Cyber Resilience

CVE-2025-67038

Tags: Critical · CISA KEV · Active Exploitation · RCE · Updated

Published: 11 March 2026
Modified: 24 June 2026
KEV Added: 23 June 2026
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0113 (62.3rd percentile)
Risk Priority: 100 (floored blend · peak EPSS)

Summary

CVE-2025-67038 is a critical-severity Code Injection (CWE-94) vulnerability in Lantronix Eds5032 Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 37.7% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-67038 is a critical command injection vulnerability (CWE-94) in the Lantronix EDS5000 device, specifically version 2.1.0.0R3. The issue resides in the HTTP RPC module, which executes a shell command to log failed user authentication attempts. The username parameter is directly concatenated into this command without sanitization, enabling attackers to inject arbitrary OS commands that execute with root privileges. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-03-11.

Unauthenticated attackers with network access to the affected device can exploit this vulnerability by supplying a malicious username during an authentication attempt, such as via a login form. No user interaction or privileges are required, and exploitation is straightforward due to low complexity. Successful injection results in arbitrary command execution as root, allowing full device compromise, including unauthorized access to data, configuration changes, service disruption, or persistence mechanisms.

Mitigation details are provided in advisories from the vendor at http://eds5000.com and http://lantronix.com, as well as CISA ICS Advisory ICSA-26-069-02 at https://www.cisa.gov/news-events/ics-advisories/icsa-26-069-02. Security practitioners should review these resources for patching instructions, version updates, or interim workarounds.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

An issue was discovered in Lantronix EDS5000 2.1.0.0R3. The HTTP RPC module executes a shell command to write logs when a user's authentication fails. The username is directly concatenated with the command without any sanitization. This allows attackers to inject arbitrary OS commands into the username parameter. Injected commands are executed with root privileges.

CWE(s)
KEV Date Added: 23 June 2026

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

Direct unauthenticated command injection into shell via public HTTP interface enables T1190 for initial exploitation and T1059.004 for Unix shell command execution as root.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

- CVE-2025-67035: same product (Lantronix Eds5008)
- CVE-2025-67036: same product (Lantronix Eds5008)
- CVE-2025-67034: same product (Lantronix Eds5008)
- CVE-2025-67037: same product (Lantronix Eds5008)
- CVE-2026-20045: shared CWE-94, both on KEV
- CVE-2025-49704: shared CWE-94, both on KEV
- CVE-2025-6204: shared CWE-94, both on KEV
- CVE-2025-67041: same vendor (Lantronix)
- CVE-2026-1281: shared CWE-94, both on KEV
- CVE-2025-54068: shared CWE-94, both on KEV

Affected Assets

- lantronix / eds5032 firmware / 2.1.0.0r3
- lantronix / eds5008 firmware / 2.1.0.0r3
- lantronix / eds5016 firmware / 2.1.0.0r3

Mitigating Controls (NIST 800-53 r5) AI

SI-10 Information Input Validation (prevent)

Requires validation of username inputs before concatenation into shell commands, directly preventing command injection in the HTTP RPC authentication logging module.

SI-2 Flaw Remediation (prevent)

Mandates timely flaw remediation by applying vendor patches for the specific command injection vulnerability in Lantronix EDS5000 version 2.1.0.0R3.

AC-6 Least Privilege (prevent)

Enforces least privilege to prevent injected commands in authentication logging from executing with root privileges, limiting potential damage from exploitation.
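The following is an added example, not code from the advisory, from Lantronix, or from the EDS5000 firmware. It illustrates the flaw class described in the "Deeper analysis" section (a username spliced into a shell command that writes the failed-login log entry) next to the SI-10 style fix named above: validate the username against an allowlist and hand the OS an argument list with no shell in the path. The helper names (`log_failed_login`, `build_log_argv_safe`), the `logger -t auth` command line, and the username character policy are assumptions made for illustration; the real module's command and policy are not on the page.

```python
import re
import subprocess
from typing import Callable, List, Optional

# Constructed allowlist policy (an assumption for this example): 1 to 32
# characters drawn from letters, digits, dot, underscore or hyphen. Anything
# else is rejected before it gets anywhere near a command line (NIST SI-10).
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,32}")


def build_log_command_unsafe(username: str) -> str:
    """The flaw class the advisory describes: the username is concatenated
    straight into a shell command string, so the shell parses whatever the
    client sent. Returned for inspection only; this example never runs it."""
    return "logger -t auth 'login failed for user " + username + "'"


def is_valid_username(username: str) -> bool:
    """SI-10 check: accept only the allowlisted character set and length.
    fullmatch() anchors both ends, so a metacharacter anywhere fails."""
    return USERNAME_RE.fullmatch(username) is not None


def build_log_argv_safe(username: str) -> List[str]:
    """Hardened form: validate first, then build an argv list. Passing a list
    to the OS with shell=False means no shell ever tokenises the username,
    so there is no quoting context for an attacker to escape."""
    if not is_valid_username(username):
        raise ValueError("username rejected by input validation")
    return ["logger", "-t", "auth", "login failed for user " + username]


def log_failed_login(
    username: str,
    executor: Optional[Callable[[List[str]], None]] = None,
) -> List[str]:
    """Record a failed login without trusting the username.

    A rejected username is still logged, because the failed attempt is a
    signal defenders want, but as a fixed placeholder so the raw bytes never
    reach a command line. `executor` is injectable so the function can be
    exercised without the `logger` binary; by default it calls
    subprocess.run with shell=False. Returns the argv that was executed."""
    if executor is None:
        executor = lambda argv: subprocess.run(argv, shell=False, check=False)
    try:
        argv = build_log_argv_safe(username)
    except ValueError:
        argv = ["logger", "-t", "auth", "login failed for user <invalid-username>"]
    executor(argv)
    return argv


if __name__ == "__main__":
    # Constructed inputs: a benign name and one carrying a shell metacharacter.
    for name in ("alice", "alice;id"):
        print("unsafe string :", build_log_command_unsafe(name))
        print("validated     :", is_valid_username(name))
        print("executed argv :", log_failed_login(name, executor=lambda argv: None))
```

The unsafe builder exists only to make the contrast concrete: the hostile input is embedded verbatim in a string that a shell would parse, whereas the hardened path either passes a vetted value as a single argv element or substitutes a placeholder. Running the logging step as an unprivileged service account rather than root (the AC-6 control above) is a separate, complementary change that this example does not attempt to show.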

References