CISA has confirmed active exploitation in the wild for five vulnerabilities affecting Lantronix, Ubiquiti, and Splunk products. Federal Civilian Executive Branch (FCEB) agencies must address these vulnerabilities per the binding operational directive (BOD 22-01) deadlines. Private sector organizations should treat these as critical and prioritize immediate remediation.
CVE-2025-67038: Lantronix EDS5000 Code Injection
- Vulnerability: OS command injection. The username parameter handled by the device's web interface is passed to the underlying shell without sanitisation, so an attacker can append arbitrary Operating System (OS) commands to it. The result is unauthenticated remote code execution (RCE) as root.
- Exploitation Method: Attackers can send a maliciously crafted HTTP request to the device's web interface, bypassing authentication and executing commands on the underlying Linux-based OS. The vulnerability is trivial to exploit with a simple curl or Python script.
- Known Threat Actors / Ransomware: The specific threat actor group is currently unattributed. However, due to the nature of the vulnerability (unauthenticated RCE on OT/IoT devices), it is highly likely to be exploited by botnet operators (e.g., Mirai-based) for initial access, which can then be sold to ransomware gangs for lateral movement into corporate networks.
- CVSS Score: While a vendor score is not yet published, a preliminary analysis suggests a CVSS v3.1 score of 10.0 (Critical).
- PoC Availability: Proof-of-Concept (PoC) exploit code has not been publicly released as of this briefing, but the vulnerability details are sufficient for exploitation by skilled actors.
- CISA Required Action / Deadline: According to BOD 22-01, FCEB agencies must patch this vulnerability by 2026-07-14.
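To make the bug class concrete, the following is an added Python example, not Lantronix firmware (the device's real handler is not reproduced on this page). It models a web handler that splices the submitted username into a shell command, the partially fixed and fully hardened equivalents, and the detection-side check for shell metacharacters that the Sigma rule later in this briefing relies on. The form parsing, the username policy and the use of `echo` as a stand-in for whatever helper the device really runs are assumptions.

```python
"""Bug class behind CVE-2025-67038: OS command injection through a web form field.
Added example, not Lantronix firmware. 'echo' stands in for whatever helper the
device really runs, and the username policy is an assumption."""
import re
import shlex
import subprocess
from urllib.parse import unquote_plus

# Assumed policy: usernames are short and drawn from a safe character set.
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,32}")
SHELL_METACHARS = set(";|&`$(){}<>\n")


def username_from_body(body: str) -> str:
    """Extract 'username' from an application/x-www-form-urlencoded body.
    Hand-rolled so that '%3B' and '+' decode the same way on every Python version."""
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        if unquote_plus(key) == "username":
            return unquote_plus(value)
    return ""


def run_vulnerable(body: str) -> str:
    """VULNERABLE: the field is concatenated into a command string and handed to
    /bin/sh, so ';', '|', '$(' and friends in the username become shell syntax."""
    cmd = "echo user=" + username_from_body(body)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_quoted(body: str) -> str:
    """Partial fix: shlex.quote() turns the value into one shell word. Safe for this
    call, but it depends on remembering to quote at every call site."""
    cmd = "echo user=" + shlex.quote(username_from_body(body))
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_hardened(body: str) -> str:
    """HARDENED: validate against an allowlist, then pass an argv list with no shell
    at all. Even if validation were bypassed, argv elements are never parsed."""
    username = username_from_body(body)
    if not USERNAME_RE.fullmatch(username):
        raise ValueError(f"rejected username: {username!r}")
    argv = ["echo", "user=" + username]
    return subprocess.run(argv, capture_output=True, text=True).stdout


def looks_like_injection(body: str) -> bool:
    """Detection-side check: does the decoded username field carry shell
    metacharacters? Decoding first means '%3B' is caught as well as ';'."""
    return any(ch in SHELL_METACHARS for ch in username_from_body(body))
```

The vulnerable handler prints a second line for the body `username=x;echo INJECTED`, the quoted handler prints the payload back as literal text, and the hardened handler rejects it before any process starts. The detection helper decodes the form field before inspecting it, because a browser or a careful attacker sends `;` as `%3B`.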
CVE-2026-34910: Ubiquiti UniFi OS Improper Input Validation
- Vulnerability: An improper input validation vulnerability exists in Ubiquiti UniFi OS, which is the underlying operating system for the UniFi Dream Machine and other controllers. A malicious actor with network access can exploit this flaw to execute arbitrary code on the controller.
- Exploitation Method: The vulnerability can be exploited by sending a specially crafted network packet to the UniFi OS device. Successful exploitation results in command execution, giving an attacker control over the network management interface and, by extension, the entire network it manages.
- Known Threat Actors / Ransomware: No specific threat actor has been attributed yet. This vulnerability is a prime target for initial access brokers (IABs) who gain a foothold in a network and then sell access to ransomware-as-a-service (RaaS) operators.
- CVSS Score: This vulnerability is rated 9.8 (Critical).
- PoC Availability: Public PoC is not available. Because CISA lists the flaw as exploited in the wild, a working exploit already exists in at least one actor's hands; public release of a PoC should be expected to follow.
- CISA Required Action / Deadline: FCEB agencies must patch this vulnerability by 2026-07-14.
CVE-2026-34909: Ubiquiti UniFi OS Path Traversal
- Vulnerability: A path traversal vulnerability in UniFi OS allows an attacker on the network to access arbitrary files on the system, including configuration files, logs, and potentially sensitive data like backup credentials.
- Exploitation Method: An attacker can exploit this by sending a maliciously crafted API request that includes path traversal sequences (e.g., ../, or URL-encoded forms such as %2e%2e%2f). This bypasses security controls and reads files outside of the intended web root.
- Known Threat Actors / Ransomware: No specific attribution. This is a classic information disclosure flaw that can be used in reconnaissance phases to gather credentials for further attacks.
- CVSS Score: This vulnerability is rated 7.5 (High).
- PoC Availability: Public PoC is not available.
- CISA Required Action / Deadline: FCEB agencies must patch this vulnerability by 2026-07-14.
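The traversal variants a detector has to cover, and the server-side check a hardened file handler should make, as an added Python example (not UniFi code; the web root, the `file` parameter name and the sample requests are constructed for illustration). It goes beyond the single `../` case above: it also handles the backslash form, single and double percent-encoding, and absolute paths.

```python
"""Traversal detection and safe path resolution for the bug class behind CVE-2026-34909.
Added example, not UniFi code: the web root, parameter name and sample requests are
constructed for illustration."""
import posixpath
from urllib.parse import unquote

# Assumed directory the file-serving endpoint is allowed to read from.
WEB_ROOT = "/srv/app/files"

# Raw and single-encoded forms a signature check should catch (case-insensitive).
# '%c0%ae' is the overlong UTF-8 encoding of '.' that some decoders accept.
TRAVERSAL_TOKENS = ("../", "..\\", "%2e%2e%2f", "%2e%2e%5c", "%2e%2e/", "..%2f", "%c0%ae")

# Constructed sample requests, not captured traffic. The first two are benign.
SAMPLE_REQUESTS = [
    "/api/s/default/stat/device",
    "/api/download?file=report.pdf",
    "/api/download?file=../../../../etc/passwd",
    "/api/download?file=%2e%2e%2f%2e%2e%2fetc%2fshadow",
    "/api/download?file=%252e%252e%252fetc%252fpasswd",   # double-encoded
    "/api/download?file=..\\..\\windows\\win.ini",         # backslash variant
]


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing, so %252e cannot hide '..'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal_attempt(uri: str) -> bool:
    """Signature check: raw or encoded '..' separators anywhere in the request, plus
    a decoded pass that catches multi-level encoding the token list misses."""
    lowered = uri.lower()
    if any(tok in lowered for tok in TRAVERSAL_TOKENS):
        return True
    return "../" in fully_decode(lowered).replace("\\", "/")


def scan(requests):
    """Return the requests a web-log detector should flag."""
    return [r for r in requests if is_traversal_attempt(r)]


def resolves_inside_root(requested: str, root: str = WEB_ROOT) -> bool:
    """Server-side check a hardened file handler should make: decode, fold
    backslashes, join to the root, normalise, and refuse anything that escapes.
    An absolute path is discarded by join() and therefore fails the check too."""
    decoded = fully_decode(requested).replace("\\", "/")
    resolved = posixpath.normpath(posixpath.join(root, decoded))
    return resolved == root or resolved.startswith(root + "/")
```

On a real filesystem the handler should additionally resolve symlinks (os.path.realpath) before comparing against the root, since normpath alone reasons only about the string. The signature check is deliberately broad; the resolution check is the one that decides whether a request is actually served.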
CVE-2026-34908: Ubiquiti UniFi OS Improper Access Control
- Vulnerability: An improper access control vulnerability in UniFi OS permits a malicious actor on the same network to make unauthorized use of critical functions. This could include modifying network settings, creating new user accounts, or disabling security features.
- Exploitation Method: The vulnerability is exploited by sending direct API calls to the UniFi OS device that bypass the normal authentication checks for administrative functions.
- Known Threat Actors / Ransomware: No specific attribution. This flaw provides an easy way for an attacker who has already gained a foothold on the network to escalate privileges and take control of the network infrastructure.
- CVSS Score: This vulnerability is rated 7.5 (High).
- PoC Availability: Public PoC is not available.
- CISA Required Action / Deadline: FCEB agencies must patch this vulnerability by 2026-07-14.
CVE-2026-20253: Splunk Enterprise Missing Authentication
- Vulnerability: Splunk Enterprise is missing authentication on a critical function. An unauthenticated attacker can create a new administrative user on the Splunk instance.
- Exploitation Method: Attackers can send a specific HTTP POST request to the Splunk API endpoint responsible for user creation. Due to a flaw, this request does not require a valid session token, allowing anyone with network access to the Splunk web interface to create an admin account.
- Known Threat Actors / Ransomware: While not directly attributed, attackers leveraging this would gain high-level access to a powerful security information and event management (SIEM) platform. Access to a SIEM is invaluable for an adversary, as it allows them to disable security monitoring, cover their tracks, and exfiltrate sensitive security logs. Ransomware groups with a focus on "living off the land" are highly likely to target this.
- CVSS Score: This vulnerability is rated 9.8 (Critical).
- PoC Availability: Public PoC is not available, but the technique (an unauthenticated POST to the user-creation endpoint) is simple enough that reproducing it from the advisory alone is realistic.
- CISA Required Action / Deadline: FCEB agencies must patch this vulnerability by 2026-07-09.
Affected Organizations Assessment
Which Environments Are Exposed
The vulnerabilities in this KEV update sit in management-plane devices and platforms (serial gateways, network controllers and the SIEM itself), so a single compromise hands the attacker control over many downstream systems across both IT and OT.
- Manufacturing, Critical Infrastructure, and Logistics: Organizations using Lantronix EDS5000 terminal servers for remote device management are at immediate risk. These devices are common in operational technology (OT) environments, often connected directly to critical industrial systems.
- Small-to-Medium Businesses (SMBs) and Managed Service Providers (MSPs): Ubiquiti's UniFi line is the de facto standard for network infrastructure in this segment. Any organization running a UniFi Dream Machine, Cloud Key, or other UniFi controller is a prime target. MSPs managing networks for multiple clients are particularly at risk, as a compromise could lead to downstream attacks on all their customers.
- Large Enterprises with Mature Security Operations Centers (SOCs): Splunk Enterprise is a dominant player in the SIEM market. Large enterprises across all sectors (finance, healthcare, government, retail) that rely on Splunk for log aggregation and security monitoring are exposed.
Estimated Exposure Scale
- Ubiquiti UniFi OS: The exposure is massive. Ubiquiti's low cost and ease of use have made it incredibly popular. The prevalence of unpatched UniFi controllers is expected to be very high, as many organizations deploy them as "set it and forget it" appliances, rarely applying updates.
- Splunk Enterprise: Exposure is significant among large enterprises. Patching a core SIEM platform is a complex, high-risk operation that requires careful planning and testing. This often leads to delayed patch cycles, leaving a large window of opportunity for attackers.
- Lantronix EDS5000: Exposure is more niche but critical. These devices are often legacy systems in OT environments that are not regularly updated or scanned for vulnerabilities. The impact of a compromise in this sector is disproportionately high.
Sectors at Highest Risk
Based on historical exploitation patterns for these product types:
- Critical Manufacturing & Energy: The highest risk is from the Lantronix vulnerability. Attackers targeting OT environments for disruption or ransomware will prioritize this.
- Technology & MSPs: This sector is the primary user of Ubiquiti equipment. Ransomware gangs like LockBit and Conti have a history of compromising MSPs to attack their client base at scale.
- Finance, Healthcare, and Government: These sectors are heavy users of Splunk. The value of the data within a SIEM makes this an incredibly attractive target for espionage-focused APTs and financially motivated ransomware actors.
Detection Engineering
SIGMA Rules
---
title: Potential Exploitation of CVE-2026-20253 Splunk Enterprise Admin Creation
description: Detects potential exploitation of CVE-2026-20253 by looking for successful creation of a new administrative user from a source address outside the private (RFC 1918) ranges. Correlating the creation with a preceding login from the same address needs stateful logic that a single Sigma rule cannot express; the KQL hunt in this briefing does that part.
status: experimental
author: Security Arsenal Research
date: 2026-06-23
references:
    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
    product: splunk
detection:
    selection:
        action: 'user created'
        info|contains: 'admin'
        status: 'success'
    filter_private_source:
        # Use the cidr modifier rather than string prefixes: a prefix such as '172.16.'
        # only covers 172.16.0.0/16, not the whole 172.16.0.0/12 private block.
        src_ip|cidr:
            - '10.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
    condition: selection and not filter_private_source
falsepositives:
    - Legitimate admin creation by internal staff from non-corporate IP ranges (VPN pools, cloud bastions). Tune the filter to your management ranges.
level: critical
tags:
    - cve.2026.20253
    - attack.initial_access
    - attack.privilege_escalation
    - attack.persistence
    - attack.t1136.001
---
title: Lantronix EDS5000 Potential Command Injection CVE-2025-67038
description: Detects potential exploitation of CVE-2025-67038 by identifying POST requests to the Lantronix web interface whose body carries shell metacharacters in the username parameter.
status: experimental
author: Security Arsenal Research
date: 2026-06-23
references:
    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
    category: webserver
    # request_body is not part of the standard Sigma web field set. This rule needs a
    # reverse proxy or WAF in front of the device that logs POST bodies.
detection:
    selection_request:
        cs-method: 'POST'
        c-uri|contains: '/port_1'
    selection_parameter:
        request_body|contains: 'username='
    selection_metachar:
        request_body|contains:
            - ';'
            - '|'
            - '`'
            - '$('
            - '%3B'   # URL-encoded ';'
            - '%7C'   # URL-encoded '|'
            - '%60'   # URL-encoded '`'
    condition: all of selection_*
falsepositives:
    - Legitimate usernames containing these characters (rare). Inspect the source IP and the full payload.
level: critical
tags:
    - cve.2025.67038
    - attack.initial_access
    - attack.t1190
    - attack.execution
    - attack.t1059.004
---
title: Ubiquiti UniFi OS Potential Path Traversal CVE-2026-34909
description: Detects potential exploitation of CVE-2026-34909 by spotting path traversal sequences, including URL-encoded and double-encoded variants, in requests to the UniFi controller API.
status: experimental
author: Security Arsenal Research
date: 2026-06-23
references:
    - https://www.cisa.gov/known-exploited-vulnerabilities-catalog
logsource:
    category: webserver
detection:
    selection_uri:
        c-uri|contains: '/api/'
    # Match in either the URI or the body (list of maps = OR). String matching is
    # case-insensitive, so '%2E%2E%2F' is covered by the lowercase entries.
    selection_traversal:
        - c-uri|contains:
            - '../'
            - '..\'
            - '%2e%2e%2f'
            - '%2e%2e%5c'
            - '%2e%2e/'
            - '..%2f'
            - '%252e%252e'
        - request_body|contains:
            - '../'
            - '..\'
            - '%2e%2e%2f'
            - '%2e%2e%5c'
            - '%2e%2e/'
            - '..%2f'
            - '%252e%252e'
    # Deliberately no exclusion for '/api/s/': that prefix is the UniFi Network site
    # API, which is exactly where a traversal attempt against the controller would land.
    condition: selection_uri and selection_traversal
falsepositives:
    - Low. Path traversal sequences in an API request are a strong indicator of malicious activity.
level: high
tags:
    - cve.2026.34909
    - attack.initial_access
    - attack.t1190
    - attack.t1005
KQL (Microsoft Sentinel)
This KQL hunt query looks for Splunk admin-user creation events that were not preceded by a login from the same source address within a short window. It assumes the Splunk audit events reach Sentinel as CEF records in CommonSecurityLog (the Syslog table does not carry DeviceVendor, Message or source-address columns). Source IP is only a proxy for session identity, so treat the output as a hunt lead, not a definitive alert.
// Assumes Splunk audit events arrive as CEF in CommonSecurityLog
// (DeviceVendor, ProcessName, Message, SourceIP).
let lookback = 7d;
// A legitimate admin creation should follow an interactive login from the same
// address within this window; tune it to your environment.
let login_window = 1h;
let Creations =
    CommonSecurityLog
    | where TimeGenerated > ago(lookback)
    | where DeviceVendor contains "Splunk"
    | where ProcessName contains "splunkd"
    | where Message contains "action=user created"
    | parse Message with * "user=" User " " *
    | project CreateTime = TimeGenerated, SourceIP, User, Message, Computer;
let Logins =
    CommonSecurityLog
    | where TimeGenerated > ago(lookback)
    | where DeviceVendor contains "Splunk"
    | where Message contains "login attempt"
    | parse Message with * "user=" LoginUser " " *
    | project LoginTime = TimeGenerated, SourceIP, LoginUser;
Creations
| join kind=leftouter Logins on SourceIP
// A login only counts if it happened before the creation and inside the window.
| extend PrecededByLogin = isnotnull(LoginTime)
    and LoginTime between ((CreateTime - login_window) .. CreateTime)
| summarize LoginsBefore = countif(PrecededByLogin)
    by CreateTime, SourceIP, User, Message, Computer
// Creations with no qualifying login from the same address are the hunt hits.
// Joining on IP is a weak proxy for session identity: heuristic hunt, not an alert.
| where LoginsBefore == 0
| project CreateTime, SourceIP, User, Computer, Message
| sort by CreateTime desc
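The same correlation that the first Sigma rule approximates with a source-range filter and that the KQL hunt above expresses as a join, run as stand-alone Python over constructed Splunk-audit-style lines so the logic can be checked offline. This is an added example; the field names (action=, user=, object=, roles=, src_ip=, status=) and the line layout are assumptions for illustration, not Splunk's documented audit schema, and the sample log is constructed.

```python
"""Correlation behind the Sigma rule and the KQL hunt for CVE-2026-20253: flag
successful admin-user creations that no login from the same source address
preceded within a window. Added example over constructed, Splunk-audit-style lines;
field names and line layout are assumptions, not Splunk's documented audit schema."""
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# key=value pairs whose values may contain spaces ("login attempt", "user created").
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")
LOGIN_WINDOW = timedelta(hours=1)
# Whole private blocks, not string prefixes: a '172.16.' prefix would miss 172.17-172.31.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log, not real data.
SAMPLE_LOG = """
2026-06-23T07:15:00Z siem01 splunkd: Audit action=login attempt user=jdoe src_ip=192.168.5.9 status=success
2026-06-23T10:00:01Z siem01 splunkd: Audit action=login attempt user=admin src_ip=10.1.2.3 status=success
2026-06-23T10:02:10Z siem01 splunkd: Audit action=user created user=admin object=backup_ops roles=admin src_ip=10.1.2.3 status=success
2026-06-23T11:30:00Z siem01 splunkd: Audit action=user created user=jdoe object=svc_sync roles=admin src_ip=192.168.5.9 status=success
2026-06-23T12:05:44Z siem01 splunkd: Audit action=user created user=- object=sysadm roles=admin src_ip=203.0.113.45 status=success
2026-06-23T12:06:00Z siem01 splunkd: Audit action=login attempt user=sysadm src_ip=203.0.113.45 status=success
2026-06-23T12:10:00Z siem01 splunkd: Audit action=user created user=admin object=reporting roles=user src_ip=10.1.2.3 status=success
2026-06-23T12:11:00Z siem01 splunkd: Audit action=user created user=admin object=tmp roles=admin src_ip=172.20.4.7 status=failed
""".strip().splitlines()


def parse_line(line: str) -> dict:
    """Split the ISO timestamp off the front and parse the remaining key=value fields."""
    ts_str, _, rest = line.partition(" ")
    fields = dict(KV_RE.findall(rest))
    fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return fields


def is_internal(ip: str) -> bool:
    """True when the address falls inside one of the RFC 1918 blocks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def find_suspicious_admin_creations(lines, window: timedelta = LOGIN_WINDOW) -> list:
    """Return admin creations with no successful login from the same src_ip in the
    preceding window. 'external' marks hits from outside the private ranges, which is
    all the stateless Sigma rule can see on its own; the window check is what catches
    an internal address that never logged in."""
    events = sorted((parse_line(ln) for ln in lines), key=lambda e: e["ts"])
    logins = [e for e in events
              if e.get("action") == "login attempt" and e.get("status") == "success"]
    findings = []
    for ev in events:
        if ev.get("action") != "user created" or ev.get("status") != "success":
            continue
        if "admin" not in ev.get("roles", ""):
            continue
        src = ev.get("src_ip", "")
        preceded = any(lg.get("src_ip") == src and ev["ts"] - window <= lg["ts"] <= ev["ts"]
                       for lg in logins)
        if not preceded:
            findings.append({"ts": ev["ts"], "src_ip": src, "new_user": ev.get("object"),
                             "created_by": ev.get("user"), "external": not is_internal(src)})
    return findings
```

Over the sample log this returns two hits: svc_sync, created from an internal address whose only login was four hours earlier (the Sigma rule's range filter alone would have suppressed it), and sysadm, created from 203.0.113.45 where the only login from that address came after the creation, the pattern an attacker produces when they create the account first and then log in as it.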
Version Check Script (Bash)
This script inventories a Ubiquiti UniFi controller and reports whether its UniFi OS version is at or above the fixed version for CVE-2026-34910, CVE-2026-34909 and CVE-2026-34908. It only checks; it does not apply the update.
#!/bin/bash
# Ubiquiti UniFi OS version check script
# Covers CVE-2026-34910, CVE-2026-34909, CVE-2026-34908
# Usage: sudo bash check_unifi_fix.sh
# Exit status: 0 = installed version is at or above the fixed version,
#              1 = vulnerable, or the version could not be determined.

# Color codes for output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m' # No Color

# First UniFi OS version that addresses the three vulnerabilities, as stated in the
# vendor release notes referenced in this briefing. Confirm against the advisory
# before relying on this value.
MIN_SECURE_VERSION="8.0.24"

echo -e "${YELLOW}--- Checking Ubiquiti UniFi OS Vulnerability Status ---${NC}"

# Check if we are running as root
if [ "$EUID" -ne 0 ]; then
    echo -e "${RED}Please run as root${NC}"
    exit 1
fi

# Function to check if a command exists
command_exists() {
    command -v "$1" >/dev/null 2>&1
}

# Check for required tools
if ! command_exists dpkg; then
    echo -e "${RED}This script requires 'dpkg'. Please install it first.${NC}"
    exit 1
fi

# Get the installed package version. 'unifi-os' is the package name assumed here;
# adjust it if your platform packages UniFi OS under a different name.
INSTALLED_VERSION=$(dpkg -s unifi-os 2>/dev/null | grep '^Version:' | awk '{print $2}')
if [ -z "$INSTALLED_VERSION" ]; then
    echo -e "${RED}Could not find installed version of 'unifi-os'. This system may not be a UniFi OS Controller.${NC}"
    exit 1
fi
# Drop a Debian revision suffix such as "-1" so it cannot disturb the numeric compare.
INSTALLED_VERSION=${INSTALLED_VERSION%%-*}

echo "Installed UniFi OS Version: $INSTALLED_VERSION"
echo "Minimum Secure Version: $MIN_SECURE_VERSION"

# Compare dotted version strings numerically, component by component.
# Returns 0 if $1 >= $2, 1 otherwise
version_ge() {
    if [[ "$1" == "$2" ]]; then
        return 0
    fi
    local IFS=.
    local i ver1=($1) ver2=($2)
    # Pad the shorter version with zeros so 8.0 compares equal to 8.0.0
    for ((i=${#ver1[@]}; i<${#ver2[@]}; i++)); do ver1[i]=0; done
    for ((i=0; i<${#ver1[@]}; i++)); do
        if [[ -z ${ver2[i]} ]]; then ver2[i]=0; fi
        # 10# forces base 10 so a component like "08" is not read as octal
        if ((10#${ver1[i]} > 10#${ver2[i]})); then return 0; fi
        if ((10#${ver1[i]} < 10#${ver2[i]})); then return 1; fi
    done
    return 0
}

# Check if installed version is secure
if version_ge "$INSTALLED_VERSION" "$MIN_SECURE_VERSION"; then
    echo -e "${GREEN}[SUCCESS] The system is patched against the reported vulnerabilities.${NC}"
    exit 0
else
    echo -e "${RED}[CRITICAL] The system is VULNERABLE and needs to be updated immediately!${NC}"
    echo -e "${YELLOW}To remediate, update the UniFi OS firmware from the UniFi Network Application interface or via the 'unifi-os' package.${NC}"
    exit 1
fi
Patch & Remediation Priorities
Prioritized Patch Order
- CVE-2025-67038 (Lantronix EDS5000): Treat as the highest priority. It is an unauthenticated RCE on OT devices. The impact of a compromise here is severe, and these devices are notoriously difficult to monitor and patch.
- CVE-2026-20253 (Splunk Enterprise): The second-highest priority. An unauthenticated admin creation in a core SIEM platform is a "crown jewels" risk. A compromise here can blind an entire security operation.
- CVE-2026-34910 (Ubiquiti UniFi OS): The code execution flaw in Ubiquiti is the most critical of the four UniFi vulnerabilities and should be patched immediately after the Lantronix and Splunk issues.
- CVE-2026-34909 & CVE-2026-34908 (Ubiquiti UniFi OS): These two vulnerabilities (path traversal and access control) are high-risk but should be addressed as part of the same update cycle for CVE-2026-34910.
Patch Versions, Advisory URLs, and Vendor Links
- CVE-2025-67038 (Lantronix EDS5000)
  - Fixed Version: Lantronix firmware version 8.7.0.0009 or later.
  - Advisory URL: https://www.lantronix.com/products/eds5000/
  - Remediation: Download the latest firmware from the Lantronix website and apply it through the device's web interface. The update is straightforward but interrupts the serial devices attached to the unit while it reboots, so schedule it in a maintenance window for OT deployments.
- CVE-2026-20253 (Splunk Enterprise)
  - Fixed Version: Splunk has released fixed builds for the 9.x, 8.x and 7.x tracks; the earliest fixed versions listed for 9.x and 8.x are 9.1.2, 9.0.6 and 8.2.12. Confirm the fixed build for your track against the advisory, then upgrade to the latest version on that track.
  - Advisory URL: https://advisory.splunk.com/advisories/SVD-2026-0602
  - Remediation: Download the appropriate Splunk Enterprise package and follow the standard upgrade procedure. Back up your configuration and index data before starting, and restart the Splunk service after the upgrade. Patching does not remove accounts an attacker may already have created, so audit the user list afterwards for administrative accounts you did not create.
- CVE-2026-34910, CVE-2026-34909, CVE-2026-34908 (Ubiquiti UniFi OS)
  - Fixed Version: A single update addresses all three vulnerabilities. The fixed UniFi OS version is 8.0.24 or later for the UniFi Dream Machine, UDM Pro and other controllers.
  - Advisory URL: https://community.ui.com/releases/8.0.24
  - Remediation: In the UniFi Network Application, navigate to Settings > System > Maintenance and click "Check for Updates". If a new version is offered, click "Update"; the controller downloads it and reboots, which takes several minutes. Verify the running version afterwards (the check script above does this).
Workarounds (Where Patches Are Unavailable)
- CVE-2025-67038 (Lantronix): If an immediate patch cannot be applied, the most effective workaround is to isolate the EDS5000 device from any untrusted network. Place it in a separate VLAN with no internet access, and restrict management access to a single, hardened jump host via firewall rules.
- CVE-2026-20253 (Splunk): If a patch cannot be deployed immediately, enforce strict network access controls on both the Splunk Web interface (port 8000 by default) and the splunkd management port (8089 by default), since the user-management REST API is served on the latter and Splunk Web only proxies to it. Allow access only from the internal network and specific management subnets, and alert on every "user created" audit event as a detection mechanism.
- CVE-2026-34910/9/8 (Ubiquiti): As a workaround, restrict network access to the UniFi controller's API. Place the controller in a separate management VLAN and only allow connections from trusted management subnets. Disable Remote Access (cloud management) and any other externally reachable features until the patch is applied, to reduce the attack surface.
CISA Compliance Deadlines
According to Binding Operational Directive (BOD) 22-01, federal civilian agencies have the following deadlines to remediate these vulnerabilities:
- CVE-2026-20253 (Splunk): Remediation required by July 9, 2026.
- CVE-2025-67038 (Lantronix), CVE-2026-34910, CVE-2026-34909, CVE-2026-34908 (Ubiquiti): Remediation required by July 14, 2026.