Ethical Hacking News
U.S. CISA adds Ubiquiti UniFi OS and Lantronix EDS5000 plugin flaws to its Known Exploited Vulnerabilities catalog, underscoring the ongoing threat of network exploitation and the need for swift patching to protect network security.
U.S. CISA has added Ubiquiti UniFi OS and Lantronix EDS5000 plugin flaws to its Known Exploited Vulnerabilities (KEV) catalog. CVE-2025-67038 is a code injection vulnerability in the Lantronix EDS5000 that allows an attacker to execute arbitrary OS commands with root privileges. CVE-2026-34908 is an improper access control vulnerability in Ubiquiti UniFi OS devices that can be exploited by a malicious actor with network access. Federal agencies have until June 26, 2026, to address these vulnerabilities to protect their networks against attacks exploiting the flaws in the catalog.
Cybersecurity agencies around the world work constantly to identify vulnerabilities in network systems, software, and hardware that malicious actors could exploit. U.S. CISA (the Cybersecurity and Infrastructure Security Agency) has recently flagged several critical vulnerabilities in network devices that require immediate attention.
Recently, U.S. CISA added Ubiquiti UniFi OS and Lantronix EDS5000 plugin flaws to its Known Exploited Vulnerabilities (KEV) catalog. This move is part of the agency's efforts to inform federal agencies about known exploited vulnerabilities and encourage them to take swift action to patch these weaknesses before they can be exploited by malicious actors.
The two main vulnerabilities added to the KEV catalog are:
- CVE-2025-67038, a code injection vulnerability in the Lantronix EDS5000 that exists due to the HTTP RPC module failing to sanitize the username parameter. This allows an attacker to execute arbitrary OS commands with root privileges.
- CVE-2026-34908, an improper access control vulnerability in Ubiquiti UniFi OS devices that can be exploited by a malicious actor with network access to make unauthorized changes to the system.
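The Lantronix flaw described above belongs to a well-known bug class: an HTTP request parameter is spliced into an operating-system command. The following is an added, constructed illustration of that class, not the EDS5000 code or any vendor code, showing the vulnerable pattern beside a hardened form and a small detection helper for request logs. The handler, the `id` command it wraps, and the regular expression are all assumptions made for the example:

```python
import re
import shlex
import subprocess

# Constructed, hypothetical RPC handler. It is NOT the Lantronix EDS5000
# implementation; it only models the bug class the article describes: a
# username parameter from an HTTP RPC request that ends up in a shell command.

USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")  # assumed allow-list policy
SHELL_META = set(";&|`$<>(){}\n\r")


def vulnerable_command(username: str) -> str:
    """The bug pattern: untrusted input spliced into a shell command string.
    When this string is run with shell=True, /bin/sh parses it, so shell
    metacharacters in `username` end the intended command and start another.
    The function only builds the string; it never executes it."""
    return f"id {username}"


def hardened_command(username: str) -> list[str]:
    """Two independent defences:
    1. strict allow-list validation of the parameter (reject, never 'clean');
    2. an argv list that is passed to subprocess WITHOUT shell=True, so the
       argument reaches the program verbatim and nothing parses metacharacters."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("invalid username")
    return ["id", username]


def run_hardened(username: str) -> str:
    """Execute the hardened form. No shell is involved, so even a value that
    slipped past validation could not inject a second command."""
    argv = hardened_command(username)
    return subprocess.run(argv, capture_output=True, text=True, check=False).stdout


def flags_shell_metachars(value: str) -> bool:
    """Detection helper for web or RPC access logs: True if a parameter carries
    shell metacharacters, which a legitimate username never needs."""
    return any(ch in SHELL_META for ch in value)


if __name__ == "__main__":
    print("hardened argv:", shlex.join(hardened_command("alice")))
    print("suspicious   :", flags_shell_metachars("alice;echo injected"))
```

Rejecting input that fails the allow-list, rather than stripping characters from it, avoids the bypasses that sanitisation routines tend to accumulate; passing an argv list without a shell removes the injection point entirely, so the two controls do not depend on each other.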
These vulnerabilities are rated as high-severity threats to network security. Under Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, federal agencies must remediate the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.
Experts also recommend that private organizations review the Known Exploited Vulnerabilities catalog and address the vulnerabilities in their infrastructure as soon as possible. U.S. CISA orders federal agencies to urgently fix these vulnerabilities by June 26, 2026.
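Reviewing the catalog against one's own asset inventory is something that can be automated: CISA publishes the KEV catalog as a JSON feed at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json, each entry carrying a `cveID`, `vendorProject`, `product`, `shortDescription` and `dueDate` among other fields. The following is an added example, not code from CISA or from the article, that indexes a feed of that shape and reports which inventoried assets carry catalogued CVEs and how many days remain before the BOD 22-01 due date. The feed excerpt and the inventory are constructed inline so the script runs offline; the hostnames and the non-catalogued CVE id are placeholders.

```python
import json
from datetime import date

# Constructed excerpt shaped like CISA's KEV JSON feed. Only the two entries
# discussed in the article are included, with the fields this check uses; the
# live feed carries many more entries and additional fields per entry.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2025-67038", "vendorProject": "Lantronix", "product": "EDS5000",
         "shortDescription": "Code injection via unsanitized username parameter "
                             "in the HTTP RPC module.",
         "dueDate": "2026-06-26"},
        {"cveID": "CVE-2026-34908", "vendorProject": "Ubiquiti", "product": "UniFi OS",
         "shortDescription": "Improper access control exploitable by an actor "
                             "with network access.",
         "dueDate": "2026-06-26"},
    ],
})

# Constructed asset inventory: asset name -> CVEs a scanner reports for it.
# Hostnames are hypothetical; CVE-2024-00000 is a placeholder id that is NOT
# in the catalog and should therefore produce no finding.
SAMPLE_INVENTORY = {
    "edge-serial-gw-01": ["CVE-2025-67038"],
    "unifi-console-hq": ["CVE-2026-34908", "CVE-2024-00000"],
    "file-server-02": ["CVE-2024-00000"],
}


def load_kev(feed_json: str) -> dict[str, dict]:
    """Index the catalog by CVE id so each inventory lookup is a dict hit."""
    data = json.loads(feed_json)
    return {entry["cveID"]: entry for entry in data["vulnerabilities"]}


def kev_exposure(inventory: dict[str, list[str]], kev: dict[str, dict],
                 today_iso: str) -> list[dict]:
    """Return one finding per (asset, CVE) pair where the CVE is catalogued,
    with the days remaining until the catalog's due date (negative if overdue).
    Findings are sorted so the most urgent come first."""
    today = date.fromisoformat(today_iso)
    findings = []
    for asset, cves in inventory.items():
        for cve in cves:
            entry = kev.get(cve)
            if entry is None:
                continue  # known to the scanner but not (yet) in the KEV catalog
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "asset": asset,
                "cve": cve,
                "product": f'{entry["vendorProject"]} {entry["product"]}',
                "due": entry["dueDate"],
                "days_left": (due - today).days,
            })
    findings.sort(key=lambda f: (f["days_left"], f["asset"]))
    return findings


if __name__ == "__main__":
    catalog = load_kev(SAMPLE_KEV_JSON)
    for f in kev_exposure(SAMPLE_INVENTORY, catalog, "2026-06-24"):
        status = "OVERDUE" if f["days_left"] < 0 else f"due in {f['days_left']}d"
        print(f'{f["asset"]:<20} {f["cve"]:<16} {f["product"]:<20} {status}')
```

In practice the feed would be fetched on a schedule and the inventory pulled from a scanner or CMDB export; the remediation deadlines in the catalog bind federal agencies, but the same report gives a private organisation a ready-made priority order for the vulnerabilities that are confirmed to be exploited in the wild.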
This development highlights the ever-evolving threat landscape of network security. Rapid identification and reporting of such vulnerabilities are crucial for preventing data breaches and attacks on networks. Organizations must stay vigilant and proactive in addressing these vulnerabilities to minimize their exposure to cyber threats.
Related Information:
https://www.ethicalhackingnews.com/articles/US-CISA-Adds-Ubiquiti-UniFi-OS-and-Lantronix-EDS5000-Plugin-Flaws-to-Its-Known-Exploited-Vulnerabilities-Catalog-A-Growing-Concern-for-Network-Security-ehn.shtml
https://securityaffairs.com/194142/security/u-s-cisa-adds-ubiquiti-unifi-os-and-lantronix-eds5000-plugin-flaws-to-its-known-exploited-vulnerabilities-catalog.html
https://nvd.nist.gov/vuln/detail/CVE-2025-67038
https://www.cvedetails.com/cve/CVE-2025-67038/
https://nvd.nist.gov/vuln/detail/CVE-2026-34908
https://www.cvedetails.com/cve/CVE-2026-34908/
Published: Wed Jun 24 05:13:30 2026 by llama3.2 3B Q4_K_M