CISA adds exploited Ubiquiti and Lantronix vulnerabilities to KEV catalog

vulnerability | open | Jun 23, 2026 - Jun 24, 2026

On 23 June 2026, the U.S. Cybersecurity and Infrastructure Security Agency added four vulnerabilities to its Known Exploited Vulnerabilities catalog after confirming they are being used in active attacks against network equipment, according to its advisory. The flaws affect Ubiquiti UniFi OS and Lantronix EDS5000 devices and have already been used in the wild to create unauthorised administrative access. By publishing the KEV entries, CISA signals that federal civilian agencies must treat these issues as priorities for remediation. The advisory links the vulnerabilities to specific CVE identifiers and includes CVSS scores that reflect their severe impact.

The three Ubiquiti flaws are tracked as CVE-2026-34908, CVE-2026-34909 and CVE-2026-34910, each rated CVSS 10.0 and involving improper access control, path traversal and command injection respectively, as reported by SecurityWeek. CVE-2026-34908 allows an attacker to bypass authentication and modify system settings without permission. CVE-2026-34909 can be exploited through a crafted request that traverses directory structures to access sensitive files. CVE-2026-34910 enables the execution of arbitrary commands via a specially formed input field. The Lantronix issue, CVE-2025-67038, carries a CVSS score of 9.8 and stems from insufficient username sanitisation that permits arbitrary command execution with root privileges, according to SecurityAffairs.

Although patches for all four CVEs were released the previous month, attackers have already weaponised them to inject malicious commands and establish rogue administrator accounts on compromised devices, as noted by SecurityOnline.info. The exploitation chain allows unauthenticated users to bypass authentication, execute arbitrary code and maintain persistent access to the affected hardware. Security researchers have observed the creation of hidden admin accounts that survive reboot and facilitate further lateral movement. These activities were detected in the wild shortly after the patches became public, indicating a short window for defenders to act.

CISA has not attributed the activity to any specific threat group but warns that the vulnerabilities are being exploited in the wild and therefore pose an immediate risk to federal civilian networks, per the agency’s alert. The addition to the KEV catalog triggers a binding directive for agencies to apply mitigations within the prescribed timeframe, typically within three weeks of publication. Federal departments are required to report their compliance status to the agency’s cyber hygiene dashboard. Failure to meet the deadline may result in heightened scrutiny during audits.

Defenders should prioritise installing the latest firmware from Ubiquiti and Lantronix, disable any unnecessary management interfaces and segment device management networks from untrusted segments. Administrators are advised to review authentication logs for unexpected privileged sessions, enforce multi‑factor authentication where supported and remove any unknown administrator accounts discovered during audits.

Additionally, network intrusion detection signatures should be updated to look for the specific command injection patterns associated with these CVEs. Regular configuration reviews can help ensure that default credentials are not left in place and that least privilege principles are applied to all user accounts.

Maintaining an up‑to‑date inventory of all UniFi OS and Lantronix EDS5000 units, subscribing to vendor security notifications and validating patches in an isolated test environment before deployment will help reduce exposure to similar flaws in the future. Organisations are also encouraged to share indicators of compromise with trusted information sharing and analysis centres to improve collective defence. By treating the KEV listing as a call to action, network operators can close the current gap and harden their infrastructure against follow‑on exploits.
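One way to act on the inventory and KEV deadline points above, as an added example that is not code from CISA, the vendors or the cited outlets: it matches a KEV-style feed against an asset inventory and ranks unpatched devices by remediation deadline. The feed field names follow CISA's published KEV JSON; the host names, the `patched` flag and the 21-day fallback (taken from the "typically within three weeks" statement above) are assumptions.

```python
import json
from datetime import date, timedelta

# Constructed sample shaped like CISA's KEV JSON feed, reduced to the fields used
# here. CVE ids, products and the date added are the ones stated in the article.
KEV_FEED = json.loads("""{"vulnerabilities": [
  {"cveID": "CVE-2026-34908", "vendorProject": "Ubiquiti", "product": "UniFi OS", "dateAdded": "2026-06-23"},
  {"cveID": "CVE-2026-34909", "vendorProject": "Ubiquiti", "product": "UniFi OS", "dateAdded": "2026-06-23"},
  {"cveID": "CVE-2026-34910", "vendorProject": "Ubiquiti", "product": "UniFi OS", "dateAdded": "2026-06-23"},
  {"cveID": "CVE-2025-67038", "vendorProject": "Lantronix", "product": "EDS5000", "dateAdded": "2026-06-23"}
]}""")

# Constructed inventory; host names and the "patched" flag are hypothetical fields
# an operator would fill in from their own asset records.
INVENTORY = [
    {"host": "udm-hq-01", "vendor": "Ubiquiti", "product": "UniFi OS", "patched": False},
    {"host": "udm-lab-02", "vendor": "ubiquiti", "product": "unifi os", "patched": True},
    {"host": "eds-plant-07", "vendor": "Lantronix", "product": "EDS5000", "patched": False},
    {"host": "sw-core-01", "vendor": "ExampleVendor", "product": "ExampleSwitch", "patched": False},
]

def _key(vendor, product):
    # Normalise case and whitespace so "ubiquiti"/"Ubiquiti" compare equal.
    return (vendor.strip().casefold(), product.strip().casefold())

def kev_exposure(feed, inventory, today, window_days=21):
    """Return unpatched assets that match a KEV entry, earliest deadline first."""
    by_product = {}
    for v in feed["vulnerabilities"]:
        # Prefer the feed's own dueDate; otherwise assume the three-week window.
        due = (date.fromisoformat(v["dueDate"]) if v.get("dueDate")
               else date.fromisoformat(v["dateAdded"]) + timedelta(days=window_days))
        by_product.setdefault(_key(v["vendorProject"], v["product"]), []).append((v["cveID"], due))
    findings = []
    for asset in inventory:
        hits = by_product.get(_key(asset["vendor"], asset["product"]), [])
        if not hits or asset["patched"]:
            continue
        due = min(d for _, d in hits)  # the earliest deadline governs the asset
        findings.append({"host": asset["host"], "cves": sorted(c for c, _ in hits),
                         "due": due, "days_left": (due - today).days, "overdue": today > due})
    return sorted(findings, key=lambda f: (f["due"], f["host"]))

if __name__ == "__main__":
    for f in kev_exposure(KEV_FEED, INVENTORY, today=date(2026, 6, 24)):
        print(f["host"], f["due"], f["days_left"], ", ".join(f["cves"]))
```
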

Intelligence briefing updated Jun 24, 2026

CVE-2026-34908 10.0 KEV
CVE-2026-34909 10.0 KEV
CVE-2026-34910 10.0 KEV
CVE-2025-67038 9.8 KEV
CVE-2026-40624 9.8

Root source: www.cisa.gov