Exploited Ubiquiti UniFi OS and Lantronix Flaws Hit CISA KEV; Cisco CUCM and SD-WAN Bugs Under Active Attack

This brief covers the trailing ~48 hours (June 24–26, 2026). Every item below was verified against its primary source — CISA KEV alerts, vendor advisories, and original vendor research — with disclosure or exploitation activity confirmed inside the window.

Ubiquiti UniFi OS unauthenticated RCE chain exploited as zero-days, added to CISA KEV

CISA / Ubiquiti · June 23, 2026

CISA added three maximum-severity Ubiquiti UniFi OS flaws to its Known Exploited Vulnerabilities catalog: CVE-2026-34908 (improper access control, CVSS 10.0), CVE-2026-34909 (path traversal), and CVE-2026-34910 (improper input validation/command injection, CVSS 10.0). Chained together, they give a remote, unauthenticated, network-adjacent attacker code execution on UniFi OS devices. Ubiquiti shipped fixes in UniFi OS Server 5.0.8 on May 21 without acknowledging in-the-wild abuse, but users reported attacks that created rogue administrator accounts under the username “John Sim,” and BishopFox published an analysis of the unauthenticated RCE chain. CISA ordered federal agencies to patch by June 26 under BOD 26-04.

“We confirmed the bypass against a live [UniFi OS version] 5.0.6 virtual machine. Requests built this way reached internal backends that are supposed to require authentication.” — BishopFox

Source: CISA KEV alert; Ubiquiti Security Advisory Bulletin 064; BishopFox analysis; SecurityWeek
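The UniFi chain pairs a path-traversal bug with an access-control failure. The example below is an added illustration of that general class (normalize the request path before deciding whether it needs authentication); it is not Ubiquiti's code and does not reproduce the specific UniFi OS defect, whose mechanics the brief does not describe. The prefix policy, function names and request paths are assumptions.

```python
"""Normalize-before-authorize gate for a front-end proxy.

Added illustration of the traversal-plus-access-control class; it does not
reproduce the UniFi OS defect. Prefix lists and request paths are assumed."""
import posixpath
from urllib.parse import unquote

# Assumed routing policy: everything is protected except these prefixes.
PUBLIC_PREFIXES = ("/public/", "/static/")


def requires_auth_naive(raw_path: str) -> bool:
    """Weak gate: a prefix test on the raw request string. It answers
    'public' for anything that merely starts with a public prefix, even when
    dot-segments or percent-encoding make the backend see a different path
    once it normalizes."""
    return not raw_path.startswith(PUBLIC_PREFIXES)


def canonicalize_path(raw_path: str) -> str:
    """Return the single canonical form of a request path, or raise
    ValueError for input that should be rejected outright."""
    path = raw_path.split("?", 1)[0]        # drop the query string
    decoded = unquote(path)                 # decode percent-encoding exactly once
    if "%" in decoded:                      # still encoded: nested encoding, reject
        raise ValueError("nested percent-encoding")
    if "\x00" in decoded or "\\" in decoded:
        raise ValueError("forbidden character in path")
    if not decoded.startswith("/"):
        raise ValueError("path must be absolute")
    decoded = "/" + decoded.lstrip("/")     # collapse leading slashes
    norm = posixpath.normpath(decoded)      # resolves '.', '..' and '//'
    if decoded.endswith("/") and not norm.endswith("/"):
        norm += "/"                         # normpath strips the trailing slash
    return norm


def requires_auth_hardened(raw_path: str) -> bool:
    """Decide on the canonical path, and fail closed (require auth) whenever
    canonicalization rejects the input."""
    try:
        norm = canonicalize_path(raw_path)
    except ValueError:
        return True
    return not norm.startswith(PUBLIC_PREFIXES)


if __name__ == "__main__":
    for p in ("/public/css/site.css", "/public/../api/admin",
              "/public/%2e%2e/api/admin", "/api/users"):
        print(p, "naive:", requires_auth_naive(p),
              "hardened:", requires_auth_hardened(p))
```

The point to carry over from the brief is that the authorization decision and the backend must agree on what the path is; the gate must normalize with the same rules the backend applies (decoding, dot-segments, slash collapsing) or it will let requests through that the backend routes elsewhere.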

Lantronix EDS5000 command injection added to CISA KEV alongside the Ubiquiti flaws

CISA / Lantronix · June 23, 2026

CISA added CVE-2025-67038 (CVSS 9.8), an unauthenticated OS command-injection flaw in the Lantronix EDS5000 serial-to-IP converter, to the KEV catalog in the same update. The HTTP RPC module fails to sanitize the username parameter before concatenating it into a shell command used to log failed authentication attempts, allowing arbitrary OS commands to run with root privileges. The bug was originally disclosed in April as part of the BRIDGE:BREAK set of Lantronix and Silex vulnerabilities affecting OT and healthcare environments; it now carries the same June 26 federal patch deadline.

Source: CISA KEV alert; CVE.org record; SecurityWeek
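The Lantronix bug is the textbook case of an untrusted value (here a login name) concatenated into a shell command, in this instance one used only for logging. The example below is an added illustration, not Lantronix's code: it shows the vulnerable construction next to three hardening options (allowlist validation, an argv list with no shell, and quoting when a shell is unavoidable). The logger command line, log format and username policy are assumptions.

```python
"""Shell-command construction from an untrusted username: the vulnerable
pattern beside hardened alternatives.

Added example; not Lantronix's code. The logger command line, the log
format and the username policy are assumptions."""
import re
import shlex

# Assumed command the device would hand to /bin/sh after a failed login.
LOG_CMD_TEMPLATE = "logger -p auth.warning failed_login user={}"


def build_log_command_vulnerable(username: str) -> str:
    """Vulnerable pattern: the raw username is spliced into a shell command
    string. Any shell metacharacter in it (';', '|', '&', '$(', backticks)
    is interpreted by the shell, so the caller no longer controls what runs.
    The string is returned, not executed, so the defect is visible."""
    return LOG_CMD_TEMPLATE.format(username)


# Hardening 1: a strict allowlist on the value before it goes anywhere.
USERNAME_RE = re.compile(r"[A-Za-z0-9._@-]{1,64}")


def username_is_safe(username: str) -> bool:
    """Accept only the characters an account name needs; reject everything
    else instead of trying to strip or escape 'bad' ones."""
    return USERNAME_RE.fullmatch(username) is not None


# Hardening 2: never involve a shell. The list form is what you would pass
# to subprocess.run(argv) with shell=False; the username is one argument
# and its metacharacters are inert.
def logger_argv(username: str) -> list:
    return ["logger", "-p", "auth.warning", "failed_login user=" + username]


# Hardening 3: if a shell really is unavoidable, quote the untrusted value.
def build_log_command_quoted(username: str) -> str:
    return "logger -p auth.warning " + shlex.quote("failed_login user=" + username)


def log_failed_auth(username: str, sink: list) -> bool:
    """Record a failed login without any shell: validate first, then append
    a structured record to `sink` (stand-in for a log file or syslog).
    Returns False, logging a placeholder, when the name fails validation."""
    if not username_is_safe(username):
        sink.append("failed_login user=<rejected> len=%d" % len(username))
        return False
    sink.append("failed_login user=" + username)
    return True


if __name__ == "__main__":
    for name in ("alice", "bob;echo"):
        print("vulnerable:", build_log_command_vulnerable(name))
        print("argv      :", logger_argv(name))
        print("quoted    :", build_log_command_quoted(name))
```

Of the three, the argv form is the one to prefer: it removes the shell from the data path entirely, so no escaping rules need to be right. Validation on top of it limits what ends up in the log, which matters because log entries are themselves consumed by other tools.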

Cisco Unified CM WebDialer SSRF (CVE-2026-20230) seen exploited in the wild

Cisco / Defused Cyber · June 24, 2026

Researchers reported active exploitation of CVE-2026-20230 (CVSS 8.6), an unauthenticated server-side request forgery flaw in Cisco Unified Communications Manager that can be used to write files and ultimately escalate to root. Cisco previously rated the issue Critical and confirmed public proof-of-concept code; exploitation is only possible where the WebDialer service is enabled, which is off by default. Cisco PSIRT had not confirmed in-the-wild abuse, and the flaw was not yet listed in CISA KEV at the time of reporting. Cisco recommends disabling WebDialer until patches (14SU6, 15SU5/COP1) are applied.

“Over the weekend we observed exploitation of CVE-2026-20230 – Cisco Unified CM (CUCM) WebDialer SSRF → root file-write (CVSS 8.6)… This is currently being exploited from a single source using an unvetted PoC, with genuinely-formatted file:// file-write payloads landing on our decoys.” — Defused (@DefusedCyber)

Source: Cisco advisory; Security Affairs
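The decoy traffic Defused describes carries file:// payloads, which is the usual shape of an SSRF turned into a file write. The example below is an added illustration of the mitigation side, not Cisco's code and not a description of how WebDialer handles requests: a validator for outbound request targets that refuses non-HTTP schemes, URL credentials, loopback, private and link-local addresses, and names that do not resolve. The scheme policy, the constructed DNS table and the URLs are assumptions.

```python
"""Outbound-request target validation against SSRF.

Added example, not Cisco's code. Scheme policy, the fake DNS table and
the URLs are assumptions."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}   # file://, gopher://, ftp:// etc. are refused


def resolve_host(host: str) -> list:
    """Default resolver: every address the name maps to, as strings."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def is_allowed_target(url: str, resolver=resolve_host) -> bool:
    """True only if the URL uses an allowed scheme and every address it maps
    to is globally routable. Loopback, RFC 1918, link-local (which includes
    the 169.254.169.254 cloud metadata address), CGNAT and unresolvable
    names are all refused. Anything unparseable fails closed."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    host = parts.hostname
    if not host or parts.username is not None or parts.password is not None:
        return False                      # no empty host, no credentials in the URL
    try:
        addrs = [ipaddress.ip_address(host)]            # literal IP address
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolver(host)]
        except ValueError:
            return False
    return bool(addrs) and all(a.is_global for a in addrs)


# Constructed DNS table so the example runs offline.
FAKE_DNS = {
    "api.example.com": ["93.184.216.34"],
    "internal.corp": ["10.0.0.5"],
    "dual.example.com": ["93.184.216.34", "127.0.0.1"],   # mixed public/loopback answer
}


def fake_resolver(host: str) -> list:
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for u in ("https://api.example.com/v1", "file:///etc/hosts",
              "http://127.0.0.1:8443/", "http://169.254.169.254/latest/",
              "http://internal.corp/", "http://dual.example.com/"):
        print(u, "->", is_allowed_target(u, fake_resolver))
```

Two caveats belong with this check. First, the address validated here must be the address actually connected to; resolving again at fetch time reopens a DNS-rebinding window, so pass the checked IP to the HTTP client rather than the hostname. Second, redirects must be validated the same way, since a permitted public host can 302 to a loopback or metadata address.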

Mandiant: Cisco Catalyst SD-WAN zero-day (CVE-2026-20245) exploited months before disclosure

Google Mandiant / Cisco · June 25, 2026

Mandiant disclosed that an unknown threat actor exploited CVE-2026-20245 (CVSS 7.8) in Cisco Catalyst SD-WAN Manager as a zero-day at least two months before it was publicly disclosed. The flaw lets an authenticated attacker with netadmin privileges run arbitrary commands as root via a crafted file upload; attackers chained it with earlier authentication-bypass bugs (CVE-2026-20127, CVE-2026-20182) to reach netadmin in the first place. Mandiant observed intrusions against a communications service provider between late 2025 and March 2026, including creation of a rogue “troot” root account and extensive anti-forensic cleanup. Cisco has confirmed active exploitation and released fixes.

“In early 2026, Mandiant identified a threat actor targeting SD-WAN infrastructure at a service provider. After gaining initial access, the threat actor exploited a zero-day vulnerability (CVE-2026-20245) in Cisco Catalyst SD-WAN to escalate privileges from a compromised administrative account to root-level access.” — Mandiant

Source: Mandiant report; Cisco advisory; Security Affairs
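Both the UniFi and the SD-WAN intrusions left a rogue account behind (the "John Sim" administrator and the "troot" root account). Where a device exposes a Unix account database, the simplest durable detection is to diff it against an off-box baseline and to flag any UID-0 entry that is not root. The example below is an added detection routine, not Mandiant's or Cisco's tooling; the passwd contents are constructed, and only the "troot" name comes from the brief.

```python
"""Spot unexpected UID-0 accounts and account-set drift in /etc/passwd.

Added detection example, not Mandiant's or Cisco's tooling. The passwd
contents are constructed; only the 'troot' name comes from the brief."""

# Constructed baseline snapshot taken when the appliance was known-good.
BASELINE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
admin:x:1000:1000:admin:/home/admin:/bin/bash
"""

# Constructed current snapshot: a second UID-0 account has appeared.
CURRENT_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
admin:x:1000:1000:admin:/home/admin:/bin/bash
troot:x:0:0::/root:/bin/bash
"""


def parse_passwd(text: str) -> dict:
    """Map account name -> fields. Malformed lines raise, because a passwd
    file that does not parse is itself worth an alert."""
    accounts = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError("line %d: expected 7 fields, got %d" % (lineno, len(fields)))
        name, _pw, uid, gid, _gecos, home, shell = fields
        accounts[name] = {"uid": int(uid), "gid": int(gid), "home": home, "shell": shell}
    return accounts


def find_rogue_root_accounts(text: str, expected=("root",)) -> list:
    """Names with UID 0 that are not on the expected list."""
    return sorted(n for n, f in parse_passwd(text).items()
                  if f["uid"] == 0 and n not in expected)


def account_drift(baseline_text: str, current_text: str) -> dict:
    """Added and removed account names between two snapshots, plus existing
    accounts whose UID or login shell changed."""
    base = parse_passwd(baseline_text)
    cur = parse_passwd(current_text)
    changed = sorted(n for n in base.keys() & cur.keys()
                     if (base[n]["uid"], base[n]["shell"]) != (cur[n]["uid"], cur[n]["shell"]))
    return {"added": sorted(cur.keys() - base.keys()),
            "removed": sorted(base.keys() - cur.keys()),
            "changed": changed}


if __name__ == "__main__":
    print("rogue uid-0:", find_rogue_root_accounts(CURRENT_PASSWD))
    print("drift      :", account_drift(BASELINE_PASSWD, CURRENT_PASSWD))
```

In practice the baseline is captured at deployment and kept off the device, so that the anti-forensic cleanup Mandiant describes (which can reach on-box logs and history) has nothing to edit; the current snapshot is pulled on a schedule and both functions run on the collector.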

