CISA Flags Four Already-Exploited Bugs in Ubiquiti and Lantronix Gear. Agencies Have Until Friday.
Three maximum-severity UniFi OS flaws that chain to root, plus a root command injection in EDS5000 converters. All four are n-day bugs being exploited after patches shipped.

Janet Torvalds
June 26, 2026

CISA added four security flaws to its Known Exploited Vulnerabilities catalog on June 23, and gave federal agencies until June 26 to fix them. That is three days. The flaws sit in two kinds of boxes most people never think about: Ubiquiti UniFi OS gear, the networking equipment in a lot of small offices and home labs, and Lantronix EDS5000 serial-to-IP converters, the unglamorous adapters that put old serial equipment on a network in factories and utilities.
All four are already being exploited. CISA does not add anything to this list on a hunch. A vulnerability lands there when the agency has evidence it is being attacked in the real world.
The Lantronix bug is a textbook command injection
Start with the Lantronix flaw, CVE-2025-67038, because it is the kind of bug that should not exist in 2026. CVSS 9.8.
Here is the mechanism. When a login fails on an EDS5000, the device's HTTP RPC module writes a log entry, and to do that it runs a shell command. The username you typed gets pasted straight into that command. From the CVE description: "The username is directly concatenated with the command without any sanitization." So you put operating system commands in the username field instead of a name, and the box runs them. "Injected commands are executed with root privileges."
That is it. No memory corruption, no exploit chain, no race condition. You type a command where a name goes, and it runs as root. Forescout's Vedere Labs disclosed it in April as part of a batch of serial-to-IP converter bugs they called BRIDGE:BREAK. Lantronix shipped a fix. The exposed firmware is 2.1.0.0R3, and the patched build is 2.2.0.0R1.
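To make the mechanism concrete for anyone reviewing their own code, here is an added example in Python that is not from the article, the CVE record, Forescout or Lantronix. It contrasts the pattern the CVE text describes (a username concatenated into a shell command string, returned here rather than executed so it can be inspected) with two hardened forms: an allowlist check on the username, and an argument-vector call in which no shell ever parses the input. The `logger` tag, the regular expression, the `run` parameter and the sample usernames are all constructed for illustration.

```python
import logging
import re
import subprocess
from typing import Callable, List

# Conservative allowlist for login names (an assumption, not the device's policy).
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def vulnerable_log_command(username: str) -> str:
    """The flawed pattern: the username is pasted straight into a shell
    command string. Returned, never executed. A shell would treat a ';'
    or a stray quote inside the username as command syntax."""
    return "logger -t rpc 'failed login for " + username + "'"


def is_valid_username(username: str) -> bool:
    """Allowlist validation, applied before the name reaches any logging path."""
    return USERNAME_RE.fullmatch(username) is not None


def safe_log_argv(username: str) -> List[str]:
    """Argument-vector form: each list element reaches the logger binary as one
    literal argument, so shell metacharacters in the username have no meaning."""
    return ["logger", "-t", "rpc", "failed login for " + username]


def log_failed_login(username: str, run: Callable = subprocess.run) -> bool:
    """Hardened handler. Rejects names outside the allowlist (logging only the
    fact of rejection, not the raw input), otherwise hands a fixed argv to
    subprocess with shell=False. Returns True when a log entry was attempted."""
    if not is_valid_username(username):
        logging.getLogger("rpc").warning("failed login; username rejected by allowlist")
        return False
    run(safe_log_argv(username), shell=False, check=False)
    return True


if __name__ == "__main__":
    # Dry run: print the argv instead of invoking the system logger.
    show = lambda argv, **kw: print("would exec:", argv)
    for name in ("alice", "alice; echo injected"):          # constructed inputs
        print("vulnerable string:", vulnerable_log_command(name))
        print("accepted:", log_failed_login(name, run=show))
```

The rejection path deliberately logs a fixed message rather than the submitted name, so the logging code cannot become a second sink for the same untrusted value.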
The Ubiquiti flaws chain to root with no login
The other three, CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910, are all maximum severity, and they are more interesting because they only get dangerous when you use them together. There is an input-validation flaw that allows command injection, a path traversal bug (CVE-2026-34909) that reads files off the underlying system, and an access-control bypass that lets an unauthenticated attacker change the system. Individually, annoying. Linked in sequence, they hand over the device.
Bishop Fox demonstrated exactly that. The firm published a proof-of-concept that chains the three into a reverse shell with full root, in a single request, with no authentication. Ubiquiti patched all three late last month. After that, Defused Cyber reported seeing the chain used in the wild to drop commodity malware, which is the point at which CISA put it on the list.
UniFi OS gear is usually wired into the center of whatever network it is on, so a box that gets popped is rarely the end of it. Belgium's Centre for Cybersecurity put the consequence plainly: "successful compromise could enable lateral movement and broader network compromise."
These are n-day bugs, not zero-days
Worth being precise about what this is and is not. Every one of these four had a patch available before it showed up on the exploited list. Lantronix and Ubiquiti both shipped fixes weeks ago. The attacks came after. That is the n-day pattern: a vendor publishes a fix, attackers read the fix to understand the bug, and then they go hunting for the large number of devices that never got updated. Network appliances and industrial adapters are exactly the gear that sits on a shelf running whatever firmware it shipped with.
What CISA has not said is who is doing the exploiting or how widely. The "use in ransomware campaigns" field is marked Unknown for all four. So this is not a reason to panic, and nobody has tied it to a named group. It is a reason to patch the specific versions, today if you run them.
If you manage UniFi gear, Bishop Fox also published a free detection script that finds vulnerable instances. The three-day federal clock is a compliance deadline for government agencies, but the exploitation it is responding to does not check whether you work for the government.
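The n-day pattern means the practical question for most operators is whether their inventory still carries the exposed firmware. As an added example that is not from the article or from Lantronix, the Python below parses EDS5000-style firmware strings such as `2.1.0.0R3` into comparable tuples and flags inventory entries below the patched build named in the article (`2.2.0.0R1`). The assumption that the `R` suffix is a release counter ordered after the dotted numeric part is mine, as are the inventory format and the sample hostnames; entries that do not parse are reported for manual review rather than silently skipped.

```python
import re
from typing import List, Tuple

# From the article: exposed build 2.1.0.0R3, patched build 2.2.0.0R1.
PATCHED_EDS5000 = "2.2.0.0R1"

# Dotted numeric version followed by an 'R' release counter (assumed scheme).
VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)R(\d+)$")


def parse_firmware(version: str) -> Tuple[Tuple[int, ...], int]:
    """Turn '2.1.0.0R3' into ((2, 1, 0, 0), 3). Raises ValueError on any
    string that does not fit the scheme, so callers cannot mistake an
    unparsable entry for a patched one."""
    m = VERSION_RE.fullmatch(version.strip())
    if not m:
        raise ValueError("unrecognised firmware string: %r" % version)
    numeric = tuple(int(part) for part in m.group(1).split("."))
    return numeric, int(m.group(2))


def is_below(version: str, minimum: str) -> bool:
    """True when `version` sorts before `minimum` under the assumed scheme."""
    return parse_firmware(version) < parse_firmware(minimum)


def flag_unpatched(inventory: List[Tuple[str, str]],
                   patched: str = PATCHED_EDS5000) -> Tuple[List[str], List[str]]:
    """Split an inventory of (hostname, firmware) pairs into hosts that need
    the fix and hosts whose firmware string could not be interpreted."""
    needs_patch, review = [], []
    for host, fw in inventory:
        try:
            if is_below(fw, patched):
                needs_patch.append(host)
        except ValueError:
            review.append(host)
    return needs_patch, review


# Constructed sample inventory for illustration.
SAMPLE_INVENTORY = [
    ("eds-plant-01", "2.1.0.0R3"),   # exposed build
    ("eds-plant-02", "2.2.0.0R1"),   # patched build
    ("eds-plant-03", "unknown"),     # never recorded; must be checked by hand
]

if __name__ == "__main__":
    needs, review = flag_unpatched(SAMPLE_INVENTORY)
    print("needs patch:", needs)
    print("manual review:", review)
```

Treating an unparsable version as "needs review" rather than "fine" is the detail that matters: the devices most likely to be missing from a tidy version list are the ones that have been on the shelf longest.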
Sources (4)
- CISA Adds Four Known Exploited Vulnerabilities to Catalog (www.cisa.gov)
- CISA Warns Critical Lantronix EDS5000 Flaw Is Being Actively Exploited (thehackernews.com)
- CISA warns of max severity Ubiquiti flaws exploited in attacks (www.bleepingcomputer.com)
- CVE-2025-67038 (www.cve.org)