
Attackers Can Reach Root on UniFi OS and Lantronix Edge Servers

Ubiquiti UniFi OS and Lantronix EDS5000 reached CISA KEV on June 23 with unauthenticated root flaws, and Copy Fail (CVE-2026-31431) now hits B&R OT gear. Patch fast.


If you run Ubiquiti UniFi OS or a Lantronix EDS5000 serial console server, attackers can take it over with no password. On June 23, 2026 CISA added four of these flaws to its Known Exploited Vulnerabilities (KEV) catalog and set a June 26 fix deadline for federal agencies. The same day, B&R confirmed its industrial controllers ship a Linux kernel carrying Copy Fail (CVE-2026-31431), a local privilege escalation that has been in the KEV list since May 1. This post covers all five, what is exposed, and the patch order.

The five issues at a glance

CVE            | Product                  | Flaw                        | CVSS | EPSS (Jun 23) | In KEV
CVE-2026-34908 | Ubiquiti UniFi OS        | Improper access control     | 10.0 | 0.9%          | Jun 23
CVE-2026-34909 | Ubiquiti UniFi OS        | Path traversal              | 10.0 | 0.9%          | Jun 23
CVE-2026-34910 | Ubiquiti UniFi OS        | Command injection           | 10.0 | 33.6%         | Jun 23
CVE-2025-67038 | Lantronix EDS5000        | OS command injection (root) | 9.8  | 0.5%          | Jun 23
CVE-2026-31431 | Linux kernel (Copy Fail) | Local privilege escalation  | 7.8  | 96.8%         | May 1

CVSS comes from NVD, EPSS from FIRST (retrieved June 23, 2026), KEV status and dates from CISA. The three UniFi OS flaws are network-reachable and need no login. The Lantronix flaw is unauthenticated remote code execution as root. Copy Fail needs a local foothold first, which is why it ranks lower on severity but very high on EPSS: a public proof of concept turns any low-privilege shell into root.

Am I affected?

Ubiquiti UniFi OS (CVE-2026-34908, CVE-2026-34909, CVE-2026-34910)

Per Ubiquiti Security Advisory Bulletin 064, the vulnerable builds are:

  • UniFi OS Server before 5.0.8
  • UDM, UDM-Pro, UDM-SE, UDM-Pro-Max, most other gateways, and UNVR before firmware 5.1.12
  • UDM-Beast before 5.1.11
  • UniFi Express before 4.0.14

All three carry a CVSS base score of 10.0. The access control and path traversal bugs can be chained to bypass authentication, after which the command injection bug runs attacker code at root. Anything with a UniFi controller reachable from an untrusted network is in scope.

Lantronix EDS5000 (CVE-2025-67038)

The EDS5000, EDS5008, EDS5016 and EDS5032 serial-to-IP console servers on firmware 2.1.0.0R3 are affected. The HTTP RPC module builds a shell command from the submitted username on a failed login and never sanitizes it, so an unauthenticated attacker can inject OS commands that execute as root (CVSS 9.8). It is one of the BRIDGE:BREAK flaws disclosed across Lantronix and Silex serial-to-IP converters earlier this year.

B&R products and Copy Fail (CVE-2026-31431)

CISA advisory ICSA-26-174-06 confirms these B&R lines ship affected Linux kernels:

  • Linux for B&R version 12 and earlier
  • APROL before APROL-AutoYaST-DVD-V4.4-010.10.260602
  • X20EDS410 (all versions)

Copy Fail is a flaw in the kernel AEAD crypto interface (algif_aead) that gives a deterministic write into the page cache, enough for a local user to overwrite a setuid binary and become root. B&R reports no evidence of active exploitation of B&R products yet, but the underlying CVE is KEV listed and public exploit code exists, so treat any shared or operator-accessible B&R Linux system as exposed.

What to do now

Patch first, mitigate only where you cannot patch yet.

UniFi OS

Update to UniFi OS Server 5.0.8 or later, firmware 5.1.12 or later for gateways and UNVR, 5.1.11 for UDM-Beast, and 4.0.14 for UniFi Express. If you cannot update immediately, take the controller off any internet-facing interface and restrict management to a trusted VLAN or VPN. The federal KEV deadline is June 26, 2026; treat it as your own ceiling.

Lantronix EDS5000

Upgrade EDS5000 series firmware to 2.2.0.0R1, which Lantronix released to close CVE-2025-67038 and the related BRIDGE:BREAK issues. Until then, block the device web interface from untrusted networks and put it behind segmentation, since the flaw is pre-authentication.

B&R

Install the APROL update (APROL-AutoYaST-DVD-V4.4-010.10.260602) and apply other B&R kernel updates as they ship. Because exploitation requires local access, enforce strict access control on every Linux-based B&R system: limit interactive logins to trusted operators, review account permissions, and disable unused accounts. B&R also lists tested workarounds in the advisory for systems that cannot be patched right away.
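To turn the affected builds under "Am I affected?" and the fix versions above into a repeatable inventory check, here is an added example (not CloudKey's or VulnMonitor's code). The version thresholds are the ones stated in this post for UniFi OS and the EDS5000 series; the product keys, hostnames and running versions in the sample inventory are constructed, and Copy Fail is left out because the post gives no kernel version to compare against.

```python
import re

UNIFI_CVES = ["CVE-2026-34908", "CVE-2026-34909", "CVE-2026-34910"]

# product key (our own label) -> (first fixed build, CVEs, federal KEV deadline)
# Thresholds are those stated in this post; any build below the fix is affected.
RULES = {
    "unifi-os-server": ("5.0.8", UNIFI_CVES, "2026-06-26"),
    "unifi-gateway":   ("5.1.12", UNIFI_CVES, "2026-06-26"),  # UDM family, most gateways, UNVR
    "udm-beast":       ("5.1.11", UNIFI_CVES, "2026-06-26"),
    "unifi-express":   ("4.0.14", UNIFI_CVES, "2026-06-26"),
    "eds5000":         ("2.2.0.0R1", ["CVE-2025-67038"], "2026-06-26"),
}

def parse_version(text):
    """Turn '5.1.12' or '2.1.0.0R3' into a comparable tuple of ints.
    Lantronix appends an 'R<n>' release suffix; it becomes the last element
    (0 when absent) so that 2.1.0.0R3 sorts below 2.2.0.0R1."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:R(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [int(m.group(2) or 0)])

def check_inventory(inventory):
    """Return (host, cves, fixed_build, due) for each device below its fix; unknown products are skipped."""
    findings = []
    for host, product, version in inventory:
        rule = RULES.get(product)
        if rule is None:
            continue
        fixed, cves, due = rule
        if parse_version(version) < parse_version(fixed):
            findings.append((host, cves, fixed, due))
    return findings

# Constructed sample inventory: hostnames and running versions are made up.
SAMPLE_INVENTORY = [
    ("gw-hq-01",    "unifi-gateway", "5.1.9"),       # below 5.1.12 -> affected
    ("gw-branch",   "unifi-gateway", "5.1.12"),      # at the fix -> clean
    ("console-ot",  "eds5000",       "2.1.0.0R3"),   # advisory build -> affected
    ("console-lab", "eds5000",       "2.2.0.0R1"),   # patched
    ("beast-01",    "udm-beast",     "5.1.11"),      # at the fix -> clean
    ("plc-gw",      "other-vendor",  "1.0"),         # not covered here -> skipped
]

if __name__ == "__main__":
    for host, cves, fixed, due in check_inventory(SAMPLE_INVENTORY):
        print(f"{host}: {', '.join(cves)} -> upgrade to {fixed} by {due}")
```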

How these are being exploited

CISA only adds a CVE to KEV when it has evidence of active exploitation, so the four June 23 additions are being attacked now, not in theory. The UniFi OS command injection bug (CVE-2026-34910) already sits at 33.6% EPSS, the steepest jump of the four, which fits a flaw with public attack paths. Copy Fail has been weaponized since spring: a small script flips a setuid binary to grant root, which is why its EPSS sits near 97%. No primary source has published indicators tying these to a named ransomware crew yet; we will update this post if that changes. For the latest detail, work from the primary trackers: the vendor advisories above and CISA’s KEV entries.

How VulnMonitor helps

The hard part of a multi-vendor KEV day is not the patch, it is knowing which of these you actually run before the deadline. VulnMonitor matches each CVE against your live asset inventory, so a UniFi controller on old firmware, an EDS5000 still on 2.1.0.0R3, or a B&R node on an affected kernel surfaces by name, ranked by KEV status and EPSS. It does not block the attack; it tells you where you are exposed so patching beats the clock.

Updates

  • June 23, 2026: Initial publication covering the four new KEV additions (Ubiquiti UniFi OS and Lantronix EDS5000) and the B&R Linux kernel advisory for Copy Fail.


CloudKey Security Research

The CloudKey research team tracks emerging CVEs, exploit chains and active campaigns. Findings feed the platform and the customer advisories that follow.
