Today’s OT security landscape is defined by high-impact device and network appliance exploits that directly threaten industrial operations and safety. Rapidly weaponized legacy flaws, zero-day activity against edge infrastructure, and renewed focus on serial-to-Ethernet choke points demand immediate operational responses and threat-intelligence-driven controls.
CISA Warns of Max-Severity Ubiquiti Flaws and Lantronix OT Vulnerability Actively Exploited
CISA has added four critical vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: three UniFi OS flaws (CVE-2026-34908, CVE-2026-34909, CVE-2026-34910) and a Lantronix EDS5000 root-level command injection (CVE-2025-67038). The Ubiquiti issues can be chained by unauthenticated remote actors to achieve full remote code execution with elevated privileges, while the Lantronix flaw lies in the device's HTTP RPC module and permits execution of arbitrary commands as root. The Lantronix device class is especially consequential for OT because serial-to-Ethernet converters are communications choke points for automation systems, and similar devices were abused by Russian state-linked groups in past disruptive campaigns. Federal civilian agencies subject to BOD 26-04 are required to apply patches within three days; operators should upgrade Lantronix EDS5000 units to firmware 2.2.0.0R1 immediately and, where patching is impractical, prioritize compensating controls such as restricting reachability of the management interface and monitoring it closely.
Source: Security Boulevard / CISO Whisperer
Lantronix CVE-2025-67038: Critical Cyber-Physical Risk for Industrial OT Environments
Dataminr’s analysis of CVE-2025-67038 underscores that arbitrary command execution in Lantronix EDS5000 serial-to-Ethernet converters poses a direct cyber-physical risk to industrial environments. Because these devices mediate traffic to downstream PLCs and legacy field gear, exploitation can result in loss of control and physical consequences, and can also impede recovery if converters are bricked or their configurations manipulated. Dataminr emphasizes that high-availability OT environments often cannot take unscheduled downtime to patch, making immediate compensating controls essential: restricting administrative access, heightened monitoring for anomalous authentication and command patterns, and manual-operations contingency plans. The advisory draws explicit parallels to prior disruptive operations against power and industrial targets and urges urgent operational mitigation until firmware upgrades are universally deployed.
Source: Dataminr Intel Brief
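The compensating controls above (an administrative-access allowlist plus monitoring for anomalous authentication and command patterns) can be checked mechanically against the converter's management-interface logs. The following Python is an added example, not Dataminr's or Lantronix's code: the access-log format, the `/rpc/` management prefix, the engineering subnet in `ADMIN_ALLOWLIST`, and the sample log lines are all constructed assumptions for illustration, not the real device's format or the real exploit.

```python
"""Compensating-control monitor for a serial-to-Ethernet converter's management
interface (added example; not Dataminr's or Lantronix's code).
Log format, the /rpc/ management prefix and the admin allowlist are assumptions."""
import re
from ipaddress import ip_address, ip_network
from urllib.parse import unquote

# Assumption: only the engineering-workstation subnet may touch the management plane.
ADMIN_ALLOWLIST = [ip_network("10.20.30.0/24")]
# Assumption: management/RPC endpoints live under this prefix on the device.
MGMT_PREFIXES = ("/rpc/",)
# Shell metacharacters that should never appear in a management request parameter.
SHELL_META = re.compile(r"[;|&`$\n]")

# Generic "timestamp src method path status" access-log shape (assumed, not the real format).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)

# Constructed sample log: an allowed engineer, then an outside host that fails
# authentication and then succeeds with a request carrying an injected command.
SAMPLE_LOG = """\
2026-06-10T08:01:12Z 10.20.30.15 POST /rpc/config 200
2026-06-10T08:02:40Z 10.20.30.15 GET /status 200
2026-06-10T08:05:03Z 198.51.100.7 POST /rpc/config 401
2026-06-10T08:05:09Z 198.51.100.7 POST /rpc/config?cmd=ping%3Bcat%20/etc/passwd 200
2026-06-10T08:06:00Z 10.20.30.15 POST /rpc/config?name=pump-1 200
"""


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["status"] = int(ev["status"])
    return ev


def is_admin_source(src):
    """True only for addresses inside the administrative allowlist."""
    try:
        addr = ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in ADMIN_ALLOWLIST)


def analyze(log_text):
    """Return (rule, ts, src, path) tuples for every suspicious event, in log order."""
    findings = []
    failed_auth = {}  # src -> number of 401s seen on management paths
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        src, path = ev["src"], ev["path"]
        mgmt = path.startswith(MGMT_PREFIXES)
        # Rule 1: any management-plane request from outside the allowlist.
        if mgmt and not is_admin_source(src):
            findings.append(("admin_access_outside_allowlist", ev["ts"], src, path))
        # Rule 2: shell metacharacters in the URL-decoded query string.
        query = unquote(path).partition("?")[2]
        if query and SHELL_META.search(query):
            findings.append(("shell_metachar_in_request", ev["ts"], src, path))
        # Rule 3: a management request succeeds after the same source failed auth.
        if mgmt and ev["status"] == 401:
            failed_auth[src] = failed_auth.get(src, 0) + 1
        elif mgmt and ev["status"] == 200 and failed_auth.pop(src, 0):
            findings.append(("success_after_failed_auth", ev["ts"], src, path))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(*finding)
```

Run against the constructed log, the outside host trips all three rules while the engineering workstation's configuration change with a harmless parameter does not. In production the allowlist and path prefix would be taken from the site's network design and the vendor's interface documentation, and the findings would be forwarded to the SOC rather than printed.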
IoT Defense Is Now an Intelligence Problem, Not Just a Patch Problem
ZeroFox argues that traditional vulnerability management is insufficient for IoT and OT risk in 2026, urging an outward-looking threat intelligence layer to complement patch programs. The report highlights three shifts: attackers are reusing legacy CVEs (67.5% of heavily exploited flaws were older vulnerabilities), AI-assisted tooling has lowered the adversary skill floor (IoT targeting averages 820,000 attempts per day), and segmentation is proving porous as actors pivot from IT into OT. With CrowdStrike measuring average eCrime breakout time at 29 minutes, far shorter than OT patch cycles, the analysis concludes that organizations must prioritize threat-informed monitoring, external visibility into attacker behavior, and rapid detection to reduce the window between compromise and impact.
Source: ZeroFox
NIST Opens Updated IoT Security Guidance SP 800-213 Rev. 1 for Public Comment
NIST has released the initial public draft of SP 800-213 Revision 1, “IoT Product Cybersecurity Guidelines for the Federal Government,” and is soliciting feedback through August 24, 2026. The revision shifts focus to IoT products rather than individual devices to clarify product versus system responsibilities and reflects technical and operational changes from the past five years. It is intended to help agencies and integrators more clearly specify cybersecurity requirements for products entering federal systems and aligns with the capabilities catalog in SP 800-213A. Practitioners and vendors should review the draft to ensure their product definitions, lifecycle practices, and supply-chain considerations are represented in the final guidance.
Source: SecurityWeek
Cisco SD-WAN Zero-Day CVE-2026-20245 Exploited Months Before Disclosure, Mandiant Reports
Mandiant reports that CVE-2026-20245, a privilege-escalation vulnerability in Cisco Catalyst SD‑WAN Manager, was exploited as a zero-day several months before public disclosure in early June 2026. The flaw permitted an authenticated local actor to execute arbitrary commands as root and was used in a targeted campaign against a service provider’s SD‑WAN infrastructure, where the attacker gained SSH access in March and escalated to root using the bug. This is the seventh in-the-wild exploitation of a Cisco SD‑WAN product disclosed in 2026 and illustrates the “living off the edge” trend of compromising network appliances to bypass perimeter controls and reach OT-adjacent environments. Mandiant also notes the attacker took deliberate steps to erase forensic artifacts, reinforcing the need for robust telemetry and immutable, off-box logging on edge infrastructure.
Source: SecurityWeek / Mandiant
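Mandiant's observation that the attacker erased forensic artifacts is the practical argument for tamper-evident logging on edge appliances. The following Python is an added illustration, not Mandiant's or Cisco's code and not a record of the actual incident: it builds a hash-chained event log and shows which kinds of erasure a verifier can detect from the chain alone, and which it can only detect if the latest head hash was witnessed off-box (for example by a log collector that records the head with every batch). The event records, field names and paths are constructed.

```python
"""Tamper-evident, hash-chained event log for an edge appliance (added example;
not Mandiant's or Cisco's code and not a record of the real incident).
Event records below are constructed for illustration."""
import copy
import hashlib
import json

GENESIS = "0" * 64  # hash "before" the first entry

# Constructed events in the shape a host agent might forward from a management node.
SAMPLE_EVENTS = [
    {"ts": "2026-03-02T01:14:05Z", "event": "ssh_login", "user": "netops", "src": "203.0.113.9"},
    {"ts": "2026-03-02T01:15:40Z", "event": "exec", "user": "netops", "cmd": "id"},
    {"ts": "2026-03-02T01:16:02Z", "event": "uid_change", "user": "netops", "new_uid": 0},
    {"ts": "2026-03-02T01:17:30Z", "event": "file_unlink", "user": "root", "path": "/var/log/auth.log"},
]


def entry_hash(prev_hash, seq, record):
    """Bind a record to its position and to every earlier entry via prev_hash."""
    payload = json.dumps({"seq": seq, "prev": prev_hash, "record": record}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


class ChainedLog:
    def __init__(self):
        self.entries = []

    def head(self):
        """Hash of the newest entry; this is what an off-box witness should record."""
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def append(self, record):
        seq = len(self.entries)
        prev = self.head()
        h = entry_hash(prev, seq, record)
        self.entries.append({"seq": seq, "prev": prev, "record": record, "hash": h})
        return h


def verify_chain(entries, expected_head=None):
    """Walk the chain from GENESIS. expected_head is the last hash witnessed off-box;
    without it, removal of trailing entries cannot be detected."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["seq"] != i or e["prev"] != prev:
            return False, f"chain break at index {i}"
        if entry_hash(prev, i, e["record"]) != e["hash"]:
            return False, f"modified record at index {i}"
        prev = e["hash"]
    if expected_head is not None and prev != expected_head:
        return False, "head mismatch: entries removed from the tail"
    return True, "ok"


def build_log(events=SAMPLE_EVENTS):
    log = ChainedLog()
    for rec in events:
        log.append(rec)
    return log


# Three erasure scenarios an intruder with root on the appliance might attempt.
def scenario_delete_middle(log):
    entries = copy.deepcopy(log.entries)
    del entries[1]  # drop the command-execution event
    return verify_chain(entries, log.head())


def scenario_edit_record(log):
    entries = copy.deepcopy(log.entries)
    entries[2]["record"]["new_uid"] = 1000  # hide the escalation to uid 0
    return verify_chain(entries, log.head())


def scenario_truncate_tail(log, witnessed_head):
    entries = copy.deepcopy(log.entries)[:-1]  # drop the newest event
    return verify_chain(entries, witnessed_head)


if __name__ == "__main__":
    log = build_log()
    print("intact:        ", verify_chain(log.entries, log.head()))
    print("delete middle: ", scenario_delete_middle(log))
    print("edit record:   ", scenario_edit_record(log))
    print("truncate, no witness:", scenario_truncate_tail(log, None))
    print("truncate, witnessed: ", scenario_truncate_tail(log, log.head()))
```

The first two tamperings are caught by the chain itself; the truncation is caught only when the verifier knows the head hash from somewhere the intruder cannot reach. That is the concrete reason to forward logs (or at least the head hash) off the appliance continuously rather than relying on local integrity checks.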
Stay vigilant: prioritize rapid triage for critical edge and OT-facing devices, apply vendor mitigations where available, and augment patching with compensating controls and threat intelligence. Check back tomorrow for the latest operational alerts and analysis.