CVE-2025-67041
Published: 11 March 2026
Summary
CVE-2025-67041 is a critical-severity OS Command Injection (CWE-78) vulnerability in Lantronix Eds3016Ps1Ns Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 17.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mandates validation and sanitization of the unsanitized 'host' parameter in the TFTP client to block OS command injection exploits.
Establishes a risk-based process to identify, prioritize, and remediate the specific command injection flaw in Lantronix EDS3000PS.
Enforces least privilege to restrict the scope of damage from arbitrary root-privilege command execution resulting from the vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated RCE via command injection in public-facing web management interface (Filesystem Browser/TFTP) directly enables T1190; resulting root shell access maps to T1059.004 Unix Shell.
NVD Description
An issue was discovered in Lantronix EDS3000PS 3.1.0.0R2. The host parameter of the TFTP client in the Filesystem Browser page is not properly sanitized. This can be exploited to escape from the original command and execute an arbitrary one with…
more
root privileges.
Deeper analysisAI
CVE-2025-67041 is a critical vulnerability affecting Lantronix EDS3000PS version 3.1.0.0R2. The issue resides in the TFTP client functionality within the Filesystem Browser page, where the host parameter is not properly sanitized. This flaw enables an attacker to escape the intended command context and inject arbitrary operating system commands that execute with root privileges. The vulnerability is associated with CWE-78 (Improper Neutralization of Special Elements used in an OS Command), CWE-288 (Authentication Bypass Using an Alternate Path or Channel), and CWE-620 (Unverified Code), earning a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Remote attackers require no privileges, authentication, or user interaction to exploit this vulnerability over the network with low complexity. Successful exploitation grants full root-level remote code execution on the affected device, potentially allowing complete compromise including data exfiltration, persistence, lateral movement, or disruption of device operations.
Mitigation guidance is detailed in CISA ICS Advisory ICSA-26-069-02, as well as vendor resources at lantronix.com and eds3000ps.com. Security practitioners should consult these advisories for patching instructions, workarounds, and affected product details.
Details
- CWE(s)