CISA Adds Four Known Exploited Vulnerabilities to Catalog
CISA added four vulnerabilities to its KEV catalog, including flaws in Lantronix EDS5000 and Ubiquiti UniFi OS, citing active exploitation.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added four new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation. The additions include CVE-2025-67038 affecting Lantronix EDS5000 series devices, and three Ubiquiti UniFi OS vulnerabilities: CVE-2026-34908 (improper access control), CVE-2026-34909 (path traversal), and CVE-2026-34910 (improper input validation). These flaws are being actively used by malicious cyber actors and pose significant risks to federal networks and critical infrastructure.
The Lantronix EDS5000 vulnerability (CVE-2025-67038) is a code injection flaw that could allow an attacker to execute arbitrary code on affected devices. The three Ubiquiti UniFi OS vulnerabilities are an improper access control flaw, a path traversal flaw, and an improper input validation flaw; together they allow unauthorized access to the device, reads or writes outside the intended directory, and unchecked input reaching the device's own components, with full device compromise as the potential outcome. CISA adds an entry to the KEV catalog only on evidence of exploitation in the wild, so inclusion means remediation is urgent rather than routine.
CISA's Binding Operational Directive (BOD) 26-04, issued earlier this year, requires Federal Civilian Executive Branch (FCEB) agencies to prioritize remediation of KEV-listed vulnerabilities on publicly exposed assets where exploitation would give an attacker full control of the asset. The directive moves federal vulnerability management from volume-based patching to risk-based prioritization, weighting evidence of exploitation over CVSS scores alone. Because a KEV-listed flaw is by definition already being exploited, agencies must also check affected systems for signs of compromise before applying patches: patching an already-compromised device closes the entry point but does not remove the intruder.
While BOD 26-04 applies only to FCEB agencies, CISA strongly encourages all organizations—including private sector, state and local governments, and critical infrastructure operators—to adopt similar risk-based approaches. The agency recommends immediate patching of these four vulnerabilities and continuous monitoring for signs of exploitation.
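The prioritization logic described above (KEV-listed flaw on an internet-facing asset first, KEV-listed flaw elsewhere next, everything else by scanner score, with a compromise check flagged before any KEV-related patch) is easy to apply mechanically against the catalog, which CISA publishes as a JSON feed at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json whose entries carry `cveID`, `vendorProject` and `product` fields among others. The script below is an added example, not CISA's tooling or anything from the article; the feed excerpt and the asset inventory in it are constructed for illustration (only the four CVE IDs named in the article are real; the `vulnerabilityName` strings, hostnames, and all scores are placeholders and are not the CVEs' published CVSS values), and `SCANNER-NON-KEV-*` are hypothetical scanner-local finding IDs, not CVEs.

```python
"""Triage a vulnerability-scan inventory against the CISA KEV catalog.

Added example. KEV_FEED mimics the shape of CISA's KEV JSON feed; INVENTORY
and every score are constructed for illustration only.
"""
from dataclasses import dataclass

# Constructed excerpt shaped like the KEV feed, using the four CVE IDs from the
# article. vulnerabilityName strings are placeholders; other catalog fields
# (dateAdded, dueDate, requiredAction, ...) are deliberately omitted.
KEV_FEED = {
    "vulnerabilities": [
        {"cveID": "CVE-2025-67038", "vendorProject": "Lantronix", "product": "EDS5000",
         "vulnerabilityName": "Lantronix EDS5000 Code Injection Vulnerability"},
        {"cveID": "CVE-2026-34908", "vendorProject": "Ubiquiti", "product": "UniFi OS",
         "vulnerabilityName": "Ubiquiti UniFi OS Improper Access Control Vulnerability"},
        {"cveID": "CVE-2026-34909", "vendorProject": "Ubiquiti", "product": "UniFi OS",
         "vulnerabilityName": "Ubiquiti UniFi OS Path Traversal Vulnerability"},
        {"cveID": "CVE-2026-34910", "vendorProject": "Ubiquiti", "product": "UniFi OS",
         "vulnerabilityName": "Ubiquiti UniFi OS Improper Input Validation Vulnerability"},
    ]
}


@dataclass(frozen=True)
class Finding:
    finding_id: str  # CVE ID, or a scanner-local ID when no CVE exists
    cvss: float      # constructed scanner score; NOT a published CVSS value


@dataclass(frozen=True)
class Asset:
    hostname: str
    internet_facing: bool
    findings: tuple  # tuple of Finding


# Constructed inventory. Scores are illustrative; SCANNER-NON-KEV-* are
# hypothetical finding IDs, not real CVEs.
INVENTORY = (
    Asset("unifi-console-dmz", True, (Finding("CVE-2026-34908", 7.5),
                                      Finding("CVE-2026-34909", 6.5),
                                      Finding("CVE-2026-34910", 7.2))),
    Asset("serial-gw-plant-03", False, (Finding("CVE-2025-67038", 8.8),)),
    Asset("build-server-07", True, (Finding("SCANNER-NON-KEV-1", 9.8),)),
    Asset("print-server-02", False, (Finding("SCANNER-NON-KEV-2", 5.3),)),
)


def load_kev_ids(feed: dict) -> frozenset:
    """Return the set of CVE IDs present in a KEV feed document."""
    return frozenset(v["cveID"] for v in feed["vulnerabilities"])


def triage(assets, kev_ids):
    """Order assets for remediation by exploit risk rather than CVSS alone.

    Tier 0: KEV-listed flaw on an internet-facing asset.
    Tier 1: KEV-listed flaw on an internal asset.
    Tier 2: no KEV match; ordered by the scanner's top score.
    Any asset with a KEV hit is flagged for a compromise check before patching,
    because the flaw is known to be exploited in the wild.
    """
    rows = []
    for asset in assets:
        kev_hits = sorted(f.finding_id for f in asset.findings if f.finding_id in kev_ids)
        top_score = max((f.cvss for f in asset.findings), default=0.0)
        if kev_hits and asset.internet_facing:
            tier = 0
        elif kev_hits:
            tier = 1
        else:
            tier = 2
        rows.append({
            "hostname": asset.hostname,
            "tier": tier,
            "internet_facing": asset.internet_facing,
            "kev_hits": kev_hits,
            "top_score": top_score,
            "check_for_compromise_first": bool(kev_hits),
        })
    rows.sort(key=lambda r: (r["tier"], -r["top_score"], r["hostname"]))
    return rows


def naive_cvss_order(assets):
    """The volume/score-based ordering the directive moves away from, for contrast."""
    return [a.hostname for a in
            sorted(assets, key=lambda a: -max((f.cvss for f in a.findings), default=0.0))]


if __name__ == "__main__":
    kev = load_kev_ids(KEV_FEED)
    for row in triage(INVENTORY, kev):
        print(row)
    print("CVSS-only order:", naive_cvss_order(INVENTORY))
```

Run against the constructed data, the KEV-aware ordering puts the exposed UniFi console and the internal Lantronix gateway ahead of the non-KEV host carrying the highest scanner score, which is exactly the inversion the directive intends; a CVSS-only sort would have patched that host first and left two actively exploited devices waiting.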
CISA continues to expand the KEV catalog as new threats emerge. Organizations aware of exploited vulnerabilities not yet listed can submit them via CISA's KEV Nomination Form, provided they have a CVE ID, evidence of exploitation, and clear mitigation guidance. The addition of these four vulnerabilities underscores the persistent threat posed by unpatched software and the importance of proactive vulnerability management.
This latest KEV update follows a pattern of CISA adding multiple vulnerabilities at once, often from diverse vendors. Previous additions this year have included flaws in Cisco, Google Chrome, Arista, Ivanti, and other products. The inclusion of both Lantronix and Ubiquiti products highlights the broad attack surface exposed by IoT and networking devices, which sit at the network edge, are frequently internet-facing, and are routinely targeted for initial access and then used as a foothold for lateral movement.
Organizations should prioritize patching these vulnerabilities, especially where the affected devices are internet-facing. Lantronix has firmware updates available for the EDS5000 series, and Ubiquiti has released fixed UniFi OS versions for the three CVEs. Review the vendor advisories for the exact fixed versions and apply the updates immediately; where a device cannot be updated promptly, take its management interface off the internet in the meantime, and treat any device that was exposed while unpatched as potentially compromised and examine it before trusting it again.