CVE-2025-67038
published 2026-03-11

Priority P187 · critical · 9.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
KEV: CISA Known Exploited Vulnerability, due 2026-06-26
ITW: Exploited in the wild
EPSS: 1.13% (62.4th percentile)
An issue was discovered in Lantronix EDS5000 2.1.0.0R3. The HTTP RPC module executes a shell command to write logs when a user's authentication fails. The username is directly concatenated with the command without any sanitization. This allows attackers to inject arbitrary OS commands into the username parameter. Injected commands are executed with root privileges.

Affected

3 ranges

Vendor     Product            Version range  Fixed in
lantronix  eds5008_firmware
lantronix  eds5016_firmware
lantronix  eds5032_firmware

Detection & IOCs (extracted from sources)

  • Attackers can inject arbitrary OS commands via the username parameter in the HTTP RPC module login request; monitor for shell metacharacters or command sequences in authentication username fields on Lantronix EDS5000 devices
  • Target device and firmware version for detection scoping: Lantronix EDS5000 running firmware 2.1.0.0R3; the vulnerable code path is the HTTP RPC module's failed-authentication log-writing shell command
  • Alert on failed authentication attempts to Lantronix EDS5000 HTTP RPC endpoints where the username field contains shell special characters (e.g., ;, |, $(), backticks), as the username is concatenated directly into a shell command
  • CVE-2025-67038 is part of the BRIDGE:BREAK vulnerability set, disclosed by Forescout Research Vedere Labs, which targets serial-to-IP converters; correlate with other BRIDGE:BREAK indicators when triaging
  • Vulnerable firmware version is 2.1.0.0R3; patched version is 2.2.0.0R1. Ensure detection rules are scoped to unpatched EDS5000 devices and suppressed after upgrade.
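
The alerting logic from the bullets above, as an added example (not from the original page, Lantronix, or Forescout): it flags failed logins whose username contains shell metacharacters and suppresses devices already on the patched firmware. The JSON-lines event schema, device names, addresses and inventory are constructed assumptions; the device's real request and log formats are not given on this page.

```python
import json
import re

# Characters the guidance above names (; | $() backticks) plus other
# shell-significant ones (& < > ${ and line breaks); the extras are an assumption.
SHELL_META = re.compile(r"[;|&`<>\n\r]|\$\(|\$\{")
PATCHED_FW = "2.2.0.0R1"  # fixed firmware version stated on this page

# Constructed inventory and login events; schema and device names are hypothetical.
INVENTORY = {"eds-01": "2.1.0.0R3", "eds-02": "2.2.0.0R1"}
SAMPLE_EVENTS = """\
{"src": "10.0.5.20", "device": "eds-01", "username": "admin", "auth_result": "fail"}
{"src": "10.0.5.21", "device": "eds-01", "username": "op;id", "auth_result": "fail"}
{"src": "10.0.5.21", "device": "eds-02", "username": "svc$(x)", "auth_result": "fail"}
{"src": "10.0.5.22", "device": "eds-01", "username": "a|b", "auth_result": "success"}
{"src": "10.0.5.23", "device": "eds-03", "username": "tech`x`", "auth_result": "fail"}
{"src": "10.0.5.24", "device": "eds-01", "username":
"""


def find_suspicious_logins(jsonl, inventory):
    """Return one alert dict per failed login whose username has shell metacharacters."""
    alerts = []
    for line_no, line in enumerate(jsonl.splitlines(), 1):
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
            if not isinstance(ev, dict):
                raise ValueError("record is not a JSON object")
        except ValueError:
            # Truncated or malformed records are surfaced, not silently dropped.
            alerts.append({"line": line_no, "reason": "unparseable record"})
            continue
        if ev.get("auth_result") == "success":
            continue  # the vulnerable path is the failed-authentication log write
        if inventory.get(ev.get("device")) == PATCHED_FW:
            continue  # suppress for upgraded devices; unknown firmware still alerts
        hits = sorted(set(SHELL_META.findall(str(ev.get("username", "")))))
        if hits:
            alerts.append({"line": line_no, "reason": "shell metacharacters",
                           "src": ev.get("src"), "device": ev.get("device"),
                           "matched": hits})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_logins(SAMPLE_EVENTS, INVENTORY):
        print(alert)
```

Devices missing from the inventory are treated as unpatched, so an incomplete asset list produces extra alerts rather than blind spots.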

CVSS provenance

nvd        v3.1  9.8  CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck        9.8  CRITICAL
cisa             9.8  CRITICAL