CISA Adds Four Actively Exploited Vulnerabilities to KEV Catalog (CVE‑2025‑67038, CVE‑2026‑34908‑34910) – Immediate Risk to Network Devices
What It Is — The Cybersecurity and Infrastructure Security Agency (CISA) has placed four CVEs into its Known Exploited Vulnerabilities (KEV) Catalog, confirming that threat actors are actively exploiting these flaws in publicly‑exposed assets.
Exploitability — All four vulnerabilities have documented evidence of live exploitation; no public proof‑of‑concept is required to demonstrate risk. CISA’s inclusion in the KEV catalog signals a high likelihood of successful compromise.
Affected Products —
- CVE‑2025‑67038 – Lantronix EDS5000 – Code Injection
- CVE‑2026‑34908 – Ubiquiti UniFi OS – Improper Access Control
- CVE‑2026‑34909 – Ubiquiti UniFi OS – Path Traversal
- CVE‑2026‑34910 – Ubiquiti UniFi OS – Improper Input Validation
Why It Matters for Compliance & Audit Readiness
- SOC 2 Control Mapping – These flaws map directly to CC6.1 (Vulnerability Management) and CC7.1 (System Operations); failure to remediate can be cited as a control deficiency during a SOC 2 audit.
- Continuous Evidence – Demonstrating timely patching and verification provides audit‑ready evidence that your organization is exercising due diligence on high‑risk assets.
- Enterprise Buyer Expectations – Federal agencies and large enterprises now reference the KEV catalog when evaluating vendors; showing a documented remediation process can be a decisive factor in winning contracts.
Recommended Actions
- Identify all Lantronix EDS5000 and Ubiquiti UniFi OS instances in your asset inventory.
- Prioritize patching of the four CVEs in accordance with CISA’s BOD 26‑04 risk‑based timeline.
- Capture remediation evidence (patch logs, configuration snapshots) in a tamper‑evident repository for SOC 2 audit review.
- Validate that the patches close the attack surface by conducting targeted penetration tests or vulnerability scans.
- Update your vulnerability‑management policy to reference the KEV catalog as a source of high‑priority findings.
Source: CISA Advisory – June 23 2026