CVE-2025-67038: Command Injection in Lantronix EDS5000 Actively Exploited

Bottom line: Lantronix EDS5000 devices are vulnerable to remote code execution via command injection in the login protocol (CVE-2025-67038, CVSS 9.8), and active exploitation is occurring.

A critical security vulnerability in the Lantronix EDS5000 series (CVE-2025-67038) is already being exploited on the internet and enables attackers to gain root access to affected systems. The US agency CISA has made patch deployment for federal agencies mandatory by June 26, 2026.

The vulnerability affects the HTTP-RPC module of Lantronix EDS5000 devices and is rated CVSS 9.8. It was discovered in April 2026 by Forescout Research Vedere Labs as part of the security investigation BRIDGE:BREAK. To date, no public information is available about the identified threat actors or specific attack scenarios.

The root cause lies in command injection in the log module: when a user login fails, the system automatically logs the login attempt by executing a shell command. The entered username is inserted unfiltered directly into this system command without prior validation or sanitization.

Attackers exploit this by injecting malicious operating system commands into the username field. These injected commands are subsequently executed with full administrative root privileges on the device. This enables complete access to the affected network device.
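The pattern described above, as an added example that is not Lantronix firmware code: a username pasted into a shell command line, next to a hardened logger that validates the name against an allow-list and never invokes a shell. The `logger` command line, the function names, the 32-character limit and the sample usernames are all assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Vulnerable pattern, shown for contrast and never executed here: the
 * username is pasted into a command line that a shell would then parse.
 * The "logger" command line is an assumption, not the device's code. */
int build_log_cmd_unsafe(char *out, size_t n, const char *user)
{
    return snprintf(out, n, "logger -t auth login failed for %s", user);
}

/* Allow-list check: 1..32 characters from [A-Za-z0-9._-] only. */
int username_is_safe(const char *user)
{
    size_t len = strlen(user);
    if (len == 0 || len > 32)
        return 0;
    return strspn(user, "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                        "abcdefghijklmnopqrstuvwxyz"
                        "0123456789._-") == len;
}

/* Hardened form: no shell at all. The name reaches syslog(3) as data
 * behind a fixed format string; names failing the allow-list are not
 * echoed into the log. Returns 1 if the name was logged verbatim,
 * 0 if it was replaced by a placeholder. */
int log_failed_login(const char *user)
{
    int ok = username_is_safe(user);
    openlog("auth-demo", LOG_PID, LOG_AUTH);
    syslog(LOG_WARNING, "login failed for user=%s", ok ? user : "<rejected>");
    closelog();
    return ok;
}

int main(void)
{
    const char *samples[] = { "operator1", "op;x" };  /* constructed inputs */
    char cmd[128];
    for (size_t i = 0; i < 2; i++) {
        build_log_cmd_unsafe(cmd, sizeof cmd, samples[i]);
        printf("shell would parse: %s\n", cmd);
        printf("hardened path logged verbatim: %d\n", log_failed_login(samples[i]));
    }
    return 0;
}
```

The two controls are independent: the allow-list rejects names containing shell metacharacters, and calling the logging API directly means no shell ever parses the name, even if the allow-list is later loosened.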

For CISOs, the severity rating (CVSS 9.8) and active exploitation create an immediate need for action. Serial-to-IP converters in the Lantronix EDS5000 series should be inventoried across the infrastructure and updated with available patches as quickly as possible, particularly if they are remotely accessible.


Source: www.it-daily.net · Published June 26, 2026
Lumi AI News — AI-assisted curation in accordance with Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.1.
