The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued Binding Operational Directive 26-04, ordering federal civilian agencies to remediate four critical vulnerabilities in Ubiquiti UniFi OS and Lantronix EDS5000 devices within 72 hours. The directive follows confirmation that attackers are already exploiting these flaws in the wild, though CISA has not disclosed whether the activity is linked to ransomware campaigns or other malicious objectives. Agencies must either apply available patches or implement vendor-recommended mitigations by 27 June 2026 to comply with the directive, which was published on 24 June 2026. The move underscores the urgency of addressing these vulnerabilities, which allow unauthenticated remote attackers to compromise affected systems fully if left unpatched.
What the vulnerabilities enable
The three Ubiquiti UniFi OS vulnerabilities—CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910—can be chained to achieve remote code execution with elevated privileges. CVE-2026-34908 is an access control bypass that permits unauthorized system modifications, while CVE-2026-34909 is a directory traversal flaw enabling access to sensitive files such as configuration data and credentials. CVE-2026-34910 involves improper input validation, allowing arbitrary command injection. Ubiquiti released patches for these vulnerabilities in May 2026, warning that exploitation requires no privileges and can be executed remotely. Security firm Bishop Fox later demonstrated how the flaws could be combined to achieve full system compromise and released a detection script on GitHub to help organizations identify vulnerable instances.
The fourth vulnerability, CVE-2025-67038, affects Lantronix EDS5000 serial-to-Ethernet servers running firmware version 2.1.0.0R3. This critical-severity flaw stems from a command injection vulnerability in the HTTP RPC module, which logs failed authentication attempts by concatenating unsanitized usernames into shell commands. Attackers can exploit this to execute arbitrary operating system commands with root-level privileges. Lantronix has released a patch in firmware version 2.2.0.0R1 and urges users to upgrade immediately.
- CISA directive 26-04 requires federal agencies to remediate four vulnerabilities by 27 June 2026.
- Three Ubiquiti UniFi OS flaws (CVE-2026-34908, CVE-2026-34909, CVE-2026-34910) can be chained for full remote code execution.
- Lantronix EDS5000 vulnerability (CVE-2025-67038) allows root-level command injection via unsanitized input.
- Ubiquiti patches released in May 2026; Lantronix patch available in version 2.2.0.0R1.
- Bishop Fox provides a free detection script for Ubiquiti vulnerabilities on GitHub.
Why this matters for infrastructure operators
Ubiquiti UniFi OS is widely deployed in enterprise and data center environments for network management, while Lantronix EDS5000 devices are commonly used to connect serial-based industrial equipment to Ethernet networks. The active exploitation of these vulnerabilities poses a significant risk to organizations relying on these products, particularly those in critical infrastructure sectors where serial-to-Ethernet gateways are prevalent. The ability to execute arbitrary commands with elevated privileges could enable attackers to move laterally within networks, exfiltrate sensitive data, or deploy ransomware.
The inclusion of these vulnerabilities in CISA’s Known Exploited Vulnerabilities catalog signals their severity and the likelihood of broader targeting beyond federal agencies. Private sector organizations, especially those in industries such as manufacturing, energy, and telecommunications, should prioritize patching these flaws to prevent potential breaches. The availability of Bishop Fox’s detection script provides a practical tool for defenders to identify and remediate vulnerable Ubiquiti instances quickly.
What to watch
While CISA has not provided details on the nature of the observed exploitation, the agency’s directive suggests that the threat is credible and ongoing. Organizations should monitor for signs of compromise, such as unusual network traffic or unauthorized configuration changes, particularly in environments where Ubiquiti or Lantronix devices are deployed. Given the critical nature of these vulnerabilities, it is likely that threat actors will continue to target unpatched systems in the coming weeks. Security teams are advised to test patches in non-production environments before deploying them widely to avoid operational disruptions.
- Apply Ubiquiti and Lantronix patches immediately, prioritizing internet-facing devices.
- Use Bishop Fox’s detection script to identify vulnerable Ubiquiti instances in your environment.
- Monitor network logs for signs of exploitation, such as unexpected command execution or authentication failures.
Automated pipeline · Security
Synthesized from 1 industry feed on 24 Jun 2026. Passed independent editor verification (score 92/100) before publication. Style guide v1.3.
Sources
Decision trail
- Checking for duplicates — New story No recent or in-pipeline article covers Ubiquiti and Lantronix flaws exploited in attacks.
- Checking for duplicates — New story pre_write:; No previously published or in-pipeline article covers this Ubiquiti/Lantronix exploit campaign.
- Writing the article — Draft created article_id=234 slug=cisa-flags-critical-ubiquiti-lantronix-flaws-under-active-attack
-
Editor review — Approved
- Score: 92/100
- Factual grounding: Source 1 refers to 'Ubiquity UniFi OS' (typo in 'Ubiquiti'), but the draft uses the correct spelling 'Ubiquiti' throughout. While the correction is appropriate, the discrepancy should be noted as a minor deviation from the source text.
- Factual grounding: The draft states that CISA's directive was published on 24 June 2026, which aligns with the reference date and Source 1's publication date. However, Source 1 does not explicitly state the publication date of BOD 26-04, only that it was issued. The date is plausible but not directly confirmed in the source.
- Style compliance: The body length (680 words) is within the 300-700 word range but leans toward the upper limit. Given the complexity of the topic, this is acceptable, but the writer should ensure no padding was added to reach this length.
- No copied phrasing: The draft paraphrases effectively, but the description of the Lantronix vulnerability closely mirrors Source 1's phrasing: 'logs failed authentication attempts by concatenating unsanitized usernames into shell commands.' While the facts are correct, the structure is too similar to the source.
- Generating reader Q&A — Generated 4 items
- Assigning hero image — Reused library image reused image #19
- Linking related stories — Linked 3 relations from 187 candidates
- Publishing — Published cisa-flags-critical-ubiquiti-lantronix-flaws-under-active-attack
- Mastodon — Posted https://mstdn.social/@hostingpaper/116805886384579473
Discussion · coming soon
Be the first to join the thread when community discussion launches.