CVE-2025-67038
Published: 11 March 2026
Summary
CVE-2025-67038 is a critical-severity Code Injection (CWE-94) vulnerability in Lantronix Eds5032 Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 22.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Requires validation of username inputs before concatenation into shell commands, directly preventing command injection in the HTTP RPC authentication logging module.
Mandates timely flaw remediation by applying vendor patches for the specific command injection vulnerability in Lantronix EDS5000 version 2.1.0.0R3.
Enforces least privilege to prevent injected commands in authentication logging from executing with root privileges, limiting potential damage from exploitation.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct unauthenticated command injection into shell via public HTTP interface enables T1190 for initial exploitation and T1059.004 for Unix shell command execution as root.
NVD Description
An issue was discovered in Lantronix EDS5000 2.1.0.0R3. The HTTP RPC module executes a shell command to write logs when a user's authentication fails. The username is directly concatenated with the command without any sanitization. This allows attackers to inject arbitrary OS commands into the username parameter. Injected commands are executed with root privileges.
Deeper analysis
CVE-2025-67038 is a critical command injection vulnerability (CWE-94) in the Lantronix EDS5000 device, specifically version 2.1.0.0R3. The issue resides in the HTTP RPC module, which executes a shell command to log failed user authentication attempts. The username parameter is directly concatenated into this command without sanitization, enabling attackers to inject arbitrary OS commands that execute with root privileges. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-03-11.
Unauthenticated attackers with network access to the affected device can exploit this vulnerability by supplying a malicious username during an authentication attempt, such as via a login form. No user interaction or privileges are required, and exploitation is straightforward due to low complexity. Successful injection results in arbitrary command execution as root, allowing full device compromise, including unauthorized access to data, configuration changes, service disruption, or persistence mechanisms.
Mitigation details are provided in advisories from the vendor at http://eds5000.com and http://lantronix.com, as well as CISA ICS Advisory ICSA-26-069-02 at https://www.cisa.gov/news-events/ics-advisories/icsa-26-069-02. Security practitioners should review these resources for patching instructions, version updates, or interim workarounds.
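As an added illustration (not code from the Lantronix firmware, the NVD entry or the vendor advisory), the C below contrasts the unsafe pattern the description names, a username spliced into a shell command line, with a hardened version that allowlist-validates the username and writes the log record through stdio so no shell ever interprets it. All function names, the log format and the sample username are hypothetical.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* UNSAFE PATTERN (hypothetical, shown for contrast; the result is never passed to
 * system() here): attacker-controlled text is spliced into a shell command line,
 * so any shell metacharacters it contains become part of the command. */
int build_log_command_unsafe(char *out, size_t n, const char *username)
{
    return snprintf(out, n, "logger -t auth login failed for user=%s", username);
}

/* Allowlist validation: only characters a legitimate account name needs,
 * and at most 32 bytes (an assumed limit for this example). */
bool username_is_safe(const char *u)
{
    size_t len = strlen(u);
    if (len == 0 || len > 32)
        return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)u[i];
        if (!(isalnum(c) || c == '_' || c == '.' || c == '-'))
            return false;
    }
    return true;
}

/* Hardened logging: no shell is involved, so the username is written as data and
 * never interpreted. Returns 0 if logged verbatim, 1 if the username failed
 * validation and a placeholder was logged instead, -1 on a write error. */
int log_auth_failure(FILE *log, const char *username)
{
    bool ok = username_is_safe(username);
    const char *shown = ok ? username : "<rejected-username>";
    if (fprintf(log, "auth: login failed for user=%s\n", shown) < 0)
        return -1;
    return ok ? 0 : 1;
}

int main(void)
{
    char cmd[128];
    /* Constructed sample: a name carrying a shell command separator. */
    build_log_command_unsafe(cmd, sizeof cmd, "alice;id");
    printf("unsafe command line would be: %s\n", cmd);
    log_auth_failure(stdout, "alice");
    log_auth_failure(stdout, "alice;id");
    return 0;
}
```

Running it shows the separator surviving intact into the shell command line in the unsafe path, while the hardened path logs a placeholder and signals the rejection to the caller.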
Details
- CWE(s)