HackMyIP
2026-06-24 The Hacker News

CISA Warns of Active Exploitation of Critical Lantronix EDS5000 Flaw

Tags: Vulnerability, Threat Intel, Incident Response

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an urgent warning on Tuesday that a critical security flaw in Lantronix EDS5000 Series serial-to-IP converters is being actively exploited in the wild, giving Federal Civilian Executive Branch (FCEB) agencies until June 26, 2026, to apply patches. The vulnerability, tracked as CVE-2025-67038, carries a CVSS score of 9.8 (critical) and is a code injection flaw in the device's HTTP RPC module. According to the CVE description, the module concatenates the username parameter directly into a shell command without sanitization whenever authentication fails, so an attacker who places shell metacharacters in the username can run arbitrary OS commands with root privileges. Because the injection sits on the failed-authentication path, no valid credentials are needed to trigger it: a request that is meant to be rejected is exactly what carries the payload. The flaw was originally disclosed by Forescout Vedere Labs in April 2026 as part of the broader BRIDGE:BREAK research initiative targeting Lantronix and Silex serial-to-IP converters. Administrators of industrial or IoT networks should inventory their EDS5000 devices, confirm whether each device's web interface is reachable from untrusted networks, and patch or isolate any that are; where the devices keep failed-login records, entries with usernames that contain shell syntax are worth a closer look.
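The bug class the CVE description names, a username concatenated into a shell command on the failed-authentication path, looks like this in C. This is an added illustration, not Lantronix firmware: the function names, the command line and the use of /bin/echo as a stand-in for whatever the real HTTP RPC module invokes are all assumptions. The contrast it shows is between handing the assembled string to /bin/sh and exec'ing a fixed program with an argv after an allowlist check.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Added example, not Lantronix code. /bin/echo is an assumed stand-in for
 * whatever the real module runs; it is used so the effect of the injected
 * input shows up in the captured output. */

/* Run argv[0] with argv, capture its stdout into out. Returns 0 on a clean
 * exit, -1 otherwise. No shell is involved unless argv itself names one. */
static int run_capture(char *const argv[], char *out, size_t out_len) {
    int fds[2];
    if (pipe(fds) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {                        /* child: stdout -> pipe, then exec */
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]);
        close(fds[1]);
        execv(argv[0], argv);
        _exit(127);                        /* only reached if execv fails */
    }
    close(fds[1]);                         /* parent: read what the child wrote */
    ssize_t n = read(fds[0], out, out_len - 1);
    out[n < 0 ? 0 : n] = '\0';
    close(fds[0]);
    int status = 0;
    waitpid(pid, &status, 0);
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

/* VULNERABLE: the username is spliced into a command line that /bin/sh then
 * parses. A ';' in the username ends the intended command and starts a second
 * one, which runs with the daemon's privileges (root, per the advisory). */
int log_auth_failure_vulnerable(const char *username, char *out, size_t out_len) {
    char cmd[512];
    snprintf(cmd, sizeof cmd, "/bin/echo auth-failure user=%s", username);
    char *argv[] = { "/bin/sh", "-c", cmd, NULL };
    return run_capture(argv, out, out_len);
}

/* Step 1 of the fix: exec a fixed program with an argv. No shell parses the
 * username, so ';', '|', '$(' and backticks are just bytes in one argument. */
int log_auth_failure_argv(const char *username, char *out, size_t out_len) {
    char msg[256];
    snprintf(msg, sizeof msg, "auth-failure user=%s", username);
    char *argv[] = { "/bin/echo", msg, NULL };
    return run_capture(argv, out, out_len);
}

/* Step 2 of the fix: allowlist. Anything a username does not need is rejected
 * in the request handler, before the value reaches any command at all. */
int username_is_safe(const char *username) {
    size_t len = strlen(username);
    if (len == 0 || len > 64)
        return 0;
    for (const char *p = username; *p != '\0'; p++) {
        unsigned char c = (unsigned char)*p;
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-' || c == '@'))
            return 0;
    }
    return 1;
}

/* HARDENED: allowlist first, argv exec second. Returns -2 for a rejected name. */
int log_auth_failure_safe(const char *username, char *out, size_t out_len) {
    if (!username_is_safe(username)) {
        snprintf(out, out_len, "rejected");
        return -2;
    }
    return log_auth_failure_argv(username, out, out_len);
}

int main(void) {
    /* Constructed payload: the ';' terminates the logging command. */
    const char *payload = "bob; /bin/echo INJECTED";
    char out[256];
    log_auth_failure_vulnerable(payload, out, sizeof out);
    printf("vulnerable -> %s", out);       /* second line "INJECTED" appears */
    log_auth_failure_argv(payload, out, sizeof out);
    printf("argv exec  -> %s", out);       /* one line, payload left inert */
    log_auth_failure_safe(payload, out, sizeof out);
    printf("hardened   -> %s\n", out);     /* "rejected" */
    return 0;
}
```

The argv step on its own already neutralizes the payload, which is the real fix; the allowlist is defence in depth so that a hostile value never reaches a log, a database or a later shell-out elsewhere in the firmware. Sanitizing by escaping quotes is deliberately not shown: it is the approach that keeps producing this bug class.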

In a related disclosure, CISA also confirmed active exploitation of three maximum-severity vulnerabilities in Ubiquiti UniFi OS devices, just days after researchers at Defused Cyber observed in-the-wild abuse of the remote code execution chain. The trio consists of CVE-2026-34908, an improper input validation flaw enabling command injection; CVE-2026-34909, a path traversal vulnerability that allows access to underlying system files; and CVE-2026-34910, an improper access control weakness permitting unauthorized system changes. Earlier this month, Bishop Fox published a proof-of-concept demonstrating that chaining all three flaws can yield a reverse shell with full root privileges in a single request. Ubiquiti released patches late last month, but many deployments remain unpatched. Organizations should confirm the UniFi OS version actually running on each controller rather than assuming updates were applied, and until the fix is in place keep the management interface off the internet and reachable only from trusted administrative networks; a TLS check on the interface says nothing about whether these flaws are present.

"The vulnerabilities could allow remote attackers to make unauthorized system changes, access sensitive files, disclose information, or execute arbitrary commands on vulnerable systems, highly impacting the confidentiality, integrity, and availability of targeted devices," Belgium's Centre for Cybersecurity (CCB) warned in its own advisory. Because UniFi OS appliances commonly serve as central management hubs across enterprise and SMB networks, a compromised controller is a ready pivot point: it already holds credentials for, and network reach into, the access points, switches and gateways it manages, so lateral movement and broader network takeover follow naturally. CISA has not yet attributed the active exploitation to any specific threat actor, and no technical details on the Lantronix attacks have been released. Defenders are advised to audit administrative credentials on both product families, segment management networks from user and production traffic, and review every remotely reachable management interface for default accounts, unnecessarily exposed services and weak authentication paths that would let an initial foothold turn into further abuse.

Source: The Hacker News
