Network Infrastructure Trifecta: Ubiquiti UniFi Under Active Threat

Three simultaneous KEV additions against Ubiquiti UniFi OS — CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910 — were all added June 23 with deadlines of June 26, now four days overdue. The combination of vulnerabilities here tells a coherent exploitation story that security teams should read as a probable chained attack path.

CVE-2026-34908 is an improper access control flaw enabling unauthorized system changes from the local network. CVE-2026-34909 is a path traversal vulnerability exposing underlying system files that can be manipulated to compromise accounts. CVE-2026-34910 is an improper input validation flaw enabling command injection. Individually, each is serious. Together, they form a plausible sequence: gain a foothold via access control bypass, traverse to credential material, then execute arbitrary commands. UniFi OS underpins a broad range of Ubiquiti network devices popular in mid-market enterprises, branch offices, and government facilities. Network-adjacent threat actors — including those with lateral movement footholds inside a perimeter — can exploit all three without external internet access. Patch UniFi OS to the vendor's current release immediately, audit device management plane exposure, and review recent configuration change logs for unauthorized activity.

Critical Infrastructure and Communications: Cisco UCM and Lantronix EDS5000

Two KEV entries this period target operational and communications infrastructure with high-impact primitives.

CVE-2026-20230 (Cisco Unified Communications Manager) was added June 25 with a deadline of June 28, now overdue. This SSRF vulnerability allows an unauthenticated attacker to write arbitrary files to the underlying OS, creating a reliable path to root-level privilege escalation. Cisco UCM and UCM SME are deployed broadly across federal agencies and large enterprises as core telephony infrastructure. An SSRF-to-file-write chain on an unauthenticated endpoint is a high-confidence pre-exploitation primitive — defenders should assume adversaries are already probing. Apply Cisco's patch, restrict web management interface access to trusted IP ranges, and review recent file system changes on affected hosts.

CVE-2025-67038 (Lantronix EDS5000) added June 23 with a deadline of June 26 addresses OS command injection through the username parameter, executed with root privileges. The EDS5000 is a device server used in OT and industrial environments to network-enable serial devices. Root-level code injection on OT-adjacent infrastructure is a critical-severity finding in any industrial control system context. If a vendor patch is unavailable or cannot be applied in the current operational window, isolate the device behind an OT-specific network segment with strict ACLs, disable any internet-facing management interfaces, and initiate vendor contact for compensating guidance per BOD 26-04.

Deadline Summary

| CVE | Product | Deadline | Status | |---|---|---|---| | CVE-2026-48558 | SimpleHelp | July 2, 2026 | ⚠ 2 days remaining | | CVE-2026-12569 | PTC Windchill/FlexPLM | June 28, 2026 | 🔴 Overdue | | CVE-2026-20230 | Cisco UCM | June 28, 2026 | 🔴 Overdue | | CVE-2025-67038 | Lantronix EDS5000 | June 26, 2026 | 🔴 Overdue | | CVE-2026-34908/09/10 | Ubiquiti UniFi OS | June 26, 2026 | 🔴 Overdue | | CVE-2026-20253 | Splunk Enterprise | June 21, 2026 | 🔴 Overdue |

All overdue items represent active BOD 26-04 compliance failures for federal agencies and contractors operating under that directive. Prioritize in order of internet exposure and authentication requirement — unauthenticated RCE and authentication bypass vulnerabilities on internet-accessible systems should be treated as potential active compromises until forensic triage confirms otherwise.

Sources: CISA KEV Catalog · Cisco Security Advisories · PTC Product Security · Ubiquiti Security Advisories · Splunk Security Advisories · SimpleHelp Security Notices · Lantronix Support · CISA BOD 26-04