Cyber Posture

CVE-2025-67037

HighRCE

Published: 11 March 2026

Published
11 March 2026
Modified
19 March 2026
KEV Added
Patch
CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0005 16.1th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-67037 is a high-severity Code Injection (CWE-94) vulnerability in Lantronix Eds5032 Firmware. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 16.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly validates and sanitizes the 'tunnel' parameter input to prevent command injection exploits.

SI-2 Flaw Remediation good match
prevent

Promptly identifies, reports, and remediates the specific command injection flaw in Lantronix EDS5000.

AC-6 Least Privilege partial match
prevent

Enforces least privilege on the tunnel-kill process to prevent injected commands from executing with root privileges.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
attack.mitre.org →
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
attack.mitre.org →
Why these techniques?

Command injection in network-accessible device service directly enables remote exploitation for Unix shell command execution as root (initial access + priv esc).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

An issue was discovered in Lantronix EDS5000 2.1.0.0R3. An authenticated attacker can inject OS commands into the "tunnel" parameter when killing a tunnel connection. Injected commands are executed with root privileges.

Deeper analysisAI

CVE-2025-67037 is a command injection vulnerability (CWE-94) in Lantronix EDS5000 version 2.1.0.0R3, published on 2026-03-11. The flaw occurs when an authenticated attacker injects operating system commands into the "tunnel" parameter during the process of killing a tunnel connection. These injected commands execute with root privileges on the affected device.

The vulnerability requires network access and low-privileged authentication (PR:L) with low attack complexity (AC:L) and no user interaction (UI:N), carrying a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). An attacker can exploit it remotely by authenticating to the EDS5000, then crafting a malicious "tunnel" parameter in a tunnel-kill request to execute arbitrary root-level commands, achieving high confidentiality, integrity, and availability impacts such as full device compromise.

Mitigation guidance is provided in vendor resources at http://eds5000.com and http://lantronix.com, along with CISA ICS Advisory ICSA-26-069-02 at https://www.cisa.gov/news-events/ics-advisories/icsa-26-069-02.

Details

CWE(s)
CWE-94

Affected Products

lantronix
eds5032 firmware
2.1.0.0
lantronix
eds5008 firmware
2.1.0.0
lantronix
eds5016 firmware
2.1.0.0

CVEs Like This One

CVE-2025-67036Same product: Lantronix Eds5008
CVE-2025-67034Same product: Lantronix Eds5008
CVE-2025-67035Same product: Lantronix Eds5008
CVE-2025-67038Same product: Lantronix Eds5008
CVE-2025-67041Same vendor: Lantronix
CVE-2026-32613Shared CWE-94
CVE-2026-25366Shared CWE-94
CVE-2025-70082Same vendor: Lantronix
CVE-2025-67039Same vendor: Lantronix
CVE-2026-25001Shared CWE-94

References