CVE-2025-67038
CRITICAL · 9.8 · KEV · EPSS 1.1%
KEV-listed, CISA active exploitation warning, coordinated defender response underway.
What: The HTTP RPC module of Lantronix EDS5000 firmware 2.1.0.0R3 builds a shell command from the unsanitized username parameter when authentication fails, allowing unauthenticated OS command injection that runs as root (CVSS 9.8).
Why it matters: KEV-listed as of 2026-06-23 with confirmed active exploitation. CISA has issued an urgent patching directive with a federal agency deadline of 2026-06-26. Serial-to-IP device servers sit inside OT/ICS networks; a compromised unit gives an attacker root on a device bridging the IP network to serial-attached equipment and a foothold for lateral movement. Because the injection triggers on a failed login, no credentials are needed. Pending the vendor fix, the device's HTTP management interface should be reachable only from a management network.
Where it's seen: Coordinated alerts across Bluesky and X from CISA, threat intelligence platforms (ZoomEye, TRC), and vulnerability tracking services. Posts emphasize imminent deadline and root-level access implications. No public PoC posted yet, but active exploitation reported.
RISK: CRITICAL — Unauthenticated root RCE in OT infrastructure, KEV-listed, active exploitation confirmed, federal deadline urgent.
Description
An issue was discovered in Lantronix EDS5000 2.1.0.0R3. The HTTP RPC module executes a shell command to write a log entry when a user's authentication fails. The username is concatenated directly into that command without any sanitization, which allows attackers to inject arbitrary OS commands through the username parameter. Injected commands are executed with root privileges.
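The following is an added illustration of the bug class the description names: a log line written by spawning a shell with the untrusted username pasted into the command. It is constructed example code, not Lantronix's firmware or any recovered code from the device; the function names, the command template and the log path are assumptions. The vulnerable builder only returns the command string it would hand to system(), it never executes it; the hardened version shows the two fixes a practitioner would apply, an allow-list on the username and writing the log without a shell at all.

```c
/* Constructed example: shell-built log line vs. hardened logging.
 * NOT the EDS5000 firmware; names and paths are assumptions. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>
#include <ctype.h>

#define LOG_FILE "/var/log/auth.log"   /* assumed log path, illustration only */

/* Vulnerable pattern: the username is spliced into a shell command line.
 * Returns the command the device would pass to system()/popen(); the
 * example builds it but deliberately never runs it. With a username such as
 *   bob'; id; echo '
 * the attacker closes the quoted string early and "id" runs as the process
 * owner (root on the affected device). Returns -1 if the buffer is too small. */
int build_log_cmd_vulnerable(const char *username, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "echo 'login failed for %s' >> " LOG_FILE, username);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* Does a value carry the characters an injection needs to break out of a
 * quoted shell argument? Useful both as an input check and as a quick
 * detection test over captured login attempts. */
bool has_shell_metachars(const char *s)
{
    return strpbrk(s, ";|&`$\n\r'\"()<>{}\\") != NULL;
}

/* Hardened, step 1: allow-list the username before it touches anything.
 * Usernames here are limited to 1..32 characters from [A-Za-z0-9_.-]. */
bool username_is_safe(const char *username)
{
    size_t len = strlen(username);
    if (len == 0 || len > 32) return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)username[i];
        if (!(isalnum(c) || c == '_' || c == '-' || c == '.')) return false;
    }
    return true;
}

/* Hardened, step 2: no shell. Write the log record with stdio (or syslog(3)
 * in a real device), so a metacharacter in the name is just bytes. An
 * invalid name is still logged, but only by length, so a crafted value can
 * neither run commands nor inject fake log lines. Returns 0 on success. */
int log_failed_login_safe(const char *username, FILE *logfp)
{
    int n;
    if (username_is_safe(username))
        n = fprintf(logfp, "login failed for %s\n", username);
    else
        n = fprintf(logfp, "login failed for <rejected username, %zu bytes>\n",
                    strlen(username));
    return (n > 0 && fflush(logfp) == 0) ? 0 : -1;
}

int main(void)
{
    const char *attack = "bob'; id; echo '";   /* constructed test input */
    char cmd[256];

    if (build_log_cmd_vulnerable(attack, cmd, sizeof cmd) > 0)
        printf("vulnerable command line:\n  %s\n", cmd);
    printf("input has shell metacharacters: %s\n",
           has_shell_metachars(attack) ? "yes" : "no");
    printf("allow-list accepts input: %s\n",
           username_is_safe(attack) ? "yes" : "no");
    log_failed_login_safe(attack, stdout);
    log_failed_login_safe("bob", stdout);
    return 0;
}
```

The allow-list alone would stop this particular injection, but the structural fix is the second step: a logging routine that never invokes a shell cannot be turned into command execution, whatever the username contains. Keep both, since the allow-list also blocks log forging through embedded newlines.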
CVSS 3.1 breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Attack vector: Network
- Complexity: Low
- Privileges required: None
- User interaction: None
- Scope: Unchanged
- Confidentiality: High
- Integrity: High
- Availability: High
Affected versions
- lantronix/eds5032_firmware 2.1.0.0r3
- lantronix/eds5008_firmware 2.1.0.0r3
- lantronix/eds5016_firmware 2.1.0.0r3
Weaknesses
Vendors
- lantronix
Products
- eds5032_firmware
- eds5032
- eds5008_firmware
- eds5008
- eds5016_firmware
- eds5016
References
- http://eds5000.com [Broken Link]