Cyber Resilience

CVE-2025-67037

HighRCE

Published: 11 March 2026

Published
11 March 2026
Modified
19 March 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0038 30.1th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2025-67037 is a high-severity Code Injection (CWE-94) vulnerability in Lantronix Eds5032 Firmware. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 30.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-67037 is a command injection vulnerability (CWE-94) in Lantronix EDS5000 version 2.1.0.0R3, published on 2026-03-11. The flaw occurs when an authenticated attacker injects operating system commands into the "tunnel" parameter during the process of killing a tunnel connection. These injected commands execute with root privileges on the affected device.

The vulnerability requires network access and low-privileged authentication (PR:L) with low attack complexity (AC:L) and no user interaction (UI:N), carrying a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). An attacker can exploit it remotely by authenticating to the EDS5000, then crafting a malicious "tunnel" parameter in a tunnel-kill request to execute arbitrary root-level commands, achieving high confidentiality, integrity, and availability impacts such as full device compromise.

Mitigation guidance is provided in vendor resources at http://eds5000.com and http://lantronix.com, along with CISA ICS Advisory ICSA-26-069-02 at https://www.cisa.gov/news-events/ics-advisories/icsa-26-069-02.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

An issue was discovered in Lantronix EDS5000 2.1.0.0R3. An authenticated attacker can inject OS commands into the "tunnel" parameter when killing a tunnel connection. Injected commands are executed with root privileges.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Command injection in network-accessible device service directly enables remote exploitation for Unix shell command execution as root (initial access + priv esc).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-67036Same product: Lantronix Eds5008
CVE-2025-67034Same product: Lantronix Eds5008
CVE-2025-67038Same product: Lantronix Eds5008
CVE-2025-67035Same product: Lantronix Eds5008
CVE-2025-67041Same vendor: Lantronix
CVE-2026-32613Shared CWE-94
CVE-2026-25366Shared CWE-94
CVE-2025-70082Same vendor: Lantronix
CVE-2025-67039Same vendor: Lantronix
CVE-2026-28425Shared CWE-94

Affected Assets

lantronix
eds5032 firmware
2.1.0.0
lantronix
eds5008 firmware
2.1.0.0
lantronix
eds5016 firmware
2.1.0.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly validates and sanitizes the 'tunnel' parameter input to prevent command injection exploits.

prevent

Promptly identifies, reports, and remediates the specific command injection flaw in Lantronix EDS5000.

prevent

Enforces least privilege on the tunnel-kill process to prevent injected commands from executing with root privileges.

References