Back to Intelligence

CISA KEV Alert: Actively Exploited Flaws in Lantronix EDS5000 and Ubiquiti UniFi OS

SA
Security Arsenal Team
June 24, 2026
6 min read

On June 23, 2026, CISA added four new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, signaling a shift from theoretical risk to active exploitation. The additions include a critical code injection vulnerability in Lantronix EDS5000 terminal servers (CVE-2025-67038) and a trio of flaws affecting Ubiquiti UniFi OS (CVE-2026-34908, CVE-2026-34909, CVE-2026-34910).

Under Binding Operational Directive (BOD) 26-04, Federal Civilian Executive Branch (FCEB) agencies are required to remediate these vulnerabilities by the due dates. However, the implications extend far beyond the federal government. These devices are staples in edge computing, managed service providers (MSPs), and operational technology (OT) environments. The presence of these flaws in the KEV catalog confirms that threat actors are actively scanning for and compromising these systems to establish footholds in networks.

Technical Analysis

Lantronix EDS5000 Code Injection (CVE-2025-67038)

Affected Product: Lantronix EDS5000 Series (Terminal Servers / Device Servers).

Vulnerability Class: Code Injection / Improper Neutralization of Special Elements.

Technical Breakdown: This vulnerability allows an authenticated or unauthenticated attacker (depending on specific configuration exposure) to inject arbitrary code. In terminal server environments, these devices bridge serial legacy equipment to modern Ethernet networks. Successful exploitation of CVE-2025-67038 typically allows an attacker to execute commands with the privileges of the underlying web service or root context on the embedded OS. This provides a pivot point into the OT network or allows the device to act as a C2 beacon.

Exploitation Status: Confirmed Active Exploitation. Added to CISA KEV on 2026/06/23.

Ubiquiti UniFi OS Flaws (CVE-2026-34908, CVE-2026-34909, CVE-2026-34910)

Affected Product: UniFi OS (Commonly running on Dream Machine, Dream Router, Cloud Keys).

Vulnerability Classes:

  • CVE-2026-34908: Improper Access Control.
  • CVE-2026-34909: Path Traversal.
  • CVE-2026-34910: Improper Input Validation.

Technical Breakdown: These vulnerabilities represent a classic web application attack chain.

  1. Path Traversal (CVE-2026-34909): Attackers use sequences like ../ to access files or directories outside the web root.
  2. Improper Input Validation (CVE-2026-34910): The application fails to sanitize user input, allowing for the manipulation of backend commands or queries.
  3. Improper Access Control (CVE-2026-34908): The application does not properly verify authorization, potentially allowing the chained exploits to access protected endpoints.

Chained together, these flaws can lead to Remote Code Execution (RCE) or credential theft from the device's configuration. Since UniFi controllers often manage wide-area network policies and hold privileged credentials, a compromise here grants significant control over the network edge.

Exploitation Status: Confirmed Active Exploitation. Added to CISA KEV on 2026/06/23.

Detection & Response

Defenders must assume that scans for these specific vulnerabilities are already occurring against external-facing IPs. The following detection logic focuses on identifying successful exploitation attempts and anomalous behavior associated with these devices.

SIGMA Rules

YAML
---
title: Potential Ubiquiti UniFi OS Path Traversal Exploitation
id: 8d4f1a2b-3c5e-4f6d-9b1a-2c3d4e5f6a7b
status: experimental
description: Detects potential path traversal attempts against UniFi OS management interfaces often associated with CVE-2026-34909.
references:
  - https://www.cisa.gov/news-events/alerts/2026/06/23/cisa-adds-four-known-exploited-vulnerabilities-catalog
author: Security Arsenal
date: 2026/06/24
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
  product: apache
detection:
  selection:
    c_uri|contains:
      - '../'
      - '%2e%2e'
      - '..%2f'
    c_hostname|contains:
      - 'unifi'
      - 'ubiquiti'
  condition: selection
falsepositives:
  - Scans from vulnerability scanners
level: high
---
title: Lantronix EDS5000 Suspicious Command Execution
id: 9e5g2b3c-4d6f-5g7e-0c2d-3e4f5a6b7c8d
status: experimental
description: Detects potential code exploitation patterns on Lantronix EDS5000 web interfaces based on URI structure and command anomalies.
references:
  - https://www.cisa.gov/news-events/alerts/2026/06/23/cisa-adds-four-known-exploited-vulnerabilities-catalog
author: Security Arsenal
date: 2026/06/24
tags:
  - attack.execution
  - attack.t1059
logsource:
  category: webserver
  product: web
detection:
  selection_uri:
    c_uri|contains:
      - '/port_
      - '/forms/'
  selection_cmd:
    cs_uri_query|contains:
      - 'cmd='
      - 'exec'
      - 'sh'
  selection_headers:
    cs_user_agent|contains: ' Lantronix'
  condition: all of selection_*
falsepositives:
  - Administrative configuration changes
level: critical

