The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning of hackers actively exploiting flaws in Ubiquiti UniFi OS and Lantronix serial-to-ethernet servers.
According to the BOD 26-04 directive, federal agencies have three days to apply available security updates or vendor-recommended mitigations.
The Ubiquiti flaws that CISA added to its catalog of Known Exploited Vulnerabilities are:
CVE-2026-34908: an access control bypass flaw that allows an unauthenticated attacker to make unauthorized changes to a UniFi OS system, potentially leading to full system compromise.
CVE-2026-34909: a directory/path traversal vulnerability that allows an attacker to access sensitive files on the underlying operating system, potentially exposing configuration files, credentials, and other sensitive data that could facilitate account takeover.









