Back to Intelligence

CISA KEV Alert: Ubiquiti UniFi OS and Lantronix Devices Under Active Attack — Detection and Hardening

SA
Security Arsenal Team
June 24, 2026
7 min read

The Cybersecurity and Infrastructure Security Agency (CISA) has added critical vulnerabilities affecting Ubiquiti UniFi OS and Lantronix serial-to-ethernet servers to its Known Exploited Vulnerabilities (KEV) catalog. This indicates that threat actors are not just scanning for these flaws—they are actively exploiting them in the wild.

For security practitioners, this is a tier-1 priority. Ubiquiti devices are pervasive in enterprise edge environments and managed service provider (MSP) networks, while Lantronix servers frequently serve as bridge devices in Operational Technology (OT) and industrial environments. A compromise at this layer often provides attackers with a pivot point into the core network or direct access to serial-connected industrial controls.

Technical Analysis

Affected Products and Platforms

  • Ubiquiti UniFi OS: The operating system powering UniFi Dream Machines, Gateways, and Controllers. While specific CVE identifiers are not listed in the advisory summary, the flaws are categorized as "max severity" (likely CVSS 9.8+), suggesting remote code execution (RCE) or authentication bypass capabilities.
  • Lantronix Serial-to-Ethernet Servers: This includes PremierWave, Evolution, and Spider series devices often used to console-manage servers or industrial gear.

Vulnerability Mechanism

Although the specific CVEs are withheld in this summary, "max severity" flaws in these classes of devices typically involve:

  1. Pre-Auth RCE in Web Interfaces: Buffer overflows or deserialization flaws in the HTTP/HTTPS management services (often port 443 or 8080).
  2. Authentication Bypass: Logic errors allowing administrative access without valid credentials on the SSH or API endpoints.

Exploitation Status

  • Status: Confirmed Active Exploitation (CISA KEV).
  • Utility: Proof-of-Concept (PoC) code is likely available or in rapid development given the active exploitation status.
  • Attractive Target: Botnet operators and initial access brokers (IABs) target these devices to establish persistence in network perimeters, often using them for C2 tunneling or credential dumping.

Detection & Response

Detecting exploitation on IoT and edge devices requires a shift from EDR-centric monitoring to log aggregation and network-based heuristics. These devices generally do not support endpoint agent installation.

Sigma Rules

The following rules focus on the high-likelihood behavior of RCE exploitation: the web server process spawning a shell, or administrative services interacting with the file system in suspicious ways.

YAML
---
title: Ubiquiti UniFi OS - Java Process Spawning Shell
id: 8f4b2c1e-6a9d-4c5f-9e1b-3d7a8f9c0e1a
status: experimental
description: Detects potential RCE on UniFi OS by identifying the Java-based controller process spawning a shell (sh/bash).
references:
 - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
author: Security Arsenal
date: 2026/04/08
tags:
 - attack.initial_access
 - attack.t1190
logsource:
 category: process_creation
 product: linux
detection:
 selection:
   ParentImage|endswith: '/java'
   Image|endswith:
     - '/sh'
     - '/bash'
   ParentCommandLine|contains:
     - 'UniFi'
     - 'ace'
 condition: selection
falsepositives:
 - Legitimate administrative debugging scripts
level: high
---
title: Lantronix/IoT - Web Server Spawning System Commands
date: 2026/04/08
id: 2d9e5a3b-1c8f-4b2e-9d6a-7f1b3c8e0d2f
status: experimental
description: Detects the Lantronix web server (httpd/lighttpd) spawning system utilities, indicative of command injection.
author: Security Arsenal
references:
 - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
 category: process_creation
 product: linux
detection:
 selection:
   ParentImage|contains:
     - '/httpd'
     - '/lighttpd'
     - '/goahead'
   Image|endswith:
     - '/nc'
     - '/curl'
     - '/wget'
     - '/busybox'
   UserName: 'root'
 condition: selection
falsepositives:
 - Authorized firmware updates or legitimate network testing
level: critical
---
title: Suspicious Outbound Connection from Edge Device
id: 4c1f8e2d-7a3b-4e6c-9f0d-2a5b6c7d8e9f
status: experimental
description: Detects established outbound connections from infrastructure/IoT devices to non-standard ports, common in reverse shells.
author: Security Arsenal
date: 2026/04/08
tags:
 - attack.command_and_control
 - attack.t1071
logsource:
 category: network_connection
 product: linux
detection:
 selection:
   Image|endswith:
     - '/java'
     - '/httpd'
     - '/mongod'
   DestinationPort:
     - 4444
     - 5555
     - 6666
   Initiated: 'true'
 condition: selection
falsepositives:
 - Rare, but verify legitimate monitoring traffic
level: medium

KQL (Microsoft Sentinel)

Hunt for authentication anomalies and potential web shell activity forwarded via Syslog or CEF.

