Critical (9.8) Actively Exploited

Lantronix EDS5000 RCE exploited in wild (CVE-2025-67038)


CVE-2025-67038: Lantronix EDS5000 2.1.0.0R3 OS command injection grants unauthenticated root RCE via HTTP RPC username field. No patch available; apply ACL restrictions immediately.

Affected: Lantronix EDS5032 firmware, EDS5032, EDS5008 firmware, EDS5008, EDS5016 firmware

Actively exploited in the wild - CVE-2025-67038 is a critical OS command injection in Lantronix EDS5000 firmware 2.1.0.0R3 that lets unauthenticated attackers execute arbitrary commands as root by crafting a malicious username during failed authentication attempts. No vendor patch is available yet, and exploitation is confirmed by CISA KEV.

Overview

CVE-2025-67038 affects the Lantronix EDS5000 device console server firmware version 2.1.0.0R3. The vulnerability resides in the HTTP RPC module that handles authentication logging. When a user fails authentication, the module constructs a shell command to log the event, directly concatenating the submitted username into the command string without any sanitization or escaping.

An attacker can inject arbitrary OS commands by placing shell metacharacters (such as semicolons, pipes, or backticks) into the username field of the HTTP RPC endpoint. Because the log command is executed on the server, the injected payload runs with full root privileges. This allows complete compromise of the EDS5000 device, including data exfiltration, malware installation, or pivoting into the internal network the device controls.
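The flaw class described above, as an added illustration that is not Lantronix firmware code and is not the page's own: a logging routine that pastes the submitted username into a shell command line, beside two hardened variants. The `logger` command line, the log message format and the username allowlist are assumptions for the example; nothing in the block executes a shell, it only tokenises the strings the way a POSIX shell would, which is also the check a reviewer would apply to any "shell out to log" code path.

```python
"""Command-injection-by-concatenation in an auth-failure logger, next to the
hardened forms. Hypothetical code (assumption): not the EDS5000 firmware."""
import re
import shlex

SHELL_SEPARATORS = {";", "|", "||", "&", "&&"}
# Allowlist for the username field at the trust boundary (assumed policy).
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.@-]{1,64}$")


def vulnerable_command(username: str) -> str:
    """Flawed pattern: untrusted input concatenated into a shell command line.
    The single quotes give a false sense of safety: a quote character inside
    the input closes the literal and the remainder is parsed as shell syntax."""
    return "logger -t auth 'login failed for " + username + "'"


def shell_separators(command_line: str) -> list:
    """Tokenise a command line as a POSIX shell would (punctuation_chars=True
    makes ; | & stand-alone tokens) and return the command separators found.
    A non-empty result means input reached the shell as syntax, not as data."""
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    return [tok for tok in lexer if tok in SHELL_SEPARATORS]


def quoted_command(username: str) -> str:
    """Hardening step 1: if a shell string is unavoidable, quote the whole
    untrusted message so every metacharacter in it is inert data."""
    return "logger -t auth " + shlex.quote("login failed for " + username)


def argv_command(username: str) -> list:
    """Hardening step 2 (preferred): build an argv list for execve-style
    execution, e.g. subprocess.run(argv) without shell=True. No shell ever
    parses it, so the username is one argument whatever it contains."""
    return ["logger", "-t", "auth", "login failed for " + username]


def hardened_log_event(username: str, sink: list) -> bool:
    """Hardening step 3: validate the field against an allowlist and write the
    event with an in-process logger (here: append to `sink`) instead of a
    subprocess. Rejected input is still recorded, but never echoed verbatim."""
    if USERNAME_RE.fullmatch(username):
        sink.append("auth: login failed for " + username)
        return True
    sink.append("auth: login failed for <rejected username, %d chars>" % len(username))
    return False


if __name__ == "__main__":
    for name in ("alice", "x'; id #"):
        print(repr(name),
              "vulnerable:", shell_separators(vulnerable_command(name)),
              "quoted:", shell_separators(quoted_command(name)),
              "argv:", argv_command(name)[-1])
```

For the constructed username `x'; id #` the vulnerable string tokenises to a `;` separator followed by a second command, while the quoted and argv forms keep the whole message as a single argument. The argv form is the one to reach for in firmware: it removes the shell from the path entirely rather than relying on escaping being applied everywhere.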

Impact

With a CVSS score of 9.8 (Critical), the exploit requires no authentication, no user interaction, and can be launched remotely over the network. An attacker can:

  • Execute arbitrary shell commands as root
  • Install persistent backdoors or malware
  • Access or modify sensitive data flowing through the console server
  • Disable or brick the device

CISA has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild. The EPSS score is 0.5%, which, read together with the KEV listing, points to ongoing targeted attacks rather than widespread automated scanning.

Remediation

As of this advisory, Lantronix has not released a firmware update patching CVE-2025-67038. Organizations running EDS5000 firmware 2.1.0.0R3 should:

  1. Immediately restrict network access to the HTTP RPC endpoint - block external internet access to ports 80/443 on the EDS5000. Use firewall rules to limit source IPs to only authorized management hosts.
  2. Disable HTTP RPC if not required - if the remote console functionality is unnecessary, disable the HTTP RPC module entirely through the device configuration menu.
  3. Monitor for exploitation - check HTTP access logs for username strings containing shell metacharacters (;, |, `, $(), etc.). Investigate any authentication failures with unusual usernames.
  4. Engage Lantronix support to request an estimated patch timeline and interim security hardening guidance.
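Remediation step 3 as working detection logic, added here as an example rather than a Lantronix tool: it scans access-log lines for failed logins whose username carries shell metacharacters, flags other unusual usernames for investigation, and ranks source addresses by the number of findings. The log line format, field names and sample entries are constructed for the example (the page does not document the EDS5000 log format), so the line regex must be adapted to the real logs before use.

```python
"""Scan constructed access-log lines for failed logins with suspicious usernames.
Added example; the log format and sample lines are assumptions, not EDS5000 output."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log (assumption: one event per line, user field in quotes).
SAMPLE_LOG = """\
2025-11-02T10:14:03Z 203.0.113.7 POST /rpc auth_failed user="alice"
2025-11-02T10:14:09Z 203.0.113.7 POST /rpc auth_failed user="bob"
2025-11-02T10:15:41Z 198.51.100.23 POST /rpc auth_failed user="admin; ls"
2025-11-02T10:15:42Z 198.51.100.23 POST /rpc auth_failed user="$(id)"
2025-11-02T10:16:00Z 192.0.2.9 POST /rpc auth_ok user="carol"
2025-11-02T10:16:21Z 192.0.2.9 POST /rpc auth_failed user="root admin"
2025-11-02T10:16:30Z 198.51.100.23 POST /rpc auth_failed user="x`id`"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<path>\S+) '
    r'(?P<result>auth_\w+) user="(?P<user>[^"]*)"'
)
# Characters a POSIX shell treats as syntax (the page lists ; | ` and $()).
METACHAR_RE = re.compile(r'[;|&`$(){}<>\n]')
# What a legitimate username on the device is expected to look like (assumed).
NORMAL_USER_RE = re.compile(r'^[A-Za-z0-9_.@-]{1,64}$')


@dataclass
class Finding:
    ts: str
    src: str
    user: str
    reason: str  # "shell_metachar" (high confidence) or "unusual_username"


def classify_username(user: str) -> Optional[str]:
    """Return a finding reason for a username, or None if it looks benign."""
    if METACHAR_RE.search(user):
        return "shell_metachar"
    if not NORMAL_USER_RE.fullmatch(user):
        return "unusual_username"
    return None


def scan_log(text: str) -> List[Finding]:
    """Parse each line and emit a Finding for every failed login whose
    username is suspicious. Successful logins and unparsable lines are skipped
    (in production, count unparsable lines so a format change is noticed)."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["result"] != "auth_failed":
            continue
        reason = classify_username(m["user"])
        if reason:
            findings.append(Finding(m["ts"], m["src"], m["user"], reason))
    return findings


def sources_by_finding_count(findings: List[Finding]) -> dict:
    """Rank source addresses by number of findings, busiest first, to steer
    the investigation and any emergency firewall rule (remediation step 1)."""
    counts = {}
    for f in findings:
        counts[f.src] = counts.get(f.src, 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for f in hits:
        print(f.ts, f.src, f.reason, repr(f.user))
    print(sources_by_finding_count(hits))
```

Run it against exported logs and review every `shell_metachar` hit as a probable exploitation attempt; `unusual_username` hits are lower confidence and mainly serve to surface probing that avoids the obvious characters. The source ranking feeds directly into the access-restriction step, since the addresses generating findings are the ones to block first while the broader ACL is rolled out.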

Security Insight

This vulnerability follows a recurring pattern in embedded device security: legacy authentication-logging mechanisms that shell out to the OS without input validation. The EDS5000 is designed for remote console access in critical infrastructure settings like data centers and industrial environments. That a single unauthenticated HTTP request can achieve root-level command injection suggests the firmware was developed without standard secure coding practices or a formal security review. Organizations should consider replacing EDS5000 devices with actively maintained alternatives if a vendor patch does not arrive promptly.
