CISA warns of max-severity Ubiquiti flaws exploited in attacks


Source URL: www.bleepingcomputer.com/news/secu…
CISA added actively exploited vulnerabilities affecting Ubiquiti UniFi OS and Lantronix EDS5000 serial-to-Ethernet servers to its Known Exploited Vulnerabilities catalogue and, under BOD 26-04, directed U.S. federal agencies to apply available updates or vendor-recommended mitigations within three days. The Ubiquiti flaws include an access-control bypass, a directory (path) traversal, and improper input validation that could enable command execution; researchers have shown the issues can be chained for full remote code execution on vulnerable UniFi OS devices. The Lantronix issue, CVE-2025-67038, is a critical root-level command-injection flaw in the HTTP RPC module. For organizations running these products, urgent patching, a review of which devices are exposed, and compensating controls are appropriate.

Edward Kiledjian @ekiledjian