One Box, Three Perfect 10s: The Week Networking Gear Broke Bad
Ubiquiti UniFi OS, Lantronix, Splunk, Cisco and a resurfacing Fortinet bug — what's actually exploited this week
It's rare to see one product collect three perfect-10s in a single week. This week Ubiquiti's UniFi OS managed exactly that — CVE-2026-34910, CVE-2026-34908 and CVE-2026-34909, all CVSS 10, all added to CISA's KEV in the same June 23 batch, with the federal remediation deadline set for June 26.
CVSS 10 is the loud part. The part that should make you sit up is the KEV listing: that is CISA saying these are being used in real attacks, not just theoretically nasty. The command-injection one (CVE-2026-34910) carries an EPSS of 82% (99th percentile, as of June 25); the access-control and path-traversal siblings score lower on likelihood but were added to KEV in the same batch, with the same deadline. BleepingComputer and SecurityWeek both have the write-ups.
On the agenda
Same June 23 KEV batch, different box: CVE-2025-67038 in Lantronix EDS5000 serial-to-Ethernet gateways, a 9.8 command injection where the login username gets stitched straight into a shell command. Its EPSS is a sleepy 1.1%, which is exactly why likelihood scores can mislead: EPSS estimates the chance that exploitation will be observed, while KEV records that it already has been, confirmed by CISA. KEV beats EPSS here.
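The pattern described above, "username stitched into a shell command", is worth seeing beside its fix. The block below is an added illustration, not Lantronix's firmware or any code from the advisory: it stands in `echo` for whatever helper a real gateway would call, constructs a username that carries a second command, and contrasts string-building with `shell=True` against an allowlisted value passed as its own argv entry.

```python
"""Vulnerable vs. hardened handling of a login name passed to a shell helper.

Added example, not the Lantronix code. `echo` stands in for the real helper;
the injected payload only prints a marker so the demo is harmless.
"""
import re
import subprocess

# Allowlist: alphanumerics, dot, underscore, dash; must START alphanumeric so a
# name like "-n" cannot be parsed as an option even when passed via argv.
USERNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,31}$")

# Constructed input: a "username" that carries a second shell command.
PAYLOAD = "alice; echo INJECTED"


def vulnerable_login(username: str) -> list[str]:
    """The bug pattern: concatenate into a command string and run it via the shell.

    Returns the helper's stdout lines; a metacharacter in `username` becomes
    extra commands because /bin/sh parses the whole string.
    """
    cmd = "echo login " + username  # username lands inside the shell command line
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout.splitlines()


def safe_login(username: str) -> list[str]:
    """The fix: reject anything outside the allowlist, then pass the value as one
    argv element with no shell in the path, so it is data, never syntax."""
    if not USERNAME_RE.match(username):
        raise ValueError("rejected username")
    out = subprocess.run(["echo", "login", username], capture_output=True, text=True)
    return out.stdout.splitlines()


if __name__ == "__main__":
    print("vulnerable:", vulnerable_login(PAYLOAD))  # helper ran, then the payload ran
    try:
        safe_login(PAYLOAD)
    except ValueError as exc:
        print("safe:", exc)
    print("safe:", safe_login("alice"))
```

Note that dropping `shell=True` alone is not the whole fix: argv passing stops the `;`, but a username beginning with `-` would still reach the helper as an option, which is why the allowlist pins the first character.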
CVE-2026-20253, the Splunk Enterprise pre-auth file-write we flagged a fortnight ago, is still live — 9.8, on KEV, EPSS 92%, and its federal deadline (June 21) is already in the rear-view mirror. Fix is Splunk Enterprise 10.2.4 / 10.0.7. BleepingComputer covered the "patch by Sunday" warning.
Flying under the radar
Remember the Cisco SD-WAN bug from a few weeks back? Here's another to file next to it. CVE-2026-20262 in Cisco Catalyst SD-WAN Manager is "only" a 6.5 — but it's on KEV, in the wild, and now has a public exploit. A modest CVSS that's actually being used outranks a quiet 9.8 every time. (Check Point's weekly intel has it.)
And the old guard never quite dies: CVE-2024-21762, the 2024 Fortinet FortiOS/FortiProxy SSL-VPN out-of-bounds write (9.8, ransomware-linked on KEV), resurfaced this week inside the StrikeShark Cobalt Strike campaign. Its federal deadline passed in February 2024 — but attackers clearly didn't get the memo.
| CVE | Product → fix | Status |
|---|---|---|
| CVE-2026-34910 / -34908 / -34909 | Ubiquiti UniFi OS → vendor update | CVSS 10, on KEV (deadline Jun 26) |
| CVE-2026-20253 | Splunk Enterprise → 10.2.4 / 10.0.7 | 9.8, on KEV, exploited |
| CVE-2026-20262 | Cisco Catalyst SD-WAN Manager → vendor patch | 6.5, on KEV, public exploit |
| CVE-2025-67038 | Lantronix EDS5000 → vendor update | 9.8, on KEV, exploited |
| CVE-2024-21762 | Fortinet FortiOS / FortiProxy → fixed builds | 9.8, on KEV, ransomware |
UniFi gateways, Lantronix gateways, Fortinet VPNs, Cisco managers, Splunk consoles — this is perimeter gear, the stuff that lives at the edge of your network and the stuff teams most often forget they have online. You watch the threat feed all week. The harder question is which of these boxes you're quietly exposing right now.
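To make that question concrete, here is an added example (not part of the original roundup) that crosses a constructed asset inventory with this week's entries and orders them the way the text argues: KEV first, internet-exposed first within KEV, and only then due date, CVSS and EPSS. The CVE figures are the ones quoted above; the hostnames and exposure flags are made up, the Cisco due date is not given on the page and is left empty, and the Fortinet due date is an assumed value consistent with "February 2024". A second function shows where a pure EPSS sort would have put the Lantronix box.

```python
"""Cross a constructed asset inventory with this week's KEV entries.

Added example. Ordering rule: a KEV listing (confirmed exploitation) beats an
EPSS likelihood score, and an internet-exposed box beats an internal one; CVSS
and EPSS only break ties inside a tier.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    exposed: bool  # reachable from the internet


# CVE -> affected product, from the roundup's table.
CATALOG = {
    "CVE-2026-34910": "UniFi OS",
    "CVE-2026-34908": "UniFi OS",
    "CVE-2026-34909": "UniFi OS",
    "CVE-2025-67038": "Lantronix EDS5000",
    "CVE-2026-20253": "Splunk Enterprise",
    "CVE-2026-20262": "Catalyst SD-WAN Manager",
    "CVE-2024-21762": "FortiOS",
}
# KEV-style records: cve -> (federal due date, knownRansomwareCampaignUse).
# Cisco's due date is not on the page (None); the Fortinet date is ASSUMED.
KEV = {
    "CVE-2026-34910": (date(2026, 6, 26), False),
    "CVE-2026-34908": (date(2026, 6, 26), False),
    "CVE-2026-34909": (date(2026, 6, 26), False),
    "CVE-2025-67038": (date(2026, 6, 26), False),
    "CVE-2026-20253": (date(2026, 6, 21), False),
    "CVE-2026-20262": (None, False),
    "CVE-2024-21762": (date(2024, 2, 16), True),
}
CVSS = {"CVE-2026-34910": 10.0, "CVE-2026-34908": 10.0, "CVE-2026-34909": 10.0,
        "CVE-2025-67038": 9.8, "CVE-2026-20253": 9.8, "CVE-2026-20262": 6.5,
        "CVE-2024-21762": 9.8}
# EPSS probabilities as quoted; the page gives none for the other four.
EPSS = {"CVE-2026-34910": 0.82, "CVE-2025-67038": 0.011, "CVE-2026-20253": 0.92}

# Constructed inventory: hostnames and exposure flags are invented.
ASSETS = [
    Asset("fw-edge-01", "FortiOS", exposed=True),
    Asset("splunk-01", "Splunk Enterprise", exposed=False),
    Asset("unifi-gw-hq", "UniFi OS", exposed=True),
    Asset("serial-gw-03", "Lantronix EDS5000", exposed=True),
    Asset("sdwan-mgr", "Catalyst SD-WAN Manager", exposed=False),
]


def matches(assets):
    """Yield (asset, cve) for every catalog entry that hits an asset's product."""
    for asset in assets:
        for cve, product in CATALOG.items():
            if product == asset.product:
                yield asset, cve


def tier(cve, asset):
    """0: KEV and exposed; 1: KEV internal; 2: not KEV but EPSS >= 0.5; 3: rest."""
    if cve in KEV:
        return 0 if asset.exposed else 1
    return 2 if EPSS.get(cve, 0.0) >= 0.5 else 3


def triage(assets, today=date(2026, 6, 25)):
    """Return [(host, cve, tier, overdue)] in remediation order."""
    rows = []
    for asset, cve in matches(assets):
        due = KEV[cve][0] if cve in KEV else None
        overdue = due is not None and due < today
        # Key: tier, then earliest due date (unknown last), then CVSS, then EPSS.
        rows.append((tier(cve, asset), due is None, due or date.max,
                     -CVSS.get(cve, 0.0), -EPSS.get(cve, 0.0),
                     asset.host, cve, overdue))
    rows.sort()
    return [(host, cve, t, overdue) for t, _, _, _, _, host, cve, overdue in rows]


def by_epss_only(assets):
    """The naive ordering: likelihood score alone, KEV and exposure ignored."""
    return sorted(((a.host, cve) for a, cve in matches(assets)),
                  key=lambda hc: -EPSS.get(hc[1], 0.0))


if __name__ == "__main__":
    for host, cve, t, overdue in triage(ASSETS):
        print(f"tier {t}  {host:14} {cve}{'  OVERDUE' if overdue else ''}")
    naive = [cve for _, cve in by_epss_only(ASSETS)]
    print("EPSS-only would rank the Lantronix box at position",
          naive.index("CVE-2025-67038") + 1, "of", len(naive))
```

Swap `CATALOG`, `KEV` and `EPSS` for the real feeds (the CISA KEV JSON carries `cveID`, `dueDate` and `knownRansomwareCampaignUse`; FIRST publishes EPSS as a CSV) and `ASSETS` for your CMDB export, and the same ordering applies.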