CVE-2025-67036
Published: 11 March 2026
Summary
CVE-2025-67036 is a high-severity Code Injection (CWE-94) vulnerability in Lantronix Eds5032 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 16.1th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-10 directly addresses the missing sanitization of the file name parameter by requiring validation of inputs to block command injection attacks.
SI-9 restricts the file name input to only valid log file names, preventing injection of arbitrary OS commands.
SI-2 ensures timely patching of the command injection flaw as recommended in CISA and vendor advisories.
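An added example (not Lantronix code and not taken from the advisories) of the input validation that SI-10 and SI-9 describe for a log viewer like the Log Info page: the file name is checked against a strict pattern and against the directory listing, then read with file APIs so no shell ever parses it. The naming pattern, log directory, size cap, and function names are assumptions.

```python
import os
import re
import tempfile

# Assumed naming policy: plain log names such as "syslog" or "boot.log.1".
_LOG_NAME = re.compile(r"[A-Za-z0-9_-]+(\.[A-Za-z0-9_-]+)*")
MAX_BYTES = 64 * 1024  # assumed cap on how much of a log one request returns

class InvalidLogName(ValueError):
    """Raised when a requested log name fails validation."""

def resolve_log_path(name: str, log_dir: str) -> str:
    """Map a user-supplied log name to a file inside log_dir, or raise."""
    # 1. Syntax: fullmatch rejects shell metacharacters, slashes, whitespace
    #    and trailing newlines anywhere in the name.
    if len(name) > 64 or not _LOG_NAME.fullmatch(name):
        raise InvalidLogName("illegal characters in log name")
    # 2. Allow-list: the name must be a file that actually exists in log_dir.
    if name not in os.listdir(log_dir):
        raise InvalidLogName("unknown log file")
    # 3. Containment: a symlink must not lead outside log_dir.
    root = os.path.realpath(log_dir)
    path = os.path.realpath(os.path.join(root, name))
    if os.path.dirname(path) != root or not os.path.isfile(path):
        raise InvalidLogName("log path escapes the log directory")
    return path

def read_log(name: str, log_dir: str) -> str:
    """Return the tail of a log using file APIs only; no shell is involved."""
    path = resolve_log_path(name, log_dir)
    with open(path, "rb") as fh:
        fh.seek(max(0, os.path.getsize(path) - MAX_BYTES))
        return fh.read().decode("utf-8", errors="replace")

def demo() -> dict:
    """Run constructed names against a temporary, constructed log directory."""
    results = {}
    samples = ["syslog", "syslog; id", "$(id)", "../etc/passwd", "syslog\n", "missing.log"]
    with tempfile.TemporaryDirectory() as log_dir:
        with open(os.path.join(log_dir, "syslog"), "w") as fh:
            fh.write("constructed sample line\n")
        for name in samples:
            try:
                read_log(name, log_dir)
                results[name] = "served"
            except InvalidLogName as exc:
                results[name] = str(exc)
    return results
```

Rejecting the request outright, rather than stripping characters and continuing, keeps the check simple to audit and gives the device a clear event to log.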
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Command injection on public-facing Log Info page enables remote exploitation (T1190) for Unix shell command execution (T1059.004) with root privilege escalation (T1068).
NVD Description
An issue was discovered in Lantronix EDS5000 2.1.0.0R3. The Log Info page allows users to see log files by specifying their names. Due to a missing sanitization in the file name parameter, an authenticated attacker can inject arbitrary OS commands that are executed with root privileges.
Deeper analysis
CVE-2025-67036 is a command injection vulnerability (CWE-94) in Lantronix EDS5000 version 2.1.0.0R3, published on 2026-03-11. The flaw affects the Log Info page, which permits users to access log files by specifying their names. Insufficient sanitization of the file name parameter enables injection of arbitrary OS commands executed with root privileges. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for confidentiality, integrity, and availability impacts.
An authenticated attacker with low privileges (PR:L) can exploit this vulnerability remotely over the network (AV:N) with low attack complexity (AC:L) and without requiring user interaction (UI:N). Exploitation allows execution of arbitrary OS commands as root, enabling full system compromise, including data exfiltration, modification, or disruption on the affected EDS5000 device.
Advisories providing mitigation guidance, including patches or workarounds, are available from CISA (ICSA-26-069-02) and vendor resources at eds5000.com and lantronix.com. Security practitioners should consult these references promptly for remediation steps tailored to the EDS5000 deployment.
Details
- CWE(s)