

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning of hackers actively exploiting flaws in Ubiquiti UniFi OS and Lantronix serial-to-ethernet servers.
Under the BOD 26-04 directive, federal agencies have three days to apply available security updates or vendor-suggested mitigations.
The Ubiquiti flaws that CISA added to its catalog of Known Exploited Vulnerabilities are:
Ubiquiti released security updates for the three vulnerabilities in May, warning that they could be exploited remotely without privileges.
Researchers at Bishop Fox later demonstrated that the three flaws could be chained to achieve full remote code execution with elevated privileges on vulnerable UniFi OS devices.
Bishop Fox has also released a free detection script on GitHub to help defenders find vulnerable instances in their environment.
The security issue exploited in Lantronix servers is tracked as CVE-2025-67038, and is a critical-severity root-level command injection affecting model EDS5000 running firmware 2.1.0.0R3.
The vulnerability exists in the HTTP RPC module, which executes a shell command to log failed authentication attempts.
The supplied username is concatenated directly into the shell command without proper sanitization, allowing an attacker to inject arbitrary operating system commands.
Lantronix released a patch for CVE-2025-67038 and recommends that customers upgrade to EDS5000 version 2.2.0.0R1.
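The flaw class described above, as an added C example that is not taken from the article or from Lantronix firmware: it contrasts formatting the username into a shell command line with logging through syslog(3), where no shell is involved. The `logger` command line, the function names and the sample username are constructed assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* BEFORE (hypothetical reconstruction of the flawed pattern): the username is
 * formatted into a shell command line. This only builds the string; passing
 * it to system() or popen() is what would let the shell parse the input. */
int build_log_cmd_unsafe(char *out, size_t n, const char *user)
{
    return snprintf(out, n, "logger -t rpc 'auth failed: %s'", user);
}

/* Copy src into dst, replacing anything that is not printable ASCII, plus
 * the double quote, with '?', so a name cannot forge extra log lines or
 * break out of the quoted field. Returns the number of bytes written. */
size_t sanitize_for_log(char *dst, size_t n, const char *src)
{
    size_t i = 0;
    if (n == 0)
        return 0;
    for (; src[i] != '\0' && i + 1 < n; i++) {
        unsigned char c = (unsigned char)src[i];
        dst[i] = (isprint(c) && c != '"') ? (char)c : '?';
    }
    dst[i] = '\0';
    return i;
}

/* AFTER: log through the syslog(3) API. No shell is started, and the name is
 * passed as data to a constant format string. */
size_t log_failed_auth(const char *user)
{
    char clean[64];
    size_t len = sanitize_for_log(clean, sizeof clean, user);
    syslog(LOG_AUTH | LOG_WARNING, "auth failed for user=\"%s\"", clean);
    return len;
}

int main(void)
{
    const char *sample = "x'; id #";   /* constructed input */
    char cmd[128];
    build_log_cmd_unsafe(cmd, sizeof cmd, sample);
    printf("unsafe shell string: %s\n", cmd);
    printf("safe path logged %zu bytes\n", log_failed_auth(sample));
    return 0;
}
```

In the unsafe string the quote in the username closes the quoted argument early, so the remainder is parsed by the shell as a separate command; in the syslog path the same bytes are only ever message data.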
CISA has not shared any details about the observed exploitation of any of the four flaws, while the “use in ransomware campaigns” flag was set to “Unknown” for all of them.
System administrators managing the above products are advised to apply the available updates and/or suggested mitigations as soon as possible.
