CVE-2025-67038: Lantronix EDS5000 OS Command Injection Vulnerability

Overview

A critical OS command injection vulnerability (CVE-2025-67038) has been identified in the Lantronix EDS5000 series serial device server. The flaw allows attackers to inject arbitrary operating system commands through the username parameter during authentication, with all injected commands executing under root privileges — giving an attacker complete control of the affected device.

The vulnerability has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, indicating it is being actively leveraged in real-world attacks.

Vulnerability Details

Field	Value
CVE ID	CVE-2025-67038
Vendor	Lantronix
Product	EDS5000 Series
Vulnerability Type	OS Command Injection (CWE-78)
Attack Vector	Network
Privileges Required	None
User Interaction	None
CISA KEV Listed	Yes — June 23, 2026
Execution Context	Root

What is the Lantronix EDS5000?

The EDS5000 is an industrial serial device server used to connect legacy RS-232/422/485 serial equipment to modern TCP/IP networks. These devices are widely deployed in:

Manufacturing and industrial control systems (ICS)
Building automation and SCADA environments
Healthcare and medical device networks
Utilities and energy infrastructure

Because EDS5000 units often sit in critical OT (operational technology) environments and are rarely updated, vulnerabilities in these devices carry significant operational risk.

Technical Description

The vulnerability exists in the authentication handling code of the EDS5000's web management interface. The username field fails to sanitize user input before passing it to a shell interpreter, enabling classic OS command injection:

username=admin; <malicious_command>; #

Because the underlying process runs as root, injected commands inherit full system privileges. An attacker can exploit this without any prior credentials, making it a zero-authentication, network-accessible RCE.

Attack Primitives Enabled

Remote command execution as root
Persistence mechanisms (cron jobs, modified startup scripts)
Lateral movement from OT network to IT network
Configuration extraction (credentials, network maps)
Device bricking or disruption of connected serial equipment

CISA KEV Listing

CISA added CVE-2025-67038 to the Known Exploited Vulnerabilities catalog on June 23, 2026, confirming active exploitation in the wild. Federal agencies operating under BOD 22-01 are required to remediate this vulnerability by the CISA-mandated deadline.

Organizations using Lantronix EDS5000 devices should treat this as an emergency remediation priority, regardless of sector.

Affected Versions

Lantronix EDS5000 devices running firmware versions prior to the vendor's patch release are affected. Consult the Lantronix security advisories page for specific version details and patched firmware.

Remediation

Immediate Actions

Apply the vendor firmware patch as soon as it becomes available from Lantronix
Restrict network access — Place EDS5000 devices behind a firewall or VPN; block direct internet exposure
Disable the web management interface if not actively needed
Audit authentication logs for anomalous login attempts with unusual username strings
Segment OT/IT networks to limit blast radius if a device is compromised

Detection

Look for HTTP POST requests to the EDS5000 management interface where the username parameter contains shell metacharacters: ;, |, &&, `, $().

POST /auth HTTP/1.1
Host: <device-ip>
Content-Type: application/x-www-form-urlencoded

username=admin%3B+id%3B+%23&password=anything

Network Controls

# Block EDS5000 management ports (80/443) from untrusted networks
iptables -A INPUT -p tcp --dport 80 -s <trusted_mgmt_subnet> -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP

Risk Assessment

Risk Factor	Assessment
Exploitability	High — no auth, network-accessible
Impact	Critical — root RCE on OT device
Exposure	Medium — typically internal, but internet-exposed deployments exist
Patchability	Depends on vendor firmware availability
Compensating Controls	Network segmentation, web UI disable

Recommendations

Federal agencies: Patch per CISA BOD 22-01 deadline
Industrial/OT operators: Treat as P1 — emergency network isolation if patch unavailable
Security teams: Scan for internet-exposed EDS5000 devices using Shodan or equivalent; audit firewall rules for serial device servers

Sources

Overview

The vulnerability has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, indicating it is being actively leveraged in real-world attacks.

Vulnerability Details

Field	Value
CVE ID	CVE-2025-67038
Vendor	Lantronix
Product	EDS5000 Series
Vulnerability Type	OS Command Injection (CWE-78)
Attack Vector	Network
Privileges Required	None
User Interaction	None
CISA KEV Listed	Yes — June 23, 2026
Execution Context	Root

What is the Lantronix EDS5000?

