CVE-2025-67038
published 2026-03-11
Priority P187 · critical · 9.8 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA Known Exploited Vulnerability, due 2026-06-26
Exploited in the wild
EPSS: 1.13% (62.4th percentile)
An issue was discovered in Lantronix EDS5000 2.1.0.0R3. The HTTP RPC module executes a shell command to write logs when a user's authentication fails. The username is concatenated directly into the command without any sanitization. This allows attackers to inject arbitrary OS commands into the username parameter. Injected commands are executed with root privileges.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| lantronix | eds5008_firmware | — | — |
| lantronix | eds5016_firmware | — | — |
| lantronix | eds5032_firmware | — | — |
Detection & IOCs (extracted from sources)
- The attack injects arbitrary OS commands via the username parameter in the HTTP RPC module login request; monitor for shell metacharacters or command sequences in authentication username fields on Lantronix EDS5000 devices.
- Target device and firmware version for detection scoping: Lantronix EDS5000 running firmware 2.1.0.0R3; the vulnerable code path is the HTTP RPC module's failed-authentication log-writing shell command.
- Alert on failed authentication attempts to Lantronix EDS5000 HTTP RPC endpoints where the username field contains shell special characters (e.g., ;, |, $(), backticks), as the username is concatenated directly into a shell command.
- CVE-2025-67038 is part of the BRIDGE:BREAK vulnerability set disclosed by Forescout Research Vedere Labs targeting serial-to-IP converters; correlate with other BRIDGE:BREAK indicators when triaging.
- Vulnerable firmware version is 2.1.0.0R3; patched version is 2.2.0.0R1. Ensure detection rules are scoped to unpatched EDS5000 devices and suppressed after upgrade.
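The alerting and scoping rules above, sketched as an added example (not code from any of the cited sources). The event record layout, the inventory mapping and all sample values are assumptions constructed for illustration; the page does not describe the device's request or log format.

```python
import re
from urllib.parse import unquote

# Shell metacharacters named on the page (; | $() backticks) plus & and
# newline, which also separate commands in a POSIX shell.
META = {
    "semicolon": re.compile(r";"),
    "pipe": re.compile(r"\|"),
    "ampersand": re.compile(r"&"),
    "backtick": re.compile(r"`"),
    "dollar-subst": re.compile(r"\$[({]"),
    "newline": re.compile(r"[\r\n]"),
}
VULNERABLE_FW = "2.1.0.0R3"  # per the page; 2.2.0.0R1 is the patched version

def metachar_hits(username):
    """Return names of shell metacharacter classes found in a username."""
    decoded = unquote(username)  # also catch percent-encoded forms such as %3B
    return [name for name, rx in META.items() if rx.search(decoded)]

def triage(events, inventory):
    """Return alerts for failed logins with metacharacters on unpatched devices."""
    alerts = []
    for ev in events:
        if ev["result"] != "fail":
            continue  # the vulnerable path is the failed-auth log write
        hits = metachar_hits(ev["username"])
        if not hits:
            continue
        fw = inventory.get(ev["dst"], "unknown")
        if fw not in (VULNERABLE_FW, "unknown"):
            continue  # suppress for devices confirmed upgraded
        alerts.append({"src": ev["src"], "dst": ev["dst"], "firmware": fw, "hits": hits})
    return alerts

# Constructed sample data (hypothetical hosts; CMD is a placeholder, not a payload).
INVENTORY = {"10.0.5.10": "2.1.0.0R3", "10.0.5.11": "2.2.0.0R1"}
EVENTS = [
    {"src": "10.0.9.4", "dst": "10.0.5.10", "result": "fail", "username": "operator"},
    {"src": "10.0.9.7", "dst": "10.0.5.10", "result": "fail", "username": "user;CMD"},
    {"src": "10.0.9.7", "dst": "10.0.5.11", "result": "fail", "username": "user$(CMD)"},
    {"src": "10.0.9.8", "dst": "10.0.5.12", "result": "fail", "username": "user%60CMD%60"},
    {"src": "10.0.9.9", "dst": "10.0.5.10", "result": "ok", "username": "a|b"},
]

if __name__ == "__main__":
    for alert in triage(EVENTS, INVENTORY):
        print(alert)
```

Devices missing from the inventory are treated as in scope, so an unknown firmware version never silences an alert.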
CVSS provenance
- nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- vulncheck · 9.8 CRITICAL
- cisa · 9.8 CRITICAL
VulDB
Lantronix EDS5000 2.1.0.0R3 HTTP RPC Username os command injection
vuldb·2026-06-23·CVSS 9.8
CVE-2025-67038 [CRITICAL] Lantronix EDS5000 2.1.0.0R3 HTTP RPC Username os command injection
A vulnerability was found in Lantronix EDS5000 2.1.0.0R3. It has been declared as critical. Impacted is an unknown function of the component HTTP RPC Module. The manipulation of the argument Username results in os command injection.
This vulnerability is cataloged as CVE-2025-67038. The attack must originate from the local network. Furthermore, there is an exploit available.
GHSA
GHSA-55gq-23mv-cw8r: An issue was discovered in Lantronix EDS5000 2
ghsa_unreviewed·2026-03-11
CVE-2025-67038 [CRITICAL] CWE-94 GHSA-55gq-23mv-cw8r: An issue was discovered in Lantronix EDS5000 2
An issue was discovered in Lantronix EDS5000 2.1.0.0R3. The HTTP RPC module executes a shell command to write logs when a user's authentication fails. The username is directly concatenated with the command without any sanitization. This allows attackers to inject arbitrary OS commands into the username parameter. Injected commands are executed with root privileges.
VulnCheck
Lantronix EDS5000 Code Injection Vulnerability
vulncheck·2025·CVSS 9.8
CVE-2025-67038 [CRITICAL] CWE-78 Lantronix EDS5000 Code Injection Vulnerability
Lantronix EDS5000 contains a code injection vulnerability that could allow attackers to inject arbitrary OS commands into the username parameter. Injected commands are executed with root privileges.
Affected: Lantronix EDS5000
Required Action: Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.
Exploitation Ref
CISA
Lantronix EDS5000 Code Injection Vulnerability
cisa·2026-06-23·CVSS 9.8
CVE-2025-67038 [CRITICAL] CWE-78 Lantronix EDS5000 Code Injection Vulnerability
Vulnerability: Lantronix EDS5000 Code Injection Vulnerability
Affected: Lantronix EDS5000
Lantronix EDS5000 contains a code injection vulnerability that could allow attackers to inject arbitrary OS commands into the username parameter. Injected commands are executed with root privileges.
Required Action: Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.
No
CISA ICS
Lantronix EDS3000PS and EDS5000
cisa_ics·2026-03-10·CVSS 8.8
[HIGH] Lantronix EDS3000PS and EDS5000
ICS Advisory
## Lantronix EDS3000PS and EDS5000
Release Date: March 10, 2026
Alert Code: ICSA-26-069-02
Related topics: Industrial Control System Vulnerabilities, Industrial Control Systems
## Summary
Successful exploitation of these vulnerabilities could allow an attacker to bypass authentication and execute code with root-level privileges.
The following versions of Lantronix EDS3000PS and EDS5000 are affected:
- EDS3000PS 3.1.0.0R2 (CVE-2025-67039, CVE-2025-70082, CVE-2025-67041)
- EDS5000 2.1.0.0R3 (CVE-2025-67034, CVE-2025-67035, CVE-2025-67036, CVE-2025-67037, CVE-2025-67038)
| CVSS | Vendor | Equipment | Vulnerabilities |
|---|---|---|---|
| v3 9.8 | Lantronix | Lantronix EDS3000PS and EDS5000 | Improper Neutralization of Special Elements used in an OS Command ('OS Comm |
No detection rules found.
No public exploits indexed.
Hackernews
CISA Warns Critical Lantronix EDS5000 Flaw Is Being Actively Exploited
blogs_hackernews·2026-06-24·CVSS 9.8
CVE-2025-67038 [CRITICAL] CISA Warns Critical Lantronix EDS5000 Flaw Is Being Actively Exploited
## CISA Warns Critical Lantronix EDS5000 Flaw Is Being Actively Exploited
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday warned of active exploitation of a critical security flaw impacting Lantronix EDS5000 Series devices, urging Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by June 26, 2026.
The vulnerability in question is CVE-2025-67038 (CVSS score: 9.8), a code injection flaw that could result in the execution of arbitrary commands with elevated privileges.
"The HTTP RPC module executes a shell command to write logs when the user's authentication fails," according to the
Bleepingcomputer
CISA warns of max severity Ubiquiti flaws exploited in attacks
blogs_bleepingcomputer·2026-06-24·CVSS 9.8
CVE-2026-34908 [CRITICAL] CISA warns of max severity Ubiquiti flaws exploited in attacks
## CISA warns of max severity Ubiquiti flaws exploited in attacks
## Bill Toulas
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning of hackers actively exploiting flaws in Ubiquiti UniFi OS and Lantronix serial-to-ethernet servers.
According to the BOD 26-04 directive, federal agencies have three days to apply available security updates or vendor-recommended mitigations.
The Ubiquiti flaws that CISA added to its catalog of Known Exploited Vulnerabilities are:
- CVE-2026-34908: an access control bypass flaw that allows an unauthenticated attacker to make unauthorized changes to a UniFi OS system, potentially leading to full system compromise.
- CVE-2026-34909: a directory/path traversal vulnerability that allows an attacker to access sensitive files on the unde
Hackernews
22 BRIDGE:BREAK Flaws Expose Thousands of Lantronix and Silex Serial-to-IP Converters
blogs_hackernews·2026-04-21·CVSS 7.5
CVE-2026-32955 [HIGH] 22 BRIDGE:BREAK Flaws Expose Thousands of Lantronix and Silex Serial-to-IP Converters
## 22 BRIDGE:BREAK Flaws Expose Thousands of Lantronix and Silex Serial-to-IP Converters
Cybersecurity researchers have identified 22 new vulnerabilities in popular models of serial-to-IP converters from Lantronix and Silex that could be exploited to hijack susceptible devices and tamper with data exchanged by them.
The vulnerabilities have been collectively codenamed BRIDGE:BREAK by Forescout Research Vedere Labs, which identified nearly 20,000 Serial-to-Ethernet converters exposed online globally.
"Some of these vulnerabilities allow attackers to take full control of mission-critical devices connected via serial links," the
- 2026-03-11: Published
- 2026-06-23: Added to CISA KEV
Exploited in the wild