Critical Access Control and Code Injection Flaws in Ubiquiti UniFi OS and Lantronix EDS5000 Added to CISA KEV Catalog
What Happened — The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added four vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog:
- CVE‑2025‑67038 – Lantronix EDS5000 code‑injection flaw (root‑level command execution).
- CVE‑2026‑34908 – Ubiquiti UniFi OS improper access‑control (critical, CVSS 10.0).
- CVE‑2026‑34909 – Ubiquiti UniFi OS path‑traversal issue.
- CVE‑2026‑34910 – Ubiquiti UniFi OS improper input validation leading to command injection (critical, CVSS 10.0).
Why It Matters for Compliance & Audit Readiness
- These flaws map directly to SOC 2 CC6.1 (Change Management) and CC7.1 (System Operations) controls; failure to remediate can be cited as a control deficiency during an audit.
- Continuous evidence of patching and configuration validation satisfies the “monitoring and evidence collection” requirement of a mature SOC 2 program.
- Demonstrating timely remediation aligns with CISA’s Binding Operational Directive 22‑01, providing defensible proof of due‑diligence for regulators and customers.
Who Is Affected – Enterprises that deploy Ubiquiti UniFi networking gear or Lantronix EDS5000 devices—common in technology SaaS firms, telecom providers, retail locations, and any organization with on‑premise network infrastructure.
Recommended Actions
- Inventory all UniFi OS and EDS5000 assets and verify firmware versions.
- Apply vendor‑released patches for CVE‑2026‑34908, CVE‑2026‑34909, CVE‑2026‑34910, and CVE‑2025‑67038 immediately.
- Map the remediation steps to SOC 2 control requirements (CC6.1, CC7.1) and capture patch‑status evidence in your compliance repository.
- Implement continuous vulnerability scanning and automated alerting for future KEV additions.
Source: SecurityAffairs
Technical Notes – The Lantronix flaw stems from unsanitized username parameters in the HTTP RPC module, leading to root‑level command injection. The Ubiquiti issues involve improper access control, path traversal, and input validation that enable remote attackers on the same network segment to execute arbitrary commands. No specific data exfiltration was reported, but the vulnerabilities grant full system control. Source: same as above