
CISA’s Known Exploited Vulnerabilities catalog has had a busy several days. On June 23, 2026, three perfect-10 Ubiquiti UniFi OS flaws and a 9.8 root-access Lantronix bug landed in KEV together, with a federal remediation deadline of June 26 — today. And in an update to that story, CVE-2026-20230, the Cisco Unified Communications Manager SSRF flaw that researchers had been tracking as actively exploited but not yet catalog-listed, has now been formally confirmed in KEV as well.
That makes five vulnerabilities across three vendors, all confirmed under active exploitation, all hitting network infrastructure that enterprises tend to under-monitor. Here’s the full picture.
The Original Four: Ubiquiti UniFi OS and Lantronix EDS5000
How the Lantronix flaw works
The Lantronix EDS5000 is a serial-to-Ethernet device server: the kind of appliance that quietly bridges legacy serial gear (industrial controllers, point-of-sale terminals, medical equipment) onto IP networks and rarely gets a second glance once it is installed. The vulnerability sits in the device’s HTTP RPC module. When a login attempt fails, the module logs the failed username by splicing it directly into a shell command line, without sanitizing it first. An attacker who submits a crafted username string can smuggle arbitrary OS commands into that shell call, and because the logging code runs with elevated rights, those commands execute as root. Because the injection rides on the authentication-failure path itself, no valid credentials are needed.
This is part of a larger disclosure called BRIDGE:BREAK, published by Forescout’s Vedere Labs research team in April 2026, covering a batch of serial-to-IP converter flaws across Lantronix and Silex product lines. CVE-2025-67038 is the one now confirmed under active attack.
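The failed-login pattern described above, reduced to a runnable illustration. This is an added example, not Lantronix firmware or Forescout’s research code; the real module is native code on the device, and `echo` here is an assumed stand-in for whatever logging binary it invokes. The third function is the hunting side of the same bug: the attacker’s payload is the “username”, so shell metacharacters in a device’s failed-login history are the indicator to look for.

```python
import re
import subprocess


def log_failed_login_vulnerable(username: str) -> str:
    """Mirror of the flawed pattern: the attacker-controlled username is
    spliced into a shell command line. The single quotes look like protection,
    but a quote inside the username closes them. `echo` stands in for the
    firmware's logging binary (assumption)."""
    cmd = f"echo 'auth failure for user {username}'"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def log_failed_login_hardened(username: str) -> str:
    """No shell involved: an argv list, so the username is exactly one argument
    and is never parsed for metacharacters. In firmware the better fix is to
    call the logging API (syslog) directly and spawn nothing at all."""
    return subprocess.run(
        ["echo", f"auth failure for user {username}"],
        capture_output=True, text=True,
    ).stdout


# Shell metacharacters that have no business in a username. Run this over the
# device's own failed-login history when hunting: a "username" like the payload
# below is an exploitation attempt, not a typo. This denylist is for detection
# only; the hardened logger above does not rely on it.
_SHELL_META = re.compile(r"[;&|`$(){}<>\\'\"\n\r]")


def suspicious_username(name: str) -> bool:
    return _SHELL_META.search(name) is not None


if __name__ == "__main__":
    # Constructed payload: closes the quote, runs a command, reopens the quote.
    payload = "bob'; echo $((6*7)); echo '"
    print("vulnerable:", repr(log_failed_login_vulnerable(payload)))  # contains "42"
    print("hardened:  ", repr(log_failed_login_hardened(payload)))    # literal payload, no 42
    print("flagged:   ", suspicious_username(payload))
```

The vulnerable variant prints 42 because the shell evaluated `$((6*7))`; the hardened one prints the payload verbatim as inert text. Expect false positives from the detector on legitimate usernames that contain an apostrophe (RFC 5321 allows one in the local part of an address), so review flagged entries rather than alerting on them blindly.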
How the Ubiquiti UniFi OS flaws work — and why three perfect 10s in one disclosure is unusual
UniFi OS is the operating system layer underpinning Ubiquiti’s Cloud Gateways, Dream Machines, NAS devices, network video recorders, and the UniFi OS Server software itself — infrastructure that runs across an enormous footprint of small business and enterprise networks. Three flaws were patched together in UniFi OS Server 5.0.8 on May 21, and all three now show confirmed exploitation:
- CVE-2026-34908 is an improper access control flaw. An attacker who simply has network access — no credentials needed — can make unauthorized changes to the system: altering configuration, disabling controls, manipulating network behavior.
- CVE-2026-34909 is a path traversal bug that lets an attacker read or manipulate files outside their intended directory scope, which can be turned into access to underlying user accounts.
- CVE-2026-34910 is an improper input validation flaw that enables OS command injection — once an attacker has a foothold, this is the step that gets them arbitrary code execution.
Chained together, these three are far worse than any one alone. Bishop Fox built a proof-of-concept that strings them into a single HTTP request, ending in a full root reverse shell. Ubiquiti reportedly became aware of active exploitation through threat intelligence firm Defused Cyber, which had observed the chain being used to deploy commodity malware.
The deadline
Federal civilian agencies are required to remediate under BOD 26-04 by June 26, 2026 — today. CISA’s standard guidance extends this urgency to everyone else: if a UniFi OS console or an EDS5000 box is reachable from an untrusted network, patch now. Ubiquiti’s fix is UniFi OS Server 5.0.8+, Lantronix’s is EDS5000 firmware 2.2.0.0R1.
Cisco Unified CM CVE-2026-20230
The fifth vulnerability, sitting in Cisco’s Unified Communications Manager (Unified CM) and Unified CM Session Management Edition, has now been formally added to CISA’s KEV catalog. The official entry classifies it under CWE-918 (Server-Side Request Forgery), describing a vulnerability that lets an unauthenticated, remote attacker write files to the underlying operating system — files that can later be used to escalate to root. Whether it’s been used in ransomware campaigns is currently listed as unknown.
The timeline here is worth walking through, because it shows how an exploit moves from quiet disclosure to confirmed catalog entry in real time:
- June 3, 2026 — Cisco published the advisory and shipped a patch. At the time, the company noted that proof-of-concept exploit code was already public but said it had no evidence of in-the-wild use.
- Weekend of June 20–21 — Threat intelligence firm Defused observed the first confirmed exploitation: a single source running an unvetted PoC, using crafted file:// payloads against honeypot systems to test for vulnerable devices.
- June 24 — Activity escalated. Automated, Tor-routed sweeps began dropping multi-stage JSP webshells on vulnerable systems — a clear jump from reconnaissance to actual compromise tooling.
- Now — CISA has formally added CVE-2026-20230 to KEV, closing the gap between field-observed exploitation and official confirmation.
The mechanics
The vulnerability lives in Unified CM’s WebDialer service, a browser-based click-to-dial component that lets users initiate calls from a directory page or desktop app. WebDialer runs inside Cisco’s embedded Tomcat application server and listens for call requests over HTTPS. Because it fails to properly validate certain HTTP requests, an attacker can abuse its handling of user-supplied URLs to force the server into writing arbitrary files to the underlying OS — classic SSRF, but with a file-write payload riding behind it. Those written files become the foothold for a subsequent root-privilege escalation.
There’s one meaningful mitigating factor: exploitation requires the WebDialer service to be running, and it ships disabled by default. That narrows the at-risk population, but click-to-dial functionality is common enough in enterprise unified-communications deployments that “disabled by default” doesn’t mean “rarely enabled” in practice.
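Cisco has not published WebDialer’s internals, so the following is not its code; it is an added example of the default-deny check that closes the CWE-918 class this flaw belongs to, for any server that fetches a user-supplied URL. The allowlisted host `directory.example.com` is a constructed placeholder. Everything that does not parse as an http(s) URL to an allowlisted, non-internal host is refused, which covers `file://`, `gopher://`, percent-encoded schemes, loopback and link-local targets, and userinfo tricks in one rule.

```python
import ipaddress
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}
# Constructed allowlist: the only hosts this server should ever be asked to
# fetch from. In a real deployment this comes from configuration.
ALLOWED_HOSTS = {"directory.example.com"}


def is_internal_address(host: str) -> bool:
    """True if host is an IP literal in a range the server must never reach."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname, handled by the allowlist below
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def validate_outbound_url(raw: str) -> tuple[bool, str]:
    """Default-deny check for a user-supplied URL the server would fetch.
    Returns (ok, reason). Anything that does not parse as http(s) to an
    allowlisted host is rejected."""
    parts = urlparse(raw)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {scheme!r} not allowed"      # file://, gopher://, ''
    host = (parts.hostname or "").lower()
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "userinfo in URL"                     # http://allowed.host@127.0.0.1/
    if is_internal_address(host):
        return False, f"internal address {host}"            # 127.0.0.1, [::1], 169.254.x.x
    if host not in ALLOWED_HOSTS:
        return False, f"host {host!r} not in allowlist"
    # Caveat: an allowlisted hostname can still resolve to an internal IP
    # (DNS rebinding). Resolve once, run the IP through is_internal_address,
    # and connect to that pinned IP instead of resolving again at fetch time.
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("https://directory.example.com/dial?ext=1234",
                      "file:///etc/passwd",
                      "http://127.0.0.1:8080/",
                      "http://directory.example.com@169.254.169.254/"):
        print(f"{candidate!r:55} -> {validate_outbound_url(candidate)}")
```

Note that this validates the value after the web framework has already URL-decoded it once; a double-encoded `file%253A` arrives as `file%3A`, fails to parse as a scheme at all, and is rejected by the same default-deny branch rather than by a special case.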
Why this one matters beyond the CVE itself
This is the second Cisco Unified CM vulnerability confirmed exploited in 2026, following January’s CVE-2026-20045 zero-day — also added to KEV, also root-privilege escalation, also in core voice infrastructure. Two confirmed-exploited root-access bugs in the same flagship product within six months says something about how attractive Unified CM has become as a target: it’s the central node for enterprise voice, video, and messaging, and a successful compromise gives an attacker a foothold that’s both valuable and frequently under-monitored compared to traditional IT infrastructure.
The webshell detail is the sharpest operational point here. Patching closes the CVE-2026-20230 entry point; it does not remove a webshell that was already planted before the patch was applied. A JSP shell dropped under the platform-services web path survives both the patch and a server restart. Anyone who ran an exposed, WebDialer-enabled Unified CM instance unpatched at any point from June 3 onward (exploitation was first observed on June 20 and was automated with webshell drops by June 24) should treat that interval as a potential-compromise window requiring investigation, not a patch-and-move-on situation.
Fix: 14SU6 for the 14 release train (available now). For the 15 train, the full Service Update (15SU5) isn’t due until September 2026; until then, apply the interim COP patch, or disable WebDialer entirely by deactivating the Cisco WebDialer Web Service (Cisco Unified Serviceability, Tools > Service Activation) as an interim mitigation. Cisco confirms this is a valid stopgap, though it will break click-to-dial functionality, so confirm that is acceptable before applying it.
Detection and Response Notes
- Inventory first. Know what you’re running: UniFi OS devices, Lantronix EDS5000 units, and Unified CM instances with WebDialer enabled. You can’t prioritize what you haven’t mapped.
- Restrict exposure immediately if patching isn’t instant. Pull management interfaces off untrusted networks. For Unified CM, disabling WebDialer closes the attack surface for this specific flaw entirely.
- Hunt before and after you patch. For Unified CM specifically, check for JSP files under the platform-services/axis2-web path and any unexpected file-write artifacts, and compare the web application tree against a known-good install of the same release rather than trusting timestamps alone, since an attacker can reset them. For UniFi OS and Lantronix, review logs for unexpected admin account creation, unusual configuration changes, and anomalous outbound connections; on the EDS5000 in particular, failed-login entries whose username contains shell metacharacters are a direct sign of attempts against CVE-2025-67038.
- Don’t assume patching alone remediates compromise. If any of these systems were exposed and unpatched during the relevant exploitation windows, treat them as potentially compromised and investigate accordingly — not just “patched and done.”
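The two Unified CM hunts above, the `file://` probes from the June 20–24 timeline and the planted-JSP check, as one runnable added example. This is not Cisco tooling or a script from the researchers cited; the access-log lines are constructed, the `/webdialer/` path and query-parameter names are assumptions for illustration (the detector keys on the URL scheme, not the path), and the “planted” JSP is an inert comment, not a real webshell. The advisory date (June 3) is used as the cutoff for the file hunt.

```python
import os
import re
import tempfile
import datetime as dt
from pathlib import Path
from urllib.parse import unquote

# Constructed sample in Apache/Tomcat combined-log format. The /webdialer/ path
# and the parameter names are illustrative assumptions, not Cisco's endpoint.
SAMPLE_ACCESS_LOG = """\
10.0.5.12 - - [20/Jun/2026:14:02:11 +0000] "POST /webdialer/Webdialer HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.9 - - [21/Jun/2026:02:17:43 +0000] "GET /webdialer/Webdialer?url=file%3A%2F%2F%2Fetc%2Fpasswd HTTP/1.1" 500 0 "-" "python-requests/2.31"
203.0.113.44 - - [24/Jun/2026:11:05:02 +0000] "POST /webdialer/Webdialer?target=FILE%253A%252F%252F%252Ftmp%252Fx.jsp HTTP/1.1" 200 0 "-" "curl/8.4.0"
10.0.5.12 - - [24/Jun/2026:11:09:55 +0000] "GET /platform-services/axis2-web/index.jsp HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Schemes a click-to-dial request never needs; any of them in a request line
# is an SSRF probe, whichever parameter carries it.
PROBE_SCHEME_RE = re.compile(r"(?i)\b(file|gopher|dict|ftp|ldap|jar)://")

# Advisory date: any JSP written after it in the webapp tree needs explaining.
ADVISORY_DATE = dt.datetime(2026, 6, 3, tzinfo=dt.timezone.utc)


def find_ssrf_probes(log_text: str) -> list[dict]:
    """One record per request whose (double-)URL-decoded target carries a
    non-HTTP scheme. Decoding twice catches %25-encoded payloads."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded = unquote(unquote(m["target"]))
        s = PROBE_SCHEME_RE.search(decoded)
        if s:
            hits.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"],
                         "scheme": s.group(1).lower(), "target": decoded})
    return hits


def find_jsp_modified_after(root, cutoff: dt.datetime) -> list[str]:
    """List .jsp files under root with mtime after cutoff, as POSIX paths
    relative to root. Caveat: mtime is trivially forged (touch -r), so treat
    hits as leads and confirm by hashing the tree against a known-good
    install of the same release."""
    root = Path(root)
    cutoff_ts = cutoff.timestamp()
    found = [p.relative_to(root).as_posix()
             for p in root.rglob("*.jsp")
             if p.is_file() and p.stat().st_mtime > cutoff_ts]
    return sorted(found)


def build_constructed_tree() -> Path:
    """Constructed stand-in for the Tomcat webapps tree: one legitimate JSP
    dated before the advisory and one inert placeholder 'planted' after
    exploitation began. Not a real webshell."""
    root = Path(tempfile.mkdtemp(prefix="ucm-hunt-"))
    webdir = root / "platform-services" / "axis2-web"
    webdir.mkdir(parents=True)
    legit = webdir / "index.jsp"
    legit.write_text("<html>axis2 landing page (constructed)</html>")
    planted = webdir / "helper.jsp"
    planted.write_text("<%-- constructed placeholder standing in for a dropped JSP --%>")
    for path, when in ((legit, dt.datetime(2026, 1, 15, tzinfo=dt.timezone.utc)),
                       (planted, dt.datetime(2026, 6, 24, 11, 6, tzinfo=dt.timezone.utc))):
        ts = when.timestamp()
        os.utime(path, (ts, ts))
    return root


if __name__ == "__main__":
    for h in find_ssrf_probes(SAMPLE_ACCESS_LOG):
        print(f"SSRF probe from {h['ip']} at {h['ts']}: {h['scheme']}:// in {h['target']}")
    for rel in find_jsp_modified_after(build_constructed_tree(), ADVISORY_DATE):
        print("JSP newer than advisory:", rel)
```

Point `find_jsp_modified_after` at the real Tomcat webapps directory on a suspect node and feed `find_ssrf_probes` the actual access logs; a probe hit that returned HTTP 200 from a Tor exit or a non-corporate address in the same window as a new JSP is the combination worth escalating.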
The Bigger Pattern
Four of these five vulnerabilities hand an attacker root access with zero authentication. The Lantronix bug sits in an appliance that exists specifically to bridge older, less-monitored infrastructure onto modern networks, and the UniFi consoles occupy the same under-monitored tier of network gear. And the Cisco case is a clean, fast-moving illustration of the standard lifecycle: a public PoC sits quietly for weeks, someone weaponizes it, exploitation escalates to webshells within days, and the formal KEV listing arrives once the evidence is solid.
None of these five flaws needed sophisticated tradecraft. They needed exposed management interfaces, enabled-but-unnecessary services, and patches that hadn’t been applied yet. That’s not a sophisticated-adversary problem — it’s a basic hygiene problem, and it’s the one that keeps showing up at the top of every KEV bulletin.