KQL — Microsoft Sentinel / Defender
// Hunt for failed logins followed by success on Ubiquiti/Lantronix devices (Brute force -> Success)
let DeviceIPs = dynamic(["192.168.1.0/24", "10.0.0.0/8"]); // Adjust to your IoT subnets
Syslog
| where Facility in ("auth", "authpriv", "security")
| where ProcessName contains "UniFi" or ProcessName contains "Lantronix" or SyslogMessage contains "UniFi" or SyslogMessage contains "Lantronix"
| project TimeGenerated, Computer, ProcessName, SyslogMessage, SeverityLevel
| where SyslogMessage has "Failed" or SyslogMessage has "Authentication failure"
| join kind=inner (
    Syslog
    | where Facility in ("auth", "authpriv", "security")
    | where SyslogMessage has "Accepted" or SyslogMessage has "Login success"
) on Computer
| where TimeGenerated1 > TimeGenerated and TimeGenerated1 < TimeGenerated + 5m
| project CompromisedHost=Computer, FailureTime=TimeGenerated, SuccessTime=TimeGenerated1, FailureMessage=SyslogMessage, SuccessMessage=SyslogMessage1

Velociraptor VQL

Use this artifact on Linux-based gateways or jump servers that might be proxying traffic, or if you have SSH collection capabilities on the edge devices.

VQL — Velociraptor
-- Hunt for web servers spawning shells or network utilities on Linux/IoT
SELECT Pid, Pid, Name, Exe, CommandLine, Parent.Pid AS ParentPid, Parent.Name AS ParentName
FROM pslist()
WHERE Name IN ('sh', 'bash', 'dash', 'python', 'perl', 'nc', 'busybox', 'wget', 'curl')
  AND Parent.Name IN ('java', 'httpd', 'lighttpd', 'goahead', 'mongod', 'unifi')
-- Filter for processes running as root (common for IoT exploitation)
  AND Username = 'root'

Remediation Script (Bash)

Note: Do not run this blindly on production appliances without testing. This script performs containment by blocking external access to the management interfaces via iptables if immediate patching is impossible.

Bash / Shell
#!/bin/bash
# Immediate Containment for Ubiquiti and Lantronix Devices
# Usage: sudo ./contain_iot_device.sh

LOG_FILE="/var/log/iot_containment.log"
echo "Starting containment: $(date)" >> $LOG_FILE

# 1. Flush existing rules (CAUTION: Adjust for your environment to avoid lockout)
# iptables -F INPUT
# iptables -F OUTPUT

# 2. Allow Loopback and Established connections
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# 3. Block external access to Ubiquiti UniFi Ports (8080, 8443, 8880, 8843)
# Allow only from specific Management Subnets (e.g., 10.10.10.0/24)
MGMT_SUBNET="10.10.10.0/24"

UBIQUITI_PORTS="8080 8443 8880 8843"
LANTRONIX_PORTS="80 443 306 307"

for port in $UBIQUITI_PORTS; do
  iptables -A INPUT -p tcp --dport $port -s $MGMT_SUBNET -j ACCEPT
  iptables -A INPUT -p tcp --dport $port -j DROP
  echo "Dropped external access to Ubiquiti port $port" >> $LOG_FILE
done

# 4. Block external access to Lantronix Web/Config Ports
for port in $LANTRONIX_PORTS; do
  iptables -A INPUT -p tcp --dport $port -s $MGMT_SUBNET -j ACCEPT
  iptables -A INPUT -p tcp --dport $port -j DROP
  echo "Dropped external access to Lantronix port $port" >> $LOG_FILE
done

# 5. Save rules (Debian/Ubuntu)
iptables-save > /etc/iptables/rules.v4

echo "Containment applied. Only $MGMT_SUBNET can access management interfaces." >> $LOG_FILE

Remediation

  1. Patch Immediately:

    • Ubiquiti: Update UniFi OS to the latest available version via the Network Application interface. Check the official Ubiquiti Community Security Advisories for the specific build numbers addressing the CISA KEV entry.
    • Lantronix: Download and apply the latest firmware for PremierWave, Evolution, or Spider devices from the Lantronix support portal.

  2. Network Segmentation: Ensure these devices reside in a dedicated VLAN with no direct internet access. Management interfaces should only be accessible via VPN or jump hosts.

  3. Credential Hygiene: Assume credentials may be compromised. Rotate all admin passwords for UniFi controllers and Lantronix units after patching.

  4. Disable Unused Services: If SSH or Telnet is not required for operations, disable it entirely. Restrict local console access where physically possible.

  5. CISA Deadline: Per Binding Operational Directive (BOD) 22-01, federal agencies have a deadline to patch these vulnerabilities. Private sector organizations should treat this timeline as the maximum acceptable window for remediation.

Related Resources

Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub

sigma-rulekql-detectionthreat-huntingdetection-engineeringsiem-detectionubiquitilantronixcisa-kev

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action