Wasteland.
⚡ Active KEV CVE-2025-67038 2026-06-23

CVE-2025-67038: Critical Root-Level Command Injection in Lantronix EDS5000 Device Servers

"Lantronix EDS5000 series device servers contain an unauthenticated OS command injection flaw that lets remote attackers run arbitrary commands as root, and CISA has confirmed it is being actively exploited."

What Is It

CVE-2025-67038 is an OS command injection vulnerability (classified CWE-78 and CWE-94) in the Lantronix EDS5000 running firmware 2.1.0.0R3. According to NVD, the HTTP RPC module executes a shell command to write a log entry whenever an authentication attempt fails. The submitted username is concatenated directly into that command line without any sanitization, so shell metacharacters in the username parameter are interpreted by the shell and an attacker can append commands of their choosing. Because the vulnerable path is the failure branch of login, no valid account is needed: a request with a crafted username reaches it directly. Injected commands execute with root privileges. The flaw carries a CVSS 3.1 base score of 9.8 (CRITICAL), vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H: exploitable over the network with low complexity and no authentication or user interaction.
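The following is an added illustration of the bug class described above, not Lantronix code (the EDS5000 firmware is not public). It reconstructs the pattern NVD describes: a username formatted into a shell command line, beside a hardened version that never hands the username to a shell. The `logger -t httpd` helper command, the `MAX_USERNAME` limit and the sample username `admin$(id)` are assumptions made for the example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_USERNAME 64   /* assumed limit for a login name */

/* VULNERABLE pattern (reconstruction, not vendor code): the username is pasted
 * into a shell command line that the module then hands to system(). Anything
 * the shell treats specially, such as ; | ` and $( ), is interpreted, and the
 * resulting command runs with the caller's (root) privileges. */
int build_vulnerable_log_command(const char *username, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "logger -t httpd \"auth failed for user %s\"", username);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Allowlist of characters a legitimate login name may contain. */
static bool is_username_char(unsigned char c)
{
    return isalnum(c) || c == '_' || c == '-' || c == '.' || c == '@';
}

bool username_is_safe(const char *username)
{
    size_t len = strlen(username);
    if (len == 0 || len > MAX_USERNAME)
        return false;
    for (size_t i = 0; i < len; i++)
        if (!is_username_char((unsigned char)username[i]))
            return false;
    return true;
}

/* Escape for logging: every byte outside the allowlist becomes \xNN, so an
 * attempted payload is preserved as evidence but can never be interpreted.
 * Returns 0 on success, -1 if the output buffer is too small. */
int escape_for_log(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        if (is_username_char(*p)) {
            if (o + 1 >= outlen) return -1;
            out[o++] = (char)*p;
        } else {
            if (o + 4 >= outlen) return -1;          /* room for \xNN plus NUL */
            o += (size_t)snprintf(out + o, outlen - o, "\\x%02x", *p);
        }
    }
    if (o >= outlen) return -1;
    out[o] = '\0';
    return 0;
}

/* HARDENED pattern: no shell at all. The line is formatted with stdio and the
 * (escaped) username is data, never command text. */
int format_safe_log_line(const char *username, char *out, size_t outlen)
{
    char esc[MAX_USERNAME * 4 + 1];
    if (strlen(username) > MAX_USERNAME || escape_for_log(username, esc, sizeof esc) != 0)
        return -1;
    int n = snprintf(out, outlen, "auth failed for user %s", esc);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* If a helper binary really must be invoked, build an argv for execv(): each
 * element is a single argument, so argv[3] reaches the helper verbatim and is
 * never parsed by /bin/sh. Returns the argument count; argv is NULL-terminated. */
int build_logger_argv(const char *username, char *msg, size_t msglen, const char *argv[5])
{
    int n = snprintf(msg, msglen, "auth failed for user %s", username);
    if (n < 0 || (size_t)n >= msglen) return -1;
    argv[0] = "logger"; argv[1] = "-t"; argv[2] = "httpd"; argv[3] = msg; argv[4] = NULL;
    return 4;
}

int main(void)
{
    const char *payload = "admin$(id)";   /* constructed sample username */
    char cmd[256], line[512], msg[256];
    const char *argv[5];

    build_vulnerable_log_command(payload, cmd, sizeof cmd);
    printf("vulnerable command line : %s\n", cmd);     /* $(id) would run as root */
    printf("username_is_safe        : %s\n", username_is_safe(payload) ? "yes" : "no");
    format_safe_log_line(payload, line, sizeof line);
    printf("hardened log line       : %s\n", line);    /* payload bytes hex-escaped */
    build_logger_argv(payload, msg, sizeof msg, argv);
    printf("execv argv[3]           : %s\n", argv[3]); /* one argument, not shell text */
    return 0;
}
```

The design point is that rejecting the request is not enough on its own: the failure branch still needs to log something, so the log writer must treat the username as data (stdio, or a separate argv element for `execv`) rather than as part of a command string, and escaping rather than dropping bad bytes keeps the attacker's payload visible to whoever reads the log later.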

Why It Matters

Because exploitation requires no credentials and triggers on a failed login, any network-reachable EDS5000 is at risk of full root compromise. CISA added CVE-2025-67038 to its Known Exploited Vulnerabilities catalog on 2026-06-23, confirming active exploitation in the wild. NVD's SSVC assessment likewise rates exploitation as "active," automatable "yes," and technical impact "total." Known ransomware campaign use is currently listed as Unknown.

What's Vulnerable

Per NVD's affected CPE configurations, the affected products are the Lantronix EDS5000 series device servers running firmware 2.1.0.0R3.

Patch Status

CISA's required action, due 2026-06-26, is to apply mitigations per vendor instructions in line with BOD 26-04 and CISA's Forensics Triage Requirements. For cloud services, follow applicable BOD 26-04 guidance, or discontinue use of the product if mitigations are unavailable. Stakeholders must evaluate each asset's internet exposure and adhere to BOD 26-04 patching guidelines. Lantronix has published updated firmware for the EDS5000 series (see Sources). Since the vulnerable code path is the HTTP RPC module's login handler, any EDS5000 whose web interface is reachable from untrusted networks should be treated as exposed until that firmware is applied.

Sources