CISA KEV Edge Devices Lead Today's Patch Queue
Lantronix EDS5000 Code Injection (CVE-2025-67038) Added to CISA KEV
CISA added CVE-2025-67038 to the Known Exploited Vulnerabilities catalog with a 26 June 2026 federal remediation deadline. The issue affects Lantronix EDS5000 devices and allows code injection through the username parameter, with root-level command execution risk. Treat this as a priority inventory and patch-verification item for any managed, exposed, or operational technology-adjacent deployments.
Sources: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?fieldcve=CVE-2025-67038; https://www.cisa.gov/news-events/ics-advisories/icsa-26-069-02
Ubiquiti UniFi OS Access Control (CVE-2026-34908) Added to CISA KEV
CISA also added CVE-2026-34908 to KEV with the same 26 June 2026 federal deadline. The flaw is an improper access-control issue in UniFi OS that can permit unauthorised system changes. Owners should confirm UniFi OS exposure, update to the latest stable release through the UniFi management console, and check for unauthorised configuration changes.
Sources: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?fieldcve=CVE-2026-34908; https://community.ui.com/releases/Security-Advisory-Bulletin-064-064/84811c09-4cf4-42ab-bd61-cc994445963b
Adobe ColdFusion XXE Vulnerability (CVE-2025-61821)
ColdFusion versions 2025.4, 2023.16, 2021.22 and earlier are affected by an XML external entity restriction flaw that can lead to arbitrary file-system reads. Exploitation does not require user interaction, but the exploit path depends on conditions beyond the attacker's direct control. Internet-facing ColdFusion deployments should move through normal emergency patch validation, especially where sensitive local files may be reachable.
Sources: https://nvd.nist.gov/vuln/detail/CVE-2025-61821
Adobe Dreamweaver Improper Access Control (CVE-2026-47907)
Dreamweaver Desktop versions 21.7 and earlier are affected by an improper access-control vulnerability that can lead to arbitrary file-system reads outside the intended access scope. Exploitation requires a victim to open a malicious file, so this is lower urgency than the KEV edge-device items, but developer and creative-workstation fleets should still validate patch status.
Sources: https://nvd.nist.gov/vuln/detail/CVE-2026-47907
NCSC UK and Five Eyes Guidance Highlights AI-Compressed Exploitation Windows
NCSC UK and partners warned that AI is compressing the vulnerability-to-exploitation window. The operational lesson is patch-wave readiness: high-priority edge appliances increasingly need 24-48 hour triage, owner assignment, and deployment paths. Security teams should review whether current patch-management SLAs can handle short-fuse KEV-style windows without manual escalation every time.
Sources: https://x.com/NCSC/status/2069375645457539422
FortiBleed Credential-Theft Campaign Updated After Patch Availability
The FortiBleed campaign remains relevant because patch availability changes the response posture. Reporting describes a custom FortiGate sniffer used to harvest administrative credentials. FortiGate owners should verify patch deployment, rotate administrative credentials, enforce hardware-backed MFA where possible, and check for unauthorised admin profiles or anomalous packet-capture/sniffer configurations.
Sources: https://www.bleepingcomputer.com/news/security/fortibleed-campaign-used-custom-fortigate-sniffer-to-steal-credentials/
CVE-2024-40766 Remains a Patch and Configuration Validation Item
CVE-2024-40766 remains in the active exploitation queue through CISA KEV context, but the useful lesson today is operational: applying the patch is not enough if vulnerable configurations remain exposed. Treat this as a validation task rather than a fresh incident claim. Confirm the relevant product owner has patched, then review configuration state and compensating controls for exposed services.
Sources: https://isc.sans.edu/diary/rss/33094
Recommended Actions
1. Inventory and patch Lantronix EDS5000 and Ubiquiti UniFi OS deployments before the 26 June KEV deadline.
2. Validate Adobe ColdFusion and Dreamweaver patch status across server and workstation owners.
3. Confirm CVE-2024-40766 patch and configuration state on affected assets.
4. Rotate FortiGate administrative credentials after patch verification and review for suspicious admin changes.
5. Review high-priority patch SLAs against 24-48 hour response windows for exposed network-edge systems.
All findings grounded in a13e intelligence sweeps through 04:55 UTC 24 June 2026. Independent review approved the core six-finding scope; CVE-2024-40766 was added during exploited-coverage reconciliation with conservative wording. Adobe items remain NVD-only, and FortiBleed remains single-reporting-led with internal re-promotable proof, so treat those as validation tasks rather than confirmed customer-impact claims.