CISA adds Lantronix EDS5000, UniFi OS CVEs to KEV
Three entries hit the same UniFi OS line, which makes this a platform exposure problem for federal networks.
TL;DR
CISA added CVE-2025-67038 in Lantronix EDS5000 and three Ubiquiti UniFi OS flaws, CVE-2026-34908, CVE-2026-34909 and CVE-2026-34910, to the Known Exploited Vulnerabilities (KEV) Catalog. Binding Operational Directive (BOD) 26-04 requires Federal Civilian Executive Branch (FCEB) agencies to prioritize rapid remediation of high-risk KEV items on publicly exposed assets; the alert gives no item-specific deadline. Contractors, managed service providers and Cybersecurity Maturity Model Certification (CMMC) third-party assessors supporting federal environments should triage UniFi OS first.
CISA’s June 23 alert is a short Known Exploited Vulnerabilities (KEV) update with one useful signal: three of the four entries hit Ubiquiti UniFi OS. The additions are CVE-2025-67038, a code injection vulnerability in Lantronix EDS5000, plus three UniFi OS flaws: improper access control (CVE-2026-34908), path traversal (CVE-2026-34909) and improper input validation (CVE-2026-34910). CISA says each was added based on evidence of active exploitation. For Federal Civilian Executive Branch (FCEB) agencies, Binding Operational Directive (BOD) 26-04 requires rapid remediation of high-risk CVEs in KEV on publicly exposed assets where exploitation grants total control of the affected asset. The alert says BOD 26-04 applies only to FCEB agencies and gives no CVE-specific remediation deadline. Contractors, managed service providers and Cybersecurity Maturity Model Certification (CMMC) third-party assessors still have the practical Monday job: find exposed UniFi OS and Lantronix EDS5000 assets, patch or mitigate, and keep proof ready for federal customers.
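As an added example (not CISA's or either vendor's tooling), the small Python triage helper below does the Monday job the alert describes: it indexes a KEV feed by vendor and product, matches it against an asset inventory, puts publicly exposed matches first because that is the BOD 26-04 scope, and counts entries per platform so a cluster like UniFi OS stands out. The feed and inventory are constructed samples in the shape of CISA's KEV JSON; the host names, the `public` flag and the placeholder vulnerability names are assumptions.

```python
"""Triage CISA KEV entries against an asset inventory (added example)."""
import json

# Constructed sample in the shape of CISA's KEV JSON feed. Only the CVE IDs,
# vendors and products come from the alert; vulnerabilityName is placeholder text.
KEV_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2025-67038", "vendorProject": "Lantronix", "product": "EDS5000",
     "vulnerabilityName": "Code injection (placeholder wording)"},
    {"cveID": "CVE-2026-34908", "vendorProject": "Ubiquiti", "product": "UniFi OS",
     "vulnerabilityName": "Improper access control (placeholder wording)"},
    {"cveID": "CVE-2026-34909", "vendorProject": "Ubiquiti", "product": "UniFi OS",
     "vulnerabilityName": "Path traversal (placeholder wording)"},
    {"cveID": "CVE-2026-34910", "vendorProject": "Ubiquiti", "product": "UniFi OS",
     "vulnerabilityName": "Improper input validation (placeholder wording)"},
]})

# Constructed inventory; "public" marks assets reachable from the internet.
INVENTORY = [
    {"host": "unifi-gw-01", "vendor": "Ubiquiti", "product": "UniFi OS", "public": True},
    {"host": "unifi-nvr-02", "vendor": "Ubiquiti", "product": "UniFi OS", "public": False},
    {"host": "eds-serial-03", "vendor": "Lantronix", "product": "EDS5000", "public": True},
    {"host": "printer-04", "vendor": "Acme", "product": "PrintBox", "public": False},
]


def kev_by_product(feed_text):
    """Index KEV CVE IDs by (vendor, product), compared case-insensitively."""
    index = {}
    for entry in json.loads(feed_text)["vulnerabilities"]:
        key = (entry["vendorProject"].lower(), entry["product"].lower())
        index.setdefault(key, []).append(entry["cveID"])
    return index


def triage(feed_text, inventory):
    """Match assets to KEV entries; exposed assets are P1 (BOD 26-04 scope), others P2."""
    index = kev_by_product(feed_text)
    findings = []
    for asset in inventory:
        key = (asset["vendor"].lower(), asset["product"].lower())
        for cve in index.get(key, []):
            findings.append({"host": asset["host"], "cve": cve,
                             "priority": "P1" if asset["public"] else "P2"})
    findings.sort(key=lambda f: (f["priority"], f["host"], f["cve"]))
    return findings


def platform_exposure(feed_text):
    """Count KEV entries per platform so a line with several active CVEs stands out."""
    return {f"{vendor} {product}": len(cves)
            for (vendor, product), cves in kev_by_product(feed_text).items()}


if __name__ == "__main__":
    print(platform_exposure(KEV_FEED))
    for finding in triage(KEV_FEED, INVENTORY):
        print(finding["priority"], finding["host"], finding["cve"])
```

The sorted finding list doubles as the remediation worklist and, once an action and timestamp are appended per row, as the proof record federal customers ask for.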
Published · Deep Fathom