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for UniFi OS Path Traversal and Input Validation Anomalies
// Look in Syslog or CommonSecurityLog for Web Proxy/ Firewall data
let SuspiciousStrings = dynamic(["../", "..%2f", "%2e%2e", "<script", "SELECT *"]);
CommonSecurityLog
| where DeviceVendor in ("Ubiquiti", "Palo Alto Networks", "Fortinet", "Cisco")
| where DestinationPort in (80, 443, 8080, 8443, 8880)
| where RequestURL has_any(SuspiciousStrings)
| extend FileExtension = extract(@'(\.[\w\d]+)$', 1, RequestURL)
| where FileExtension !in (".js", ".css", ".png", ".jpg", ".ico", ".svg")
| project TimeGenerated, DeviceAction, SourceIP, DestinationIP, RequestURL, DeviceVendor
| order by TimeGenerated desc

Velociraptor VQL

VQL — Velociraptor
-- Hunt for network connections initiated by Lantronix or Ubiquiti Devices
-- that are suspicious (e.g., outbound shell connections)
SELECT Process.Name, Process.Pid, Connection.RemoteAddress, Connection.RemotePort, Connection.State
FROM pslist()
LEFT JOIN foreach(row=Process, 
    query={ SELECT * FROM netstat(pid=Process.Pid) }) AS Connection
WHERE Process.Name =~ "UniFi" 
   OR Process.Name =~ "java" 
   OR Connection.RemotePort IN (4444, 6666, 8080, 1337) // Common C2/Reverse Shell ports
   OR Connection.RemoteAddress =~ "192.168." AND Connection.State =~ "ESTABLISHED"

Remediation Script (Bash)

Bash / Shell
#!/bin/bash
# Remediation/Discovery Script for CISA KEV Vulns (June 2026)
# This script scans the local subnet for common Ubiquiti and Lantronix open ports
# Requires 'nmap' to be installed.

# Scan for Ubiquiti UniFi Devices (Common Ports: 8080, 8443, 8880, 8843)
echo "[*] Scanning for Ubiquiti UniFi devices on network..."
nmap -p 8080,8443,8880,8843 --open -oG - 192.168.1.0/24 | grep "Open" > unifi_scan.txt

# Scan for Lantronix EDS5000 (Default Web Port: 80, Telnet: 23)
echo "[*] Scanning for Lantronix EDS5000 devices..."
nmap -p 80,23 --open -oG - 192.168.1.0/24 | grep "Open" > lantronix_scan.txt

if [ -s unifi_scan.txt ]; then
    echo "[!] Potential UniFi Devices found. Check "
    cat unifi_scan.txt
fi

if [ -s lantronix_scan.txt ]; then
    echo "[!] Potential Lantronix Devices found. Check "
    cat lantronix_scan.txt
fi

echo "[*] Remediation Steps:"
echo "1. Isolate identified devices from the internet immediately."
echo "2. Update Lantronix EDS5000 to latest firmware per vendor advisory."
echo "3. Update UniFi OS to the latest stable release (Protect/Network App)."
echo "4. Enforce 'Least Privilege' access to management interfaces."

Remediation

  1. Patch Management:

    • Ubiquiti Users: Update the UniFi Network Application and UniFi OS to the latest stable release immediately. Ensure all adopted UniFi OS Controllers (Dream Machine, Cloud Key) are updated via the user interface.
    • Lantronix Users: Download and apply the latest firmware for the EDS5000 series from the Lantronix support portal. If immediate patching is not possible, disable web management access from untrusted networks.

  2. Network Segmentation:

    • Move Lantronix EDS5000 devices into an isolated OT/IoT VLAN. They should not have direct internet access unless strictly necessary for functionality (which should be proxied).
    • Ensure UniFi controllers are not exposed directly to the internet. Utilize a VPN (WireGuard, L2TP) or Zero Trust Network Access (ZTNA) for remote management.

  3. Compromise Assessment:

    • If these devices were internet-exposed prior to patching, assume they are compromised. Review logs for unauthorized user creation, modified network configs, or unexpected outbound traffic originating from these device IPs.

  4. CISA Compliance:

    • Per BOD 26-04, FCEB agencies must complete remediation by the deadlines specified in the KEV catalog entry. Private sector organizations should treat this timeline as a benchmark for urgency.

Related Resources

Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub

cvezero-daypatch-tuesdayexploitvulnerability-disclosurecisa-kevubiquitilantronix

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action