Ubiquiti UniFi OS actively exploited access control bypass, traversal, and RCE flaws (multiple vulnerabilities)

Vulnerability · H score 43 · 1 unique source, 1 article

Summary

Ubiquiti UniFi OS now has three actively exploited CVEs that can let attackers make unauthorized changes, expose sensitive files, and reach remote code execution on vulnerable devices. CISA added CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910 to its Known Exploited Vulnerabilities catalog after warning of active abuse. Ubiquiti released fixes in May, and the flaws were described as remotely exploitable without privileges. Researchers at Bishop Fox later showed the issues could be chained into full system compromise, raising urgency for patching and mitigation.

Related Happenings

CISA updates KEV entry for CVE-2026-1731

Public Sector Action
H score 36 · First: 20.02.2026 17:45 · Last: 20.02.2026 17:45 · Sources: 1

About this happening: **CISA** updated its **KEV catalog** entry for **CVE-2026-1731**, confirming the flaw has been used in **ransomware campaigns** and elevating its government-tracked risk. The upda...

CISA adds four actively exploited flaws to KEV with FCEB deadlines

Public Sector Action
H score 35 · First: 13.02.2026 10:34 · Last: 13.02.2026 10:34 · Sources: 1

About this happening: CISA added **four vulnerabilities** to the **Known Exploited Vulnerabilities (KEV) catalog** after evidence of **active exploitation**, putting **FCEB agencies** on a forced remed...

Timeline

  1. 24.06.2026 17:35 · 2 articles

    CISA warns of active exploitation in Ubiquiti UniFi OS flaws and Lantronix EDS5000 servers

    Initial Disclosure

    CISA warns that hackers are actively exploiting three Ubiquiti UniFi OS CVEs (CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910) and CVE-2025-67038 on Lantronix EDS5000 serial-to-ethernet servers. Under BOD 26-04, federal agencies have three days to apply available security updates or vendor-recommended mitigations. Ubiquiti says fixes for the three UniFi OS flaws were released in May, and Lantronix recommends upgrading EDS5000 to 2.2.0.0R1. Bishop Fox later showed the Ubiquiti flaws can be chained for full remote code execution with elevated privileges.