
Exploitation of Critical Vulnerability in Lantronix Serial-to-Ethernet Device Servers

Successful exploitation of CVE-2025-67038 could lead to unauthenticated OS command injection


Threat details

Exploitation of CVE-2025-67038

The US Cybersecurity and Infrastructure Security Agency (CISA) has added vulnerability CVE-2025-67038 to its Known Exploited Vulnerabilities (KEV) Catalog.

The NHS England National CSOC assesses further exploitation as unlikely.


Introduction

Lantronix has released security updates to address vulnerabilities in EDS3000PS and EDS5000 Device Servers. Successful exploitation of these vulnerabilities could allow an attacker to bypass authentication and execute code with root privileges.

Exploitation of CVE-2025-67038 has been reported in the wild.


Vulnerability Details

Five vulnerabilities affect EDS5000 Series devices:

  • CVE-2025-67034 - 'Improper Neutralization of Special Elements used in an OS Command' vulnerability - CVSSv3.1 score: 7.2
  • CVE-2025-67035 - 'Improper Neutralization of Special Elements used in an OS Command' vulnerability - CVSSv3.1 score: 7.2
  • CVE-2025-67036 - 'Improper Neutralization of Special Elements used in an OS Command' vulnerability - CVSSv3.1 score: 7.2
  • CVE-2025-67037 - 'Improper Neutralization of Special Elements used in an OS Command' vulnerability - CVSSv3.1 score: 7.2
  • CVE-2025-67038 - 'Improper Neutralization of Special Elements used in an OS Command' vulnerability - CVSSv3.1 score: 9.8

Three vulnerabilities affect EDS3000PS Series devices:

  • CVE-2025-67039 - 'Authentication Bypass Using an Alternate Path or Channel' vulnerability - CVSSv3.1 score: 9.8
  • CVE-2025-70082 - 'Unverified Password Change' vulnerability - CVSSv3.1 score: 2.7
  • CVE-2025-67041 - 'Improper Neutralization of Special Elements used in an OS Command' vulnerability - CVSSv3.1 score: 7.2

Threat updates

Date        | Update
26 Jun 2026 | Adjusted likelihood of exploitation for CVE-2025-67038 to "unlikely"

Remediation advice

Affected organisations are encouraged to review CISA's ICS Advisory ICSA-26-069-02 and apply the relevant firmware updates as soon as possible.



Last edited: 26 June 2026 10:48 am