
Security researchers have uncovered a wave of critical flaws affecting Lantronix equipment and Ubiquiti UniFi OS devices, while a separate glitch in legacy Outlook for Mac strips the original message from replies and forwards, as detailed in a recent report.
The Lantronix issue is tracked as CVE-2025-67038, a code injection vulnerability in the EDS5000 series with a CVSS score of 9.8 that lets attackers execute arbitrary commands on the device.
Four UniFi OS flaws have been identified: CVE-2026-34910 concerns improper input validation, CVE-2026-34909 involves a path traversal weakness, CVE-2026-34908 is an improper access control bypass and CVE-2026-40624, also rated CVSS 9.8, stems from improper input validation in AVer PTC500S cameras; the first three UniFi OS bugs each carry a maximum CVSS rating of 10.
CISA has added CVE-2026-34908, CVE-2026-34909, CVE-2026-34910 and CVE-2025-67038 to its Known Exploited Vulnerabilities catalogue, confirming active exploitation in the wild, as noted in CISA's advisory; no specific threat actor has been publicly linked to these vulnerabilities.
In parallel, Microsoft has acknowledged that legacy Outlook for Mac version 16.110.2606.1317 fails to include the original message body when users reply to or forward an email, a problem that disappears when using the newer Outlook interface or reverting to build 16.109.3, according to Microsoft's support page.
Defenders should apply any available firmware updates for Lantronix EDS5000 and UniFi OS devices, isolate affected equipment from untrusted networks and review logs for unusual administrative changes; for the Outlook Mac issue, either upgrade to the latest build that restores normal behaviour or switch to the modern client while awaiting a permanent fix, as outlined in the Outlook glitch report.