Lantronix EDS5000 CVE-2025-67038 exploitation

Summary

CISA added CVE-2025-67038, a Lantronix EDS5000 command-injection vulnerability, to the Known Exploited Vulnerabilities catalog on 2026-06-23. The vulnerable HTTP RPC module writes logs after failed authentication by concatenating the supplied username into a shell command without sanitization, allowing unauthenticated attackers to execute arbitrary OS commands with root privileges on affected EDS5000 firmware.

The durable defender lesson is industrial / edge management-plane triage: a failed-login path can become root command execution, so patching should be paired with evidence preservation, credential review, and segmentation checks for serial-device servers and adjacent OT / IT networks.

Why this matters

  • CISA says CVE-2025-67038 is actively exploited and set a 2026-06-26 remediation due date for covered federal agencies.
  • The exploit path is unauthenticated and network reachable according to NVD's CVSS v3.1 vector: 9.8 critical, network attack vector, low complexity, no privileges, no user interaction, and high confidentiality / integrity / availability impact.
  • CISA's ICS advisory lists EDS5000 deployments across communications, information technology, and critical manufacturing sectors, with worldwide deployment.
  • Because the vulnerability sits on a failed-authentication logging path, suspicious username values and failed-login bursts can be exploit evidence rather than ordinary brute force noise.

Operational characteristics

  • Affected product: Lantronix EDS5000, specifically firmware 2.1.0.0R3 in the CISA / NVD records.
  • Vulnerable component: HTTP RPC logging behavior after authentication failure.
  • Exploit primitive: the username parameter is concatenated into a shell command without sanitization.
  • Impact: arbitrary OS command execution with root privileges.
  • Fix: CISA's ICS advisory says Lantronix recommends upgrading EDS5000 to version 2.2.0.0R1.
  • Attribution: no named actor or ransomware linkage is established in the public CISA KEV entry.
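The advisory describes the defect class rather than the firmware code, so the following is an added illustration, not Lantronix's code: a submitted username spliced into a shell command line on the failed-login logging path, beside two safe forms of the same log call. The `logger` command, the `webauth` tag and the function names are assumptions made for the example.

```python
"""Added example, not Lantronix code: the pattern the advisory describes
(username concatenated into a shell command on the failed-login path),
shown next to two safe forms. The command line and tag are illustrative."""
import shlex
import subprocess


def build_log_command_unsafe(username):
    # The described pattern: user-controlled text becomes part of a shell
    # command line. Returned as a string so it can be inspected; never hand
    # this to a shell.
    return "logger -t webauth 'failed login for " + username + "'"


def build_log_command_quoted(username):
    # First safe form: if a shell is unavoidable, shell-escape the whole
    # untrusted argument so quote characters in the username cannot end it.
    return "logger -t webauth " + shlex.quote("failed login for " + username)


def build_log_argv(username):
    # Preferred form: an argument vector run without a shell, so no character
    # in the username is ever interpreted as syntax.
    return ["logger", "-t", "webauth", "failed login for " + username]


def shell_words(command):
    # How a POSIX shell would tokenise the line. A username that changes the
    # token count has escaped the quoting it was placed in.
    return shlex.split(command)


def log_failed_login(username, run=subprocess.run):
    # Production path: argv form with shell=False. `run` is injectable so the
    # call can be exercised without a real `logger` binary present.
    return run(build_log_argv(username), shell=False, check=False)
```

Comparing `shell_words(build_log_command_unsafe(u))` with `build_log_argv(u)` for any username containing a quote or separator shows the difference: the unsafe string gains extra tokens, the argv form always has exactly four, with the username confined to the last one.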

Defender heuristics

  • Inventory Lantronix EDS5000 devices, including serial-device servers embedded in remote sites, OT networks, network closets, and vendor-managed environments.
  • Upgrade affected EDS5000 firmware to 2.2.0.0R1 or later following Lantronix guidance. If immediate upgrade is not possible, remove untrusted network reachability and restrict management access to a tightly controlled jump path.
  • Review web-management and authentication logs for failed-login attempts with shell metacharacters, command separators, URL-encoded payloads, or unusually long usernames.
  • Treat exploitation as root-level appliance compromise until ruled out:
      ◦ preserve available logs and configuration backups before factory reset or firmware reinstallation;
      ◦ collect current process, connection, startup, and filesystem state where operationally safe;
      ◦ look for downloader activity, added users, changed passwords, SSH key changes, altered services, or suspicious outbound connections;
      ◦ rotate credentials that traversed or managed the device, including shared local admin passwords and jump-host secrets.
  • Check downstream trust assumptions: EDS devices can bridge management, serial, and operational environments, so review adjacent network access, serial-connected assets, firewall rules, and any monitoring gaps introduced by appliance compromise.
  • After remediation, enforce management-plane ACLs and alert on internet exposure or failed-authentication bursts against EDS5000 interfaces.
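The log-review and failed-authentication-burst heuristics above can be turned into a small triage filter. The following is an added example, not from the advisory or from Lantronix: the record format, source addresses, usernames and thresholds are all constructed for the example, since the EDS5000's real log format is not on this page and a site will need its own parser and tuning.

```python
"""Added example (not from the advisory or Lantronix): flag failed-login
records whose username carries shell metacharacters, URL-encoded
metacharacters, or an oversized value, and sources with failure bursts.
Log format, sample data and thresholds are constructed assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed sample records: timestamp, source, outcome, username as submitted.
SAMPLE_LOG = "\n".join([
    "2026-06-20T10:00:01 src=10.1.1.5 auth=fail user=admin",
    "2026-06-20T10:00:02 src=10.1.1.5 auth=fail user=admin",
    "2026-06-20T10:00:09 src=198.51.100.7 auth=fail user=admin%3B%20echo%20probe",
    "2026-06-20T10:00:10 src=198.51.100.7 auth=fail user=root`echo probe`",
    "2026-06-20T10:00:11 src=198.51.100.7 auth=fail user=" + "a" * 48,
    "2026-06-20T10:00:12 src=198.51.100.7 auth=fail user=operator",
    "2026-06-20T10:05:00 src=10.1.1.9 auth=ok user=operator",
])

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) auth=(?P<auth>\S+) user=(?P<user>.*)$")
# Characters a POSIX shell treats specially; none belongs in a real account name.
SHELL_META = set(";|&$`()<>\n'\"\\")
MAX_USERNAME_LEN = 32                  # assumption: tune to the site's account names
BURST_COUNT = 4                        # assumption
BURST_WINDOW = timedelta(seconds=60)   # assumption


def parse(log_text):
    """Parse the constructed format into dicts; unknown lines are skipped."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            records.append(rec)
    return records


def username_findings(user):
    """Reasons a submitted username looks like injection rather than a typo."""
    reasons = []
    decoded = unquote(user)            # check the value the device would see
    if decoded != user:
        reasons.append("url-encoded")
    if SHELL_META & set(decoded):
        reasons.append("shell-metacharacters")
    if len(decoded) > MAX_USERNAME_LEN:
        reasons.append("oversized")
    return reasons


def failed_login_bursts(records):
    """Sources with >= BURST_COUNT failures inside a sliding BURST_WINDOW."""
    by_src = defaultdict(list)
    for rec in records:
        if rec["auth"] == "fail":
            by_src[rec["src"]].append(rec["ts"])
    bursts = {}
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > BURST_WINDOW:
                start += 1
            if end - start + 1 >= BURST_COUNT:
                bursts[src] = max(bursts.get(src, 0), end - start + 1)
    return bursts


def triage(log_text):
    """Return suspicious (src, username, reasons) tuples and per-source bursts."""
    records = parse(log_text)
    suspicious = []
    for rec in records:
        if rec["auth"] != "fail":
            continue
        reasons = username_findings(rec["user"])
        if reasons:
            suspicious.append((rec["src"], rec["user"], reasons))
    return {"suspicious_usernames": suspicious, "bursts": failed_login_bursts(records)}


if __name__ == "__main__":
    for item in triage(SAMPLE_LOG)["suspicious_usernames"]:
        print("suspicious", item)
    print("bursts", triage(SAMPLE_LOG)["bursts"])
```

On the constructed sample, the two `10.1.1.5` failures with a plain `admin` username are ordinary noise, while `198.51.100.7` produces both a four-failure burst and three username findings; that is the distinction the advisory draws between brute-force noise and evidence of attempts against the logging path.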

Sources

  • CISA KEV feed: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
  • CISA KEV catalog page: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
  • CISA ICS Advisory ICSA-26-069-02: https://www.cisa.gov/news-events/ics-advisories/icsa-26-069-02
  • NVD CVE-2025-67038: https://nvd.nist.gov/vuln/detail/CVE-2025-67038
  • Lantronix EDS5000 firmware page: https://ltrxdev.atlassian.net/wiki/spaces/LTRXTS/pages/2538438657/Latest+Firmware+for+the+EDS5000+series+EDS5008+EDS5016+EDS5032