On June 23, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added four vulnerabilities to the Known Exploited Vulnerabilities catalog (KEV), confirming their active use by threat actors. These include the critical command injection vulnerability CVE-2025-67038 (CVSS 9.8) in Lantronix EDS5000 Series devices, as well as a chain of three vulnerabilities in Ubiquiti UniFi OS that allows full device takeover with a single request. U.S. federal civilian agencies are required to remediate the vulnerabilities by June 26, 2026 — that is, within three days. Organizations using affected equipment must update firmware immediately.
Lantronix EDS5000: command injection via username field
The CVE-2025-67038 vulnerability affects the Lantronix EDS5000 series of industrial serial-to-IP converters (models EDS5008, EDS5016, EDS5032). These devices are widely used in industrial networks, building management systems, and telecommunications infrastructure to connect legacy equipment with serial ports to IP networks.
The root cause lies in the HTTP RPC module, which, upon a failed user authentication attempt, executes a shell command to write logs. The username is directly concatenated with this command without any sanitization. This allows an attacker to inject arbitrary operating system commands via the username parameter. The injected commands are executed with root privileges.
In practical terms, this means that exploitation does not require prior authentication — it is enough to send a specially crafted HTTP request to the device management interface. The CVSS score of 9.8 reflects the triviality of exploitation and the maximum level of impact.
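The failed-login logging pattern described above, reduced to a small added example that is not Lantronix code: `echo` stands in for the firmware's log-writing command, and the function names, the allow-list and the probe string are all hypothetical. It compares splicing the username into a shell command line with passing it as a single argument after validation.

```python
import re
import subprocess

# Stand-in for the firmware's log-writing command (assumption; the real one is not on the page).
LOG_CMD = "echo"
# Hypothetical allow-list for login names; adjust to the product's real account rules.
VALID_USERNAME = re.compile(r"[A-Za-z0-9._-]{1,32}")


def log_failure_concat(username):
    """Pattern from the article: username spliced into a shell command line."""
    cmd = LOG_CMD + " auth failed for user " + username
    done = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return done.stdout.splitlines()


def log_failure_argv(username):
    """Hardened: reject unexpected characters, then run without a shell."""
    if not VALID_USERNAME.fullmatch(username):
        username = "<invalid username, %d bytes>" % len(username.encode())
    done = subprocess.run([LOG_CMD, "auth failed for user", username],
                          capture_output=True, text=True)
    return done.stdout.splitlines()


# Constructed input: a harmless marker command shows whether the shell split the line.
PROBE = "guest; echo SECOND_COMMAND_RAN"

if __name__ == "__main__":
    print("concatenated:     ", log_failure_concat(PROBE))
    print("argv + allow-list:", log_failure_argv(PROBE))
```

Writing the entry through a logging API instead of a child process removes the command line altogether.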
According to researchers, the vulnerability was disclosed by Forescout Research’s Vedere Labs in April 2026 as part of a set of vulnerabilities codenamed BRIDGE:BREAK, which affects serial converters from Lantronix and Silex. An updated firmware version is available on the vendor’s page. At this time, there are no public details about specific campaigns or threat groups exploiting CVE-2025-67038 — CISA has only confirmed the fact of exploitation in the wild.
Ubiquiti UniFi OS: three‑vulnerability chain for root access
In parallel, CISA confirmed active exploitation of three vulnerabilities in Ubiquiti UniFi OS:
- CVE-2026-34908 — improper input validation that allows an attacker with network access to perform command injection;
- CVE-2026-34909 — a path traversal vulnerability that provides access to system files and, as a result, to accounts;
- CVE-2026-34910 — improper access control that allows unauthorized changes to the system.
What makes this particularly dangerous is that these three vulnerabilities form a complete attack chain. According to researchers at Bishop Fox, who published a detailed analysis and a PoC exploit, sequential exploitation of all three vulnerabilities makes it possible to obtain a reverse shell with full root privileges in a single HTTP request without prior authentication.
Ubiquiti released patches for all three vulnerabilities at the end of May 2026. However, according to reports, researchers from Defused Cyber observed this chain being used to deploy mass-distributed malware even before the vulnerabilities were added to the CISA KEV catalog.
Impact assessment
Both sets of vulnerabilities pose a serious threat, but for different reasons.
Lantronix EDS5000 is industrial equipment often deployed in critical infrastructure: energy, transportation, manufacturing. Serial converters are frequently used to connect legacy SCADA and automated process control systems to the network, and these systems themselves typically lack modern security mechanisms. Compromise of such a converter can open a direct path to controlling industrial processes.
Ubiquiti UniFi OS is a platform that manages the network infrastructure of thousands of organizations: routers, access points, switches, and video surveillance cameras. As warned by the Belgian Center for Cybersecurity, UniFi OS devices are often a central element of network architecture, and their compromise can enable lateral movement and takeover of an organization’s entire network. The vulnerabilities affect the confidentiality, integrity, and availability of the targeted devices.
Remediation recommendations
For Lantronix EDS5000 Series:
- Immediately install the latest firmware version from the vendor’s website;
- If an update cannot be applied in the short term, isolate the device’s web management interface from external networks by limiting HTTP RPC access to trusted IP addresses only;
- Review access logs for the web interface for anomalous authentication attempts with non-standard values in the username field (containing shell special characters: ;, |, $(), `);
- Conduct a network segmentation audit — serial converters should not be accessible from the internet.
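One way to run the log review recommended above, as an added example rather than vendor tooling. The key=value log layout and the sample lines are constructed assumptions, so the two field regexes need adapting to whatever the device or an upstream proxy actually records; the script also undoes percent-encoding, which would otherwise hide the characters.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Characters with no place in a login name: the ones the article lists
# (; | $() `) plus other shell separators, redirections and line breaks.
SHELL_META = re.compile(r"[;|&`$()<>\n\r]")
# ASSUMED layout, not the Lantronix log format: key=value fields, with the
# username either double-quoted or running to the next whitespace.
USER_FIELD = re.compile(r'\b(?:username|user)=(?:"((?:[^"\\]|\\.)*)"|(\S*))')
SRC_IP = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def decode_fully(value, max_rounds=3):
    """Undo percent-encoding repeatedly so %3B and %253B both become ';'."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_usernames(lines):
    """Return {source_ip: [(line_no, decoded_username), ...]} for flagged lines."""
    hits = defaultdict(list)
    for line_no, line in enumerate(lines, start=1):
        field = USER_FIELD.search(line)
        if not field:
            continue
        raw = field.group(1) if field.group(1) is not None else field.group(2)
        username = decode_fully(raw)
        if SHELL_META.search(username):
            ip = SRC_IP.search(line)
            hits[ip.group(1) if ip else "unknown"].append((line_no, username))
    return dict(hits)


# Constructed sample lines (documentation IP ranges, harmless strings).
SAMPLE_LOG = [
    "2026-06-24T08:01:12Z src=192.0.2.10 event=login_failed user=admin",
    '2026-06-24T08:03:40Z src=203.0.113.7 event=login_failed user="ops;true"',
    "2026-06-24T08:03:41Z src=203.0.113.7 event=login_failed user=x%60true%60",
    "2026-06-24T08:05:02Z src=198.51.100.4 event=login_failed user=a%2524%2528true%2529",
    "2026-06-24T08:06:19Z src=192.0.2.10 event=login_ok user=j.smith",
]

if __name__ == "__main__":
    for ip, entries in suspicious_usernames(SAMPLE_LOG).items():
        print(ip, entries)
```

Grouping by source address makes repeated probing from one host stand out; any hit on a device that was reachable before patching is a reason to inspect that device for compromise.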
For Ubiquiti UniFi OS:
- Update UniFi OS to the version specified in Ubiquiti security advisory SAB-064;
- Given the existence of a public PoC and confirmed exploitation, the update priority is critical;
- Check devices for signs of compromise: unusual processes, unauthorized accounts, configuration changes;
- Restrict access to the UniFi OS management interface from external networks until the update is installed.
The three-day remediation deadline set by CISA for federal agencies reflects the exceptional urgency of the situation. For CVE-2025-67038 in Lantronix EDS5000, this is unauthenticated command execution with root privileges via a single HTTP request; for the UniFi OS vulnerability chain, it is a publicly available exploit already being used to distribute malware. Organizations using any of the affected devices should treat patch deployment as a top-priority task for the next 24–48 hours.