The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has given federal agencies a two-week deadline to patch actively exploited vulnerabilities in Ubiquiti and Lantronix networking devices. The agency added two flaws to its Known Exploited Vulnerabilities (KEV) catalog, signaling confirmed real-world attacks and elevating them to a critical priority.

A KEV catalog entry denotes a vulnerability for which CISA has credible evidence of active exploitation by threat actors, which makes it a remediation priority ahead of the standard patch cycle. The remediation deadlines are binding on U.S. Federal Civilian Executive Branch (FCEB) agencies under Binding Operational Directive (BOD) 22-01, but the catalog also serves as a prioritization framework for security teams worldwide.

The first vulnerability, CVE-2023-48091, is a critical flaw in Lantronix EDS5000 edge computing devices and carries the maximum CVSS score of 10.0. These devices are common in operational technology (OT) environments across critical infrastructure sectors such as energy, water, and manufacturing. A successful attack could give an adversary control over the sensitive industrial networks these devices connect.

The second flaw, CVE-2023-26801, is a high-severity issue affecting the Ubiquiti UniFi OS. This operating system runs a wide array of enterprise and small-to-medium business (SMB) networking hardware, including routers, switches, and security gateways. Exploitation could provide a powerful foothold for lateral movement across corporate infrastructure.

CISA has ordered federal agencies to remediate both flaws by November 16. The urgency is driven by the high-impact potential of the affected targets. Compromise of Lantronix devices could disrupt industrial processes or cause physical damage, while a breach of a Ubiquiti network could lead to widespread data theft or ransomware deployment.

Organizations running these devices should treat the advisory as a critical priority regardless of whether the federal deadline applies to them. Security teams should apply the vendor patches immediately or, where that is not yet possible, deploy compensating controls such as strict network segmentation and enhanced monitoring of the affected devices as interim measures. Patching and verifying the patch will be particularly challenging in complex OT environments, where update windows are infrequent and prolonged. Note that a KEV entry identifies the vulnerability, not the fixed release: administrators should consult the official Lantronix and Ubiquiti guidance to determine the specific firmware or software versions that close these flaws.
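The triage the advisory asks for (match the KEV feed against your own device inventory, compute how long remains before each due date, and flag what still needs a version check against vendor guidance) is straightforward to automate. The script below is an added example, not CISA's or either vendor's code. It reads the same JSON shape as CISA's published feed (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json), but the entries, dates and the asset inventory embedded here are constructed sample data so that it runs offline; the `dateAdded` values and the year are assumptions, since the article gives only the November 16 due date.

```python
"""Triage a CISA KEV feed excerpt against a local asset inventory.

Added example, not CISA's or the vendors' code. The field names used
(vulnerabilities[].cveID, vendorProject, product, dateAdded, dueDate,
knownRansomwareCampaignUse) are those of CISA's published KEV JSON feed;
the entries, dates and inventory below are constructed sample data.
"""
import json
from datetime import date

# Constructed KEV-format excerpt. The dateAdded values and the year are
# assumed; the placeholder CVE-0000-00000 entry is synthetic and only
# there to show an overdue item.
SAMPLE_KEV_JSON = """
{
  "vulnerabilities": [
    {"cveID": "CVE-2023-48091", "vendorProject": "Lantronix", "product": "EDS5000",
     "dateAdded": "2025-11-02", "dueDate": "2025-11-16", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2023-26801", "vendorProject": "Ubiquiti", "product": "UniFi OS",
     "dateAdded": "2025-11-02", "dueDate": "2025-11-16", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-00000", "vendorProject": "ExampleVendor", "product": "Widget",
     "dateAdded": "2025-10-01", "dueDate": "2025-10-22", "knownRansomwareCampaignUse": "Known"}
  ]
}
"""

# Hypothetical inventory, e.g. an export from a CMDB or network scanner.
SAMPLE_INVENTORY = [
    {"host": "plc-gw-01", "vendor": "Lantronix", "product": "EDS5000", "version": "unknown"},
    {"host": "udm-hq", "vendor": "Ubiquiti", "product": "UniFi OS on UDM-Pro", "version": "unknown"},
    {"host": "core-sw-02", "vendor": "Cisco", "product": "Catalyst 9300", "version": "17.9"},
    {"host": "legacy-box", "vendor": "ExampleVendor", "product": "Widget", "version": "1.0"},
]


def _norm(text: str) -> str:
    """Lower-case and collapse whitespace so vendor/product strings compare loosely."""
    return " ".join(text.lower().split())


def load_kev(kev_json: str) -> list:
    """Parse a KEV feed document and return its vulnerability entries."""
    return json.loads(kev_json)["vulnerabilities"]


def triage(kev_json: str, inventory: list, today: str, soon_days: int = 7) -> list:
    """Join KEV entries to inventory rows by vendor and product.

    Returns one finding per (CVE, host) pair, ordered by urgency. KEV does not
    carry fixed-version data, so every finding still needs a version check
    against the vendor advisory; `needs_version_check` records that.
    """
    today_d = date.fromisoformat(today)
    findings = []
    for entry in load_kev(kev_json):
        due = date.fromisoformat(entry["dueDate"])
        added = date.fromisoformat(entry["dateAdded"])
        for asset in inventory:
            if _norm(asset["vendor"]) != _norm(entry["vendorProject"]):
                continue
            # Substring match lets "UniFi OS on UDM-Pro" match the KEV product "UniFi OS".
            if _norm(entry["product"]) not in _norm(asset["product"]):
                continue
            days_left = (due - today_d).days
            if days_left < 0:
                status = "OVERDUE"
            elif days_left <= soon_days:
                status = "DUE_SOON"
            else:
                status = "SCHEDULED"
            findings.append({
                "cve": entry["cveID"],
                "host": asset["host"],
                "product": asset["product"],
                "due": entry["dueDate"],
                "days_left": days_left,
                "window_days": (due - added).days,   # length of the remediation window CISA set
                "ransomware_use": entry["knownRansomwareCampaignUse"],
                "status": status,
                "needs_version_check": True,
            })
    findings.sort(key=lambda f: (f["days_left"], f["cve"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_KEV_JSON, SAMPLE_INVENTORY, "2025-11-10"):
        print(f"{f['status']:9} {f['cve']:16} {f['host']:12} due {f['due']} "
              f"({f['days_left']:+d} days, {f['window_days']}-day window) "
              f"ransomware={f['ransomware_use']}")
```

The vendor/product join is deliberately loose because inventory names rarely match CISA's strings exactly; in practice, review the unmatched KEV entries for your vendors as well, and replace `SAMPLE_KEV_JSON` with the downloaded feed. The `days_left` and `window_days` fields make the two-week window visible for each entry and let the overdue items sort to the top.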

