On June 23, 2026, the Cybersecurity and Infrastructure Security Agency (CISA) added several Ubiquiti UniFi OS and Lantronix EDS5000 flaws to its Known Exploited Vulnerabilities (KEV) catalog, mandating that Federal Civilian Executive Branch (FCEB) agencies patch them by June 26, 2026. CISA confirmed this move, driven by active exploitation of these vulnerabilities, which include an authentication gateway bypass and command injection, all carrying maximum CVSS scores of 10.0.
What Happened
On June 23, 2026, CISA updated its KEV catalog, spotlighting actively exploited flaws in Ubiquiti UniFi OS and Lantronix EDS5000 devices. The Ubiquiti additions include three critical vulnerabilities, all rated CVSS 10.0: CVE-2026-34908, an Improper Access Control flaw; CVE-2026-34909, a Path Traversal vulnerability; and CVE-2026-34910, an Improper Input Validation vulnerability.
BishopFox researchers detailed that CVE-2026-34908 and CVE-2026-34909 stem from an authentication gateway bypass, specifically how NGINX handles crafted requests. This bypass enables attackers to circumvent authentication mechanisms. Exploiting this initial bypass, CVE-2026-34910 then becomes viable, allowing command injection due to insufficient validation of package names within an update function, according to BishopFox's analysis.
Ubiquiti responded by releasing UniFi OS Server version 5.0.8 on May 21, 2026, which contains the necessary patches. The Lantronix EDS5000 addition, CVE-2025-67038, is a Code Injection vulnerability. CISA's inclusion of CVE-2025-67038 in the KEV catalog signifies active exploitation, though specific technical details for its exploitation were not immediately available.
Why It Matters
These KEV additions are critical because they signal active, in-the-wild exploitation of network infrastructure devices, which are often gateways into deeper enterprise networks. Attackers exploit UniFi OS devices to gain initial access, establish persistent footholds, and move laterally across an organization's environment. For FCEB agencies, CISA's Binding Operational Directive (BOD) 26-04 makes remediation mandatory, setting a tight deadline of June 26, 2026.
The CVSS 10.0 ratings for the Ubiquiti flaws mean they are remotely exploitable with no complex prerequisites, offering unauthenticated attackers complete control. While federal agencies have a strict mandate, CISA stresses that all organizations should prioritize KEV remediation using a risk-based vulnerability management approach. Many organizations use Ubiquiti for core network management; a compromised UniFi controller could expose everything it manages. These risks are confirmed, not theoretical; threat actors are actively exploiting them now.
Affected Scope & Remediation
Any organization running unpatched Ubiquiti UniFi OS Server prior to version 5.0.8 is exposed to critical authentication bypass, path traversal, and command injection attacks. Similarly, Lantronix EDS5000 devices affected by CVE-2025-67038 are also at risk. Patch these devices now.
Organizations should immediately apply the vendor-supplied updates. For Ubiquiti, upgrade UniFi OS Server to version 5.0.8 or newer. For Lantronix EDS5000, consult the vendor for the specific patch addressing CVE-2025-67038.
| Product | Affected Version Range | Fixed Version |
|---|---|---|
| Ubiquiti UniFi OS Server | All versions prior to 5.0.8 | 5.0.8 or later |
| Lantronix EDS5000 | All versions affected by CVE-2025-67038 | Vendor-supplied patch |
Patch Links:
- NVD Entry for CVE-2026-34908
- NVD Entry for CVE-2026-34909
- NVD Entry for CVE-2026-34910
- NVD Entry for CVE-2025-67038
- CISA KEV Catalog
Ubiquiti released patches on May 21, 2026. CISA added these to the KEV catalog on June 23, 2026, making it 33 days from patch availability to KEV inclusion. Federal agencies then have 3 days to meet the June 26, 2026, remediation deadline. For organizations where immediate patching isn't possible, consider stringent network segmentation. Limit direct external exposure of these devices and implement a zero-trust architecture. These are temporary measures.
