS5000: critical root-level command injection (CVE-2025-67038)

Separately, CISA warned of exploitation of a critical vulnerability in Lantronix serial-to-ethernet servers. The issue, tracked as CVE-2025-67038, affects the EDS5000 running firmware 2.1.0.0R3 and is described as a root-level command injection in the device’s HTTP RPC module.

The vulnerability stems from the module executing a shell command to log failed authentication attempts while concatenating the supplied username directly into that shell command without proper sanitization, allowing an attacker to inject arbitrary operating system commands. Lantronix released a patch for CVE-2025-67038 and recommends users upgrade EDS5000 devices to version 2.2.0.0R1.

As with the Ubiquiti CVEs, CISA has not published details of observed exploitation for the Lantronix flaw, and the ransomware-use flag is listed as “Unknown.”

What this means for federal agencies, system administrators, and enterprise defenders

Federal agencies: under BOD 26-04, agencies must apply available updates or vendor mitigations within three days of CISA’s directive. The advisory’s addition of the Ubiquiti CVEs to the Known Exploited Vulnerabilities catalog triggers that deadline.

System administrators: administrators managing UniFi OS or Lantronix EDS5000 devices are explicitly recommended to apply the available updates and/or suggested mitigations as soon as possible. For UniFi OS, Ubiquiti issued updates in May; for EDS5000, Lantronix recommends upgrading to firmware 2.2.0.0R1.

Enterprise defenders and security teams: Bishop Fox’s chaining demonstration and its free detection script provide immediate, actionable tooling to identify vulnerable UniFi instances. CISA’s advisory also underscores that observed exploitation details remain undisclosed and that the use of these flaws in ransomware campaigns is currently unknown, meaning defenders should prioritize detection and patching even in the absence of published exploitation telemetry.

Operational risk and detection gaps

The advisory arrives against an explicit reminder in the source material about detection shortfalls: security teams log 54% of successful attacks and alert on just 14%. That statistic, cited from a Picus whitepaper included in the same reporting, frames the operational reality CISA is addressing — patches and mitigations are an immediate, tangible defense, but detection and alerting gaps can let active exploitation move “through your environment unseen.”

Practically, defenses should combine prompt patching with active scanning (including Bishop Fox’s script where applicable), monitoring for unusual command execution on devices, and prioritization of firmware updates on internet-facing and enterprise network equipment.

For the original CISA warning and full advisory, see the source: https://www.bleepingcomputer.com/news/security/cisa-warns-of-max-severity-ubiquiti-flaws-exploited-in-attacks/

CisaEmerging ThreatsFederal AgenciesKnown Exploited VulnerabilitiesAccess Control BypassUbiquitiCVE-2026-34908CVE-2026-34909Directory TraversalBOD 26-04
Related Intelligence

Continue Reading

Law enforcement officials from various agencies gather in a briefing room for a collaborative operation.

Microsoft-Led Operation Disrupts Amadey, StealC Malware Networks

In a major win for cybersecurity, a Microsoft-led operation has successfully disrupted the networks behind Amadey and StealC malware, significantly increasing friction for cybercriminals and making it harder for attacks to succeed. This collaborative effort between law enforcement and private sector partners marks a crucial step forward in the fight against cybercrime.

Analyst 207
Dimly lit workspace with scattered notes and empty coffee cups, hinting at unease.

Cordyceps Flaws Compromise 300+ GitHub Repositories

A newly discovered flaw, dubbed Cordyceps, has left over 300 GitHub repositories vulnerable to exploitation by unauthenticated users, allowing for code execution, credential theft, and supply-chain compromise. This critical weakness can be easily exploited, putting countless open-source projects at risk.

Analyst 207
A dimly lit laboratory setting with a macOS laptop displaying a terminal window amidst technical equipment and papers.

North Korea-linked Backdoor Exploits AI Triage Tools

When building AI triage tools, it's crucial to treat sample contents as potentially hostile input, not instructions, to prevent malicious manipulation. Experts warn that failing to do so can allow attackers to sneak hostile content into your model.

Analyst 207
Customer service representative on phone call at retail service desk.

Social Engineering Attacks Target Service Desks

Service desks have become a prime target for cyber attackers, who often find it easier to manipulate staff into divulging sensitive information than to crack the technology itself. In a string of recent incidents, hackers have successfully impersonated employees to gain access to internal systems, as seen in the 2025 UK attacks on major retailers like Marks & Spencer, Co-op, and Harrods.

Analyst 207