Cyber Resilience

CVE-2025-67035

CriticalRCEUpdated

Published: 11 March 2026

Published
11 March 2026
Modified
23 June 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0043 34.2th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2025-67035 is a critical-severity Code Injection (CWE-94) vulnerability in Lantronix Eds5032 Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 34.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-67035 involves multiple OS command injection vulnerabilities (CWE-94) in Lantronix EDS5000 version 2.1.0.0R3. These flaws affect the SSH Client and SSH Server web pages, stemming from inadequate sanitization of input parameters. Attackers can inject arbitrary commands during delete actions for objects like server keys, users, and known hosts, with the commands executing under root privileges. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical.

A remote, unauthenticated attacker can exploit this over the network with low attack complexity and no user interaction required. Exploitation allows execution of arbitrary root-level commands, enabling full system compromise, data exfiltration, modification of configurations, or disruption of device operations.

Advisories and patch information are detailed in CISA ICSA-26-069-02, along with resources on lantronix.com and eds5000.com. Security practitioners should review these for vendor-recommended mitigations, such as applying updates or implementing access controls.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

An issue was discovered in Lantronix EDS5000 2.1.0.0R3. The SSH Client and SSH Server pages are affected by multiple OS injection vulnerabilities due to missing sanitization of input parameters. An attacker can inject arbitrary commands in delete actions of various…

more

objects, such as server keys, users, and known hosts. Commands are executed with root privileges.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Direct remote unauthenticated OS command injection on public-facing web interface (SSH config pages) enables T1190 for initial access and T1059.004 for Unix shell command execution as root.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-67038Same product: Lantronix Eds5008
CVE-2025-67036Same product: Lantronix Eds5008
CVE-2025-67034Same product: Lantronix Eds5008
CVE-2025-67037Same product: Lantronix Eds5008
CVE-2025-67041Same vendor: Lantronix
CVE-2026-26830Shared CWE-94
CVE-2024-54804Shared CWE-94
CVE-2024-54806Shared CWE-94
CVE-2024-36057Shared CWE-94
CVE-2026-25001Shared CWE-94

Affected Assets

lantronix
eds5032 firmware
2.1.0.0r3
lantronix
eds5008 firmware
2.1.0.0r3
lantronix
eds5016 firmware
2.1.0.0r3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-10 directly addresses the missing input sanitization by requiring validation mechanisms at web input points to prevent OS command injection.

prevent

SI-2 requires identification, reporting, and correction of flaws like this command injection vulnerability through timely patching.

prevent

AC-6 enforces least privilege to restrict the scope of arbitrary commands executed with root privileges if injection occurs.

References