CISA added four vulnerabilities affecting Ubiquiti UniFi OS and Lantronix EDS5000 devices to its Known Exploited Vulnerabilities catalog after reports of active exploitation. The Ubiquiti issues—CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910—are all rated CVSS 10.0 and were patched in UniFi OS Server version 5.0.8. Researchers said CVE-2026-34908 and CVE-2026-34909 involve an NGINX authentication gateway bypass that can be chained with CVE-2026-34910, an improper input validation flaw, to achieve unauthenticated command injection and unauthorized system changes. Users reported apparent zero-day exploitation that created rogue administrator accounts named "John Sim" during automated reconnaissance.
CISA also added CVE-2025-67038 in the Lantronix EDS5000, an HTTP RPC username sanitization flaw that can allow arbitrary OS command execution with root privileges. Because UniFi OS devices centrally manage network infrastructure, successful compromise could give attackers a path for broader lateral movement inside enterprise environments. CISA directed federal agencies to remediate the newly listed flaws under binding directives, with deadlines including June 26, 2026 for the affected systems, and urged organizations beyond government to review the KEV catalog and patch exposed devices promptly.

Forescout Research’s Vedere Labs reported that attackers exploited CVE-2025-67038 in Lantronix EDS5000 devices after a vendor patch was released but before public disclosure, suggesting likely patch reverse engineering. The researchers linked the activity to a broader cluster they track as Chaya_006 and described the behavior as targeted and automated.
Forescout publicly disclosed CVE-2025-67038 in April 2026 as part of its BRIDGE:BREAK research on 20 vulnerabilities affecting Lantronix and Silex serial-to-IP products. The research warned that flaws in this device class could enable command execution and disruption or manipulation in industrial and healthcare environments.
Bishop Fox reported that CVE-2026-34908 and CVE-2026-34909 involve an NGINX authentication gateway bypass using crafted requests. It said those flaws can be chained with CVE-2026-34910 to achieve unauthenticated command injection.
Users reported that the three critical UniFi OS vulnerabilities had already been exploited in the wild, likely as zero-days. The activity reportedly created rogue administrator accounts named "John Sim" and appeared to be automated reconnaissance.
Following the KEV additions, CISA directed federal agencies to remediate the affected systems under binding directives. One report says FCEB agencies were given a deadline of June 26, 2026, while another says agencies were ordered to patch the Ubiquiti flaws within three days.
CISA added CVE-2026-34908, CVE-2026-34909, CVE-2026-34910, and CVE-2025-67038 to its Known Exploited Vulnerabilities catalog, citing evidence of active exploitation. The additions cover Ubiquiti UniFi OS and Lantronix EDS5000 devices.
Beazley Security reported that active exploitation of CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910 included Mirai/Gafgyt botnet activity targeting externally exposed UniFi OS web interfaces, especially on TCP 11443. The advisory said attackers chained the nginx authentication bypass with the package-update command injection flaw, then escalated to root through passwordless sudo rules on sensitive binaries such as dpkg.
Ubiquiti patched CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910 in UniFi OS Server version 5.0.8. SecurityWeek states the fixes were released on May 21, 2026.
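The Beazley write-up above describes the post-exploitation step that turns a command-injection foothold into root: a sudo rule that lets a low-privileged account run a package tool such as dpkg without a password. The script below is an added example for this page (not Beazley's, Ubiquiti's, or CISA's code) that parses a sudoers policy and flags passwordless rules on binaries that can be abused to run code as root. The policy text, the user names, and the list of escalation-capable binaries are constructed for illustration and are not taken from any UniFi OS build; the dpkg entry simply mirrors the pattern the advisory describes.

```python
"""Audit a sudoers policy for passwordless rules on binaries that yield root.

Added example: the sample policy and binary list below are constructed for
illustration and are not captured from any UniFi OS or Lantronix device.
"""
import re
from dataclasses import dataclass

# Binaries whose NOPASSWD sudo rule can be turned into arbitrary code as root
# (dpkg/apt run maintainer scripts, tar/vim/less can spawn a shell).
# Assumption: an illustrative list, not a vendor-published one.
ESCALATION_BINARIES = {"dpkg", "apt", "apt-get", "tar", "vim", "less"}

# user  host = (runas) TAG: cmd, cmd  (host and runas are optional details we skip)
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+\S+\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+)$"
)


@dataclass(frozen=True)
class SudoRule:
    user: str
    runas: str
    nopasswd: bool
    commands: tuple


def parse_sudoers(text):
    """Return the user-specification rules found in a sudoers policy."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line or line.startswith(("Defaults", "Cmnd_Alias", "User_Alias",
                                        "Host_Alias", "Runas_Alias", "@")):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = m.group("tags") or ""
        cmds = tuple(c.strip() for c in m.group("cmds").split(","))
        rules.append(SudoRule(m.group("user"),
                              (m.group("runas") or "root").strip(),
                              "NOPASSWD:" in tags,
                              cmds))
    return rules


def find_escalation_paths(rules):
    """Return (user, command, reason) for every passwordless rule that gives root."""
    findings = []
    for r in rules:
        if not r.nopasswd:
            continue
        for cmd in r.commands:
            if cmd == "ALL":
                findings.append((r.user, cmd, "unrestricted passwordless root"))
                continue
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            if binary in ESCALATION_BINARIES:
                findings.append((r.user, cmd,
                                 f"{binary} can be abused to run code as {r.runas}"))
    return findings


# Constructed sample policy for this example; not captured from any device.
SAMPLE_SUDOERS = """\
Defaults env_reset
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
# Passwordless package-tool rule of the kind the escalation relies on
svcuser ALL=(root) NOPASSWD: /usr/bin/dpkg -i *, /bin/systemctl restart unifi
svcuser ALL=(root) /usr/bin/apt-get update
www-data ALL=(ALL) NOPASSWD: ALL
"""

if __name__ == "__main__":
    for user, cmd, reason in find_escalation_paths(parse_sudoers(SAMPLE_SUDOERS)):
        print(f"{user}: {cmd} -> {reason}")
```

Run it against the output of `sudo cat /etc/sudoers /etc/sudoers.d/*` from a device you administer; any hit on a web-facing service account is the same root path the advisory describes and should be removed or constrained to a password-required, fully-qualified command.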
Sources:
itpro.com
securityweek.com
cysecurity.news
thehackernews.com
labs.beazley.security
bleepingcomputer.com
cisa.gov
cve.org