CISA Warns of Critical Ubiquiti Flaws Under Active Attack

Michael Miller · 2026-06-24

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is sounding the alarm about hackers actively exploiting serious security holes in Ubiquiti UniFi OS and Lantronix serial-to-ethernet servers. These aren't just minor bugs—they're the kind of flaws that can let attackers take full control of your network. If you're using these devices, you need to pay attention right now. ### What's Going On? CISA added these vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, which means they're not theoretical. Real attackers are using them in the wild. The Ubiquiti flaw, tracked as CVE-2025-2825, has a CVSS score of 9.8 out of 10—that's critical severity. For context, a 10 is the worst possible. This bug lets an unauthenticated attacker execute commands remotely with no user interaction needed. The Lantronix vulnerability, CVE-2025-22720, is slightly less severe at 7.2 but still dangerous. It allows privilege escalation through a command injection flaw in the web interface. Combined, these flaws create a perfect storm for network compromise. ### Who Should Be Worried? If you manage any of these devices, you're in the crosshairs: - Ubiquiti UniFi OS (used in UniFi Dream Machine, Cloud Key, and other controllers) - Lantronix serial-to-ethernet servers (common in industrial and enterprise settings) - Any network that relies on these for remote access or management These devices are popular because they're affordable and powerful. But that same popularity makes them a juicy target for attackers. Think of it like leaving your front door unlocked in a busy neighborhood—sooner or later, someone's going to walk in. ### What Can You Do? Here's your action plan: - **Update immediately**: Ubiquiti has released patches for UniFi OS versions 4.1.13 and later. Lantronix has patches for affected models. Don't wait. - **Check your logs**: Look for unusual activity, especially remote command execution attempts. - **Segment your network**: Keep these devices on a separate VLAN if possible. That way, even if they're compromised, attackers can't easily pivot to your main systems. - **Disable remote management**: If you don't absolutely need WAN access to these devices, turn it off. CISA also requires federal agencies to patch within three weeks, but honestly, you should do it sooner. The exploit code is already out there, and attackers are moving fast. ### Why This Matters for Your Business These aren't just IT problems—they're business risks. A compromised network device can lead to data breaches, ransomware, or complete network takeover. For small and medium businesses, that can be catastrophic. Recovery costs can easily hit tens of thousands of dollars, not to mention reputation damage. Think of it this way: patching takes maybe 30 minutes. A breach could take months to recover from. The math is simple. ### The Bottom Line CISA's warning isn't just noise. These are real exploits being used right now. If you have Ubiquiti or Lantronix gear, prioritize patching today. And if you're not sure how to check, ask your IT team or a trusted MSP. This is one of those times where speed matters more than perfection. Stay safe out there.