A new focus on network infrastructure devices has been drawn after the U.S. Cybersecurity and Infrastructure Security Agency (CISA) flagged several security vulnerabilities in Ubiquiti's UniFi OS platform. Following evidence of active exploitation, the KEV catalog was updated to include these vulnerabilities.
Among the identified vulnerabilities are access control bypass, path traversal, and command injection vulnerabilities, which researchers warn can provide attackers with direct access from unauthenticated access to a complete system compromise. With UniFi OS widely deployed across enterprise, government, and service provider environments to manage networking equipment, the vulnerabilities present a significant threat to administrative control planes and sensitive operational information.
In the latest CISA alert, researchers have demonstrated that Internet-exposed management interfaces present an increased threat, as researchers have demonstrated how these flaws may be chained together to facilitate privileged remote code execution. In response, federal agencies and organizations are urging them to expedite remediation efforts before further exploitation activity occurs.
Inclusions of the KEVs are based on three distinct vulnerabilities that affect UniFi OS, when combined, significantly increases the attack surface of exposed deployments. In this vulnerability, unauthenticated actors have the capability to alter system settings and administrative configurations without authorization as a result of an access control bypass weakness.
The CVE-2026-4909 vulnerability exposes a path traversal condition that is capable of exposing underlying operating system files, potentially revealing credentials, configuration data, and other sensitive information that can be used to carry out further intrusions. As a result of an improper input validation attack, CVE-2026-34910 can be exploited to execute arbitrary operating system commands on targeted devices.
All three vulnerabilities were addressed by Ubiquiti through security updates released in May, noting that exploiting the vulnerabilities does not require prior authorization or elevated privileges, making timely patch deployment critical for organizations using UniFi infrastructure.
Following the analysis, Bishop Fox security researchers have demonstrated that these vulnerabilities are not isolated risks but can be chained together to permit remote code execution on affected systems using privileged privileges.
Using their findings, attackers were able to gain complete control over vulnerable UniFi OS instances by gaining initial unauthorized access, demonstrating how severe this vulnerability is in real-world environments.
Additionally, the researchers published a detection utility to assist defenders in identifying and remediating vulnerable deployments across enterprise networks on GitHub.
In conjunction with the CISA alert, active exploitation concerns have also been raised regarding CVE-2025-67038, a critical root-level command injection vulnerability on Lantronix EDS5000 servers using firmware version 2.1.0.0R3 of Lantronix servers.
Shell commands are invoked as part of the mechanism used to record failed authentication attempts within the device's HTTP RPC component, where the flaw occurs.
During the process of handling user input, improper handling could lead to command injection, making it possible for attackers to execute arbitrary commands with root privileges on the affected system.
By adding the UniFi OS flaws to CISA's Known Exploited Vulnerabilities catalog, the vulnerabilities fall under the remediation requirements of Binding Operational Directive 22-01. According to this directive, federal civilian agencies are required to remediate actively exploited vulnerabilities within prescribed timelines in order to reduce operational risk.
A response has been provided by CISA, which has ordered that agencies rectify CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910 by June 26, 2026, while also recommending that organizations in the private sector evaluate their environments against the KEV catalog and prioritize exposed systems that could be exploited in ongoing attacks.
However, reports emerging from community forums and Reddit discussions suggest that threat actors may have weaponized the vulnerabilities before they were disclosed, even though Ubiquiti's security advisories did not explicitly refer to active exploitation.
Researchers believe that rogue accounts were unexpectedly created by administrators using the username “John Sim,” a process researchers believe might have been linked to automated reconnaissance operations targeting unattended UniFi deployments that were accessible via the internet.
The Bishop Fox team conducted a technical analysis of CVE-2026-34908 and CVE-2026-34909 and determined that they could be used as part of an authentication gateway bypass resulting from inconsistencies in the way NGINX interprets specially crafted requests. Through the submission of requests that appear to target authentication-exempt routes, but which normalize into protected internal endpoints, attackers may be able to access backend services normally required to log in.
Research indicates that the bypass can be exploited to trigger CVE-2026-34910, a command injection flaw associated with improper validation of package names during update operations. The researchers validated the bypass against UniFi OS 5.0.6 test environments.
Using shell metacharacters inserted in crafted package parameters and forcing execution through the affected code path, attackers may be able to execute operating system commands without authentication by enforcing shell metacharacters in the package parameters.
This issue goes beyond individual devices.
As outlined by the Centre for Cybersecurity Belgium, UniFi OS platforms provide visibility and control across switches, gateways, wireless networks, and connected assets, acting as central management systems for network infrastructure.
By successfully compromising a system, attackers may be able to harvest credentials, manipulate network configurations, intercept traffic, or advance laterally into broader enterprise environments.
The same urgency has also been applied to CVE-2025-67038, a critical unauthenticated command injection vulnerability affecting Lantronix EDS5000 devices with a CVSS score of 9.8.
Unpatched, the flaw, which was disclosed as part of BRIDGE:BREAK research that uncovered 22 vulnerabilities across Lantronix and Silex products, allows remote command execution with root privileges, posing a comparable risk of complete device compromise.
Among the steps CISA suggests to minimize exposure is following vendor-issued mitigation guidance, implementing an accelerated patch management procedure consistent with BOD 26-04 requirements, and maintaining sufficient logging to support forensic investigations when exploitation is suspected.
The directive requires agencies operating cloud-hosted UniFi environments to comply with cloud-specific provisions, or to discontinue affected services if remediation cannot be completed within the specified timeframe. CISA's latest action reminds us that once vulnerabilities affecting network management platforms become publicly available, they can rapidly transform from technical flaws into high-impact security incidents.
A critical safeguard for enterprise networks remains timely patching, exposure assessment, and continuous monitoring as threat actors continue to target infrastructure components. It is imperative for organizations relying on UniFi OS and other internet-facing management systems to take these findings seriously, ensuring that remediation efforts are paced at a rate that keeps pace with the speed at which attackers operationalize newly discovered vulnerabilities.
