# CISA KEV Alert: Four Actively Exploited Vulnerabilities Demand Immediate Action
Lantronix EDS5000 and Ubiquiti UniFi OS flaws are in active exploitation — here's what your security team must do in the next 30 days
Published 2026-06-24
On June 23, 2026, CISA updated its Known Exploited Vulnerabilities (KEV) Catalog with four new entries — including a code injection flaw in Lantronix EDS5000 and three separate weaknesses in Ubiquiti UniFi OS — all confirmed as active attack vectors against real-world targets.
## What the Advisory Actually Says
CISA's KEV Catalog is not a theoretical watchlist. Every entry represents a vulnerability with confirmed, evidence-based active exploitation. The four additions are:
- CVE-2025-67038 — Lantronix EDS5000 Code Injection Vulnerability
- CVE-2026-34908 — Ubiquiti UniFi OS Improper Access Control Vulnerability
- CVE-2026-34909 — Ubiquiti UniFi OS Path Traversal Vulnerability
- CVE-2026-34910 — Ubiquiti UniFi OS Improper Input Validation Vulnerability
Under Binding Operational Directive (BOD) 26-04, federal civilian agencies are legally required to remediate KEV entries within defined deadlines. But the operational reality is broader: these same device families — serial device servers and network infrastructure controllers — are deployed widely across critical infrastructure, healthcare, finance, and enterprise environments.
Lantronix EDS5000 devices are commonly used for OT/IoT serial-to-IP bridging. Ubiquiti UniFi OS underpins a massive installed base of enterprise Wi-Fi, switching, and gateway hardware. A path traversal or improper access control flaw on a network controller is not a minor inconvenience — it is a potential pivot point into your entire internal network.
## Why This Matters Beyond Federal Networks
If your organization operates under NIS2, SOC 2, ISO 27001, HIPAA, or PCI DSS, active KEV entries on your network create direct compliance exposure:
- NIS2 requires essential and important entities to apply security patches without undue delay and to report significant incidents within 24–72 hours.
- SOC 2 auditors will scrutinize vulnerability management timeliness — an unpatched KEV entry during an audit window is a finding.
- ISO 27001:2022 Annex A.8.8 mandates management of technical vulnerabilities; KEV entries set the bar for what "known" means.
- PCI DSS v4.0 Requirement 6.3 requires organizations to protect all system components from known vulnerabilities by installing applicable security patches.
- HIPAA Security Rule risk analysis obligations require covered entities to assess and remediate threats to ePHI — network infrastructure flaws qualify.
Ignoring a KEV entry is no longer a defensible position under any of these frameworks.
## What Your Team Should Do in the Next 7–30 Days
Within 7 days:
- Audit your asset inventory for Lantronix EDS5000 devices and any Ubiquiti UniFi OS-based hardware (controllers, gateways, switches).
- Isolate affected devices from sensitive network segments where patching cannot be immediate.
- Check vendor advisory pages for available patches and apply them under your emergency change process.
Within 30 days:
- Run a full vulnerability scan against your network perimeter and internal segments and cross-reference results against the full KEV Catalog.
- Document remediation actions with timestamps — this evidence is essential for NIS2 incident logs, SOC 2 evidence packages, and PCI DSS assessments.
- Update your risk register and formally close or accept (with sign-off) each KEV-related finding.
- Review your detection rules to ensure your SIEM or SOC tooling is alerting on exploitation indicators related to these CVE classes.
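The inventory audit and KEV cross-reference steps above can be scripted. The following is an added example, not code from the original post or from any vendor's tooling: it matches a constructed asset inventory against a constructed excerpt shaped like CISA's KEV JSON feed (the feed's real field names are used; the hostnames, product strings and dueDate values are placeholders) and reports how many days remain before each deadline.

```python
from datetime import date

# Constructed excerpt shaped like CISA's KEV JSON feed (the real feed's top-level
# key is "vulnerabilities" and the field names below match it). The dueDate
# values are placeholders for this example, not CISA's actual deadlines.
KEV_FEED = {"vulnerabilities": [
    {"cveID": "CVE-2025-67038", "vendorProject": "Lantronix", "product": "EDS5000",
     "vulnerabilityName": "Lantronix EDS5000 Code Injection Vulnerability",
     "dateAdded": "2026-06-23", "dueDate": "2026-07-14"},
    {"cveID": "CVE-2026-34908", "vendorProject": "Ubiquiti", "product": "UniFi OS",
     "vulnerabilityName": "Ubiquiti UniFi OS Improper Access Control Vulnerability",
     "dateAdded": "2026-06-23", "dueDate": "2026-07-14"},
    {"cveID": "CVE-2026-34909", "vendorProject": "Ubiquiti", "product": "UniFi OS",
     "vulnerabilityName": "Ubiquiti UniFi OS Path Traversal Vulnerability",
     "dateAdded": "2026-06-23", "dueDate": "2026-07-14"},
    {"cveID": "CVE-2026-34910", "vendorProject": "Ubiquiti", "product": "UniFi OS",
     "vulnerabilityName": "Ubiquiti UniFi OS Improper Input Validation Vulnerability",
     "dateAdded": "2026-06-23", "dueDate": "2026-07-14"},
]}

# Constructed asset inventory rows: (hostname, vendor, product string from the CMDB).
ASSETS = [
    ("ot-bridge-01", "Lantronix", "EDS5000"),
    ("unifi-ctl-01", "Ubiquiti", "UniFi OS (UDM-Pro)"),
    ("core-sw-01", "Cisco", "Catalyst 9300"),
]

def _norm(text):  # case-insensitive, whitespace-collapsed form for matching
    return " ".join(text.lower().split())

def match_assets(feed, assets, today_iso):
    """Pair each asset with every KEV entry whose vendor matches and whose product
    name appears in the CMDB product string; sorted by due date, with days left."""
    today = date.fromisoformat(today_iso)
    findings = []
    for host, vendor, product in assets:
        for entry in feed["vulnerabilities"]:
            if _norm(entry["vendorProject"]) != _norm(vendor):
                continue
            if _norm(entry["product"]) not in _norm(product):
                continue
            due = date.fromisoformat(entry["dueDate"])
            findings.append({"host": host, "cve": entry["cveID"],
                             "name": entry["vulnerabilityName"], "due": due,
                             "days_left": (due - today).days})
    return sorted(findings, key=lambda f: (f["due"], f["host"], f["cve"]))

if __name__ == "__main__":
    for f in match_assets(KEV_FEED, ASSETS, "2026-06-24"):
        print(f"{f['host']}: {f['cve']} due {f['due']} ({f['days_left']} days left)")
```

A negative `days_left` marks a finding that is already past its KEV due date; replace the two constructed tables with the live feed and your CMDB export to use it on real data.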
## Start a 14-Day Trial of RDS GoSOC AI — Every Feature Unlocked
RDS GoSOC AI maps your vulnerability and compliance posture across all 16 frameworks simultaneously — including NIS2, SOC 2, ISO 27001, HIPAA, and PCI DSS — so a single KEV alert automatically surfaces which controls are at risk across every framework you're accountable to. Start your 14-day free trial at platform.reremrdsgosoc.com/register — no credit card required, every paid feature fully unlocked from day one. Once inside, open the User Guide tab for a structured walkthrough, and ask Sage (the platform's AI assistant) any setup or compliance mapping question you have — it's built specifically for this kind of rapid-response scenario.