Critical Vulnerability

Lantronix EDS5000 RCE exploited in wild

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday warned of active exploitation of a critical security flaw impacting Lantronix EDS5000 Series devices, urging Federal Civilia

What Happened

On Tuesday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a critical flaw in Lantronix EDS5000 Series devices, tracked as CVE-2025-67038, to its Known Exploited Vulnerabilities (