Heads-up: the U.S. cybersecurity folks raised the alarm about a nasty bug being actively abused in some Lantronix devices, and at the same time a trio of UniFi OS flaws that can be stitched together into a full-blown remote root takeover has also seen in-the-wild use. If you run industrial serial-to-IP gear or UniFi infrastructure, this is not the time to be lazy.
Lantronix EDS5000 — code injection being used in the wild
There’s a critical vulnerability in the EDS5000 series (CVE-2025-67038) that lets an attacker inject OS commands through a login field. In short: an HTTP RPC component builds a shell command using the username without sanitizing it, so an attacker can smuggle in extra commands that execute with root privileges. The issue was originally disclosed as part of a broader set of problems affecting serial-to-IP converters.
According to the agency advisory, this flaw is under active exploitation, and administrators were urged to apply fixes immediately. While details about the exact exploit techniques and who’s doing it are scarce, the danger is clear: unauthenticated or lightly protected management interfaces make excellent targets.
- Update to the vendor’s fixed firmware as soon as you can.
- Isolate device management interfaces from general networks (use VLANs or management VRFs).
- Harden access: strong passwords, limit IPs that can reach admin ports, and enable multi-factor auth where possible.
- Monitor logs and network traffic for suspicious login attempts or unexpected command execution.
UniFi OS — three flaws chained into remote root access
A separate row of problems affects UniFi OS: one bug allows command injection, another permits path traversal to read or tamper with files, and a third is an improper access control hole. Security researchers demonstrated how those three can be chained into a one-shot proof-of-concept that yields a reverse shell running as root. Patches have been released by the vendor, and reports indicate these bugs have also been abused to deploy commodity malware.
The practical risk here is that UniFi OS devices are often central network controllers — if they’re compromised, attackers can pivot and cause a lot more damage across an environment. National cybersecurity authorities have warned about that lateral movement risk.
- Install the vendor patches immediately — do not wait.
- Restrict UniFi management interfaces to known admin hosts only.
- Check for unexpected services, new accounts, or changes to system files; treat anomalous behavior as hostile.
Wrap-up: two separate situations, same moral — patch, isolate, and watch. These are the kinds of vulnerabilities attackers love: remotely exploitable, powerful, and often present on devices that sit in the heart of a network. If you manage affected gear, act fast and bring snacks — this one’s likely to keep you busy for a bit.