The EDS5000 is an industrial serial device server used to connect legacy RS-232/422/485 serial equipment to modern TCP/IP networks. These devices are widely deployed in:

Manufacturing and industrial control systems (ICS)
Building automation and SCADA environments
Healthcare and medical device networks
Utilities and energy infrastructure

Because EDS5000 units often sit in critical OT (operational technology) environments and are rarely updated, vulnerabilities in these devices carry significant operational risk.

Technical Description

username=admin; <malicious_command>; #

Attack Primitives Enabled

Remote command execution as root
Persistence mechanisms (cron jobs, modified startup scripts)
Lateral movement from OT network to IT network
Configuration extraction (credentials, network maps)
Device bricking or disruption of connected serial equipment

CISA KEV Listing

Organizations using Lantronix EDS5000 devices should treat this as an emergency remediation priority, regardless of sector.

Affected Versions

Lantronix EDS5000 devices running firmware versions prior to the vendor's patch release are affected. Consult the Lantronix security advisories page for specific version details and patched firmware.

Remediation

Immediate Actions

Apply the vendor firmware patch as soon as it becomes available from Lantronix
Restrict network access — Place EDS5000 devices behind a firewall or VPN; block direct internet exposure
Disable the web management interface if not actively needed
Audit authentication logs for anomalous login attempts with unusual username strings
Segment OT/IT networks to limit blast radius if a device is compromised

Detection

Look for HTTP POST requests to the EDS5000 management interface where the username parameter contains shell metacharacters: ;, |, &&, `, $().

POST /auth HTTP/1.1
Host: <device-ip>
Content-Type: application/x-www-form-urlencoded

username=admin%3B+id%3B+%23&password=anything

Network Controls

# Block EDS5000 management ports (80/443) from untrusted networks
iptables -A INPUT -p tcp --dport 80 -s <trusted_mgmt_subnet> -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP

Risk Assessment

Risk Factor	Assessment
Exploitability	High — no auth, network-accessible
Impact	Critical — root RCE on OT device
Exposure	Medium — typically internal, but internet-exposed deployments exist
Patchability	Depends on vendor firmware availability
Compensating Controls	Network segmentation, web UI disable

Recommendations

Federal agencies: Patch per CISA BOD 22-01 deadline
Industrial/OT operators: Treat as P1 — emergency network isolation if patch unavailable
Security teams: Scan for internet-exposed EDS5000 devices using Shodan or equivalent; audit firewall rules for serial device servers

CVE-2025-67038: Lantronix EDS5000 OS Command Injection Vulnerability

Affected Products

Overview

Vulnerability Details

What is the Lantronix EDS5000?

Technical Description

Attack Primitives Enabled

CISA KEV Listing

Affected Versions

Remediation

Immediate Actions

Detection

Network Controls

Risk Assessment

Recommendations

Sources

CVE-2026-7037: Unauthenticated OS Command Injection in Totolink A8000RU

CVE-2025-29635: D-Link DIR-823X Command Injection

CVE-2026-6112: Totolink A7100RU OS Command Injection via setRadvdCfg

CVE-2025-67038: Lantronix EDS5000 OS Command Injection Vulnerability

Affected Products

Overview

Vulnerability Details

What is the Lantronix EDS5000?

Technical Description

Attack Primitives Enabled

CISA KEV Listing

Affected Versions

Remediation

Immediate Actions

Detection

Network Controls

Risk Assessment

Recommendations

Sources

CVE-2026-7037: Unauthenticated OS Command Injection in Totolink A8000RU

CVE-2025-29635: D-Link DIR-823X Command Injection

CVE-2026-6112: Totolink A7100RU OS Command Injection via setRadvdCfg

Affected Products

Overview

Vulnerability Details

What is the Lantronix EDS5000?

Technical Description

Attack Primitives Enabled

CISA KEV Listing

Affected Versions

Remediation

Immediate Actions

Detection

Network Controls

Risk Assessment

Recommendations

Sources

Related Advisories

Affected Products

Overview

Vulnerability Details

What is the Lantronix EDS5000?

Technical Description

Attack Primitives Enabled

CISA KEV Listing

Affected Versions

Remediation

Immediate Actions

Detection

Network Controls

Risk Assessment

Recommendations

Sources

Related Advisories