Technical Breakdown
The Ubiquiti vulnerabilities (CVE-2026-34908, CVE-2026-34909, CVE-2026-34910) collectively present a severe attack chain. The initial vector, per BishopFox, involves an authentication gateway bypass due to the NGINX web server improperly processing specially crafted HTTP requests. This bypass alone allows an attacker with network access to effectively gain unauthorized entry. This maps to T1190 Exploit Public-Facing Application.
Once past the authentication gateway, CVE-2026-34910 comes into play. This is an Improper Input Validation vulnerability in an update function. With the initial bypass, an attacker can send malicious commands disguised as legitimate package names to the system. Because the input isn't properly sanitized or validated, the system executes these commands, leading to remote code execution or other unauthorized system changes. The ability to make unauthorized system changes, compromise accounts, and inject commands points directly to T1068 Exploitation for Privilege Escalation.
These vulnerabilities fundamentally break AC-3 Access Enforcement by allowing unauthorized access and SI-10 Information Input Validation by failing to properly sanitize user-supplied data, enabling command injection. The consequence is full compromise of the UniFi OS system.
Historical Context
Exploitation of network infrastructure devices isn't a new tactic. Attackers often target vulnerabilities in VPN appliances and firewalls as initial access points. A prime example is the series of vulnerabilities in Fortinet FortiOS, such as CVE-2022-42475 disclosed in late 2022. This critical heap-based buffer overflow in FortiOS SSL-VPN led to remote code execution. Like the Ubiquiti flaws, CVE-2022-42475 was actively exploited, targeting devices designed to manage and secure network access.
The similarity lies in the exploitation of perimeter devices to gain deep network access and facilitate lateral movement. Both situations involved vendors releasing patches, followed by CISA adding the vulnerabilities to its KEV catalog due to observed exploitation. With Ubiquiti's pervasive presence in enterprise and SMB networks, these new flaws represent a similarly broad and immediate threat.
Data at a Glance
| Metric | Value | Source |
|---|---|---|
| CVE-2026-34908 CVSS Score | 10.0 | NIST NVD |
| Days from Patch to KEV | 33 days | CISA |
| Days from KEV to Deadline | 3 days | CISA |
| Affected Ubiquiti CVEs | 3 CVEs | CISA |
| CISA KEV Addition Date | June 23, 2026 | CISA |
| CISA Mandate Deadline | June 26, 2026 | CISA |
Our Take
We've seen this play out too many times: critical network infrastructure flaws get exploited, then hit the KEV catalog, forcing an emergency patch cycle. The tight three-day turnaround for federal agencies from KEV listing to remediation deadline for these Ubiquiti and Lantronix vulnerabilities highlights how seriously CISA views active exploitation. This isn't a "monitor for updates" situation; it's a "drop everything and patch" mandate. Organizations outside the FCEB should treat this with the same urgency. Yes, CVSS 10.0. But exploitation requires network access—internal-only systems buy time, but not much.
The CVEDaily Take
The tight 3-day window for federal agencies to patch these critical Ubiquiti and Lantronix vulnerabilities from CISA's KEV listing to deadline suggests that CISA has compelling, but unreleased, intelligence about the imminence and impact of these specific exploits. The short turnaround is not merely a formality for a CVSS 10.0; it implies a specific, high-confidence threat assessment we don't often see translated directly into public deadlines this quickly. We think organizations not bound by federal directives should assume internal network segmentation might not be enough protection if these devices are internet-facing, given how fast CISA is moving.
Has your team audited the network exposure of your UniFi OS controllers and Lantronix devices since this KEV addition?
FAQ
Q: Which specific Ubiquiti UniFi OS vulnerabilities are affected?
A: CISA's KEV catalog now includes CVE-2026-34908 (Improper Access Control), CVE-2026-34909 (Path Traversal), and CVE-2026-34910 (Improper Input Validation) for Ubiquiti UniFi OS.
Q: What is the deadline for patching these vulnerabilities?
A: Federal Civilian Executive Branch agencies are mandated to remediate these vulnerabilities by June 26, 2026. All other organizations should prioritize patching immediately due to confirmed active exploitation.
Q: Does Ubiquiti provide a patch for these issues?
A: Yes, Ubiquiti released UniFi OS Server version 5.0.8 on May 21, 2026, which includes fixes for these vulnerabilities. Users should upgrade to this version or newer.
