Vulnerability intelligence

CVE-2025-67038 is an OS command injection vulnerability affecting Lantronix EDS5000 devices, specifically version 2.1.0.0R3. This flaw resides within the HTTP RPC module, which logs failed user authentication attempts by executing shell commands. The vulnerability arises because the username parameter is directly incorporated into these shell commands without proper sanitization, allowing an attacker to inject arbitrary operating system commands. Exploitation of CVE-2025-67038 does not require prior authentication and can be performed remotely over the network by leveraging intentionally failed login attempts. The injected commands execute with root privileges, enabling complete system compromise. Given that Lantronix EDS5000 devices are frequently deployed in industrial control system (ICS) environments for serial-to-Ethernet connectivity, a successful exploit could provide attackers with a foothold into operational technology (OT) networks. This vulnerability has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, indicating active exploitation.

CVE-2026-4282 describes a privilege escalation vulnerability found in Keycloak, an open-source identity and access management solution. The flaw resides within Keycloak's SingleUseObjectProvider component, which functions as a global key-value store for single-use tokens like authorization codes. The vulnerability stems from an improper isolation or compartmentalization of types and namespaces within this provider. This deficiency allows an unauthenticated attacker to forge authorization codes. Successful exploitation of this flaw can lead to the creation of access tokens with administrative capabilities.

CVE-2026-9802 describes a vulnerability identified in Keycloak, an open-source identity and access management solution. This flaw manifests when Keycloak is configured with `revokeRefreshToken=true` and utilizes persistent session storage. Under these specific conditions, a server restart can inadvertently reset internal timing mechanisms responsible for managing refresh tokens. The vulnerability allows a remote attacker, who has previously obtained a user's refresh token, to replay that token even after it has been revoked. This replaying of a revoked token grants the attacker unauthorized access to the victim's account, potentially leading to information disclosure or privilege escalation.

A malicious actor with access to the network could exploit an Improper Input Validation vulnerability found in UniFi OS devices to execute a Command Injection.

A malicious actor with access to the network could exploit a Path Traversal vulnerability found in UniFi OS devices to access files on the underlying system that could be manipulated to access an underlying account.

CVE-2026-34908 is an Improper Access Control vulnerability (CWE-284) affecting Ubiquiti UniFi OS devices. Disclosed on May 21, 2026, this flaw allows a malicious actor with network access to bypass access restrictions and make unauthorized changes to the system. The vulnerability does not require authentication or user interaction for exploitation. This issue impacts various Ubiquiti UniFi OS devices, including models such as UDM, UDM-Pro, UDM-SE, and UDM-Pro-Max systems. Ubiquiti has released security updates to address this vulnerability.