CISA Adds Four Known Exploited Vulnerabilities to Catalog
Summary
<p>CISA has added four new vulnerabilities to its <a href="https://www.cisa.gov/known-exploited-vulnerabilities-catalog">Known Exploited Vulnerabilities (KEV) Catalog</a>, based on evidence of active exploitation.</p>
<ul>
<li><a href="https://www.cve.org/CVERecord?id=CVE-2025-67038" target="_blank">CVE-2025-67038</a> Lantronix EDS5000 Code Injection Vulnerability</li>
<li><a href="https://www.cve.org/CVERecord?id=CVE-2026-34908" target="_blank">CVE-2026-34908</a> Ubiquiti UniFi OS Improper Access Control Vulnerability</li>
<li><a href="https://www.cve.org/CVERecord?id=CVE-2026-34909" target="_blank">CVE-2026-34909</a> Ubiquiti UniFi OS Path Traversal Vulnerability</li>
<li><a href="https://www.cve.org/CVERecord?id=CVE-2026-34910" target="_blank">CVE-2026-34910</a> Ubiquiti UniFi OS Improper Input Validation Vulnerability</li>
</ul>
<p>These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.</p>
<p><a href="https://www.cisa.gov/news-events/directives/bod-26-04-implementation-guidance-prioritizing-security-updates-based-risk">Binding Operational Directive (BOD) 26-04: Prioritizing Security Updates Based on Risk</a> establishes vulnerability management requirements for Federal Civilian Executive Branch (FCEB) agencies. BOD 26-04 reinforces the importance of the KEV Catalog and requires federal agencies to prioritize rapid remediation of high-risk vulnerabilities, specifically those identified by Common Vulnerabilities and Exposures (CVEs) listed in CISA’s KEV Catalog on publicly exposed assets that grant total control of the asset post-exploitation, while deferring action for lower-risk vulnerabilities. BOD 26-04 further establishes basic expectations for when agencies must check whether threat actors compromised the system before the patch was applied.</p>
<p>While BOD 26-04 applies only to FCEB agencies, CISA encourages all organizations to adopt risk-based vulnerability management and prioritize remediation of <a href="https://www.cisa.gov/known-exploited-vulnerabilities-catalog">KEV Catalog vulnerabilities</a>. CISA will continue to add vulnerabilities to the catalog that meet the <a href="https://www.cisa.gov/known-exploited-vulnerabilities">specified criteria</a>.</p>
<p>Aware of an exploited vulnerability not currently listed in the KEV Catalog? Submit it for potential addition through CISA’s <a href="https://cisasurvey.gov1.qualtrics.com/jfe/form/SV_1Zwu52kgK2OYf3w">KEV Nomination Form</a>. Potential KEV additions must have a CVE ID, evidence of exploitation, and clear mitigation guidance.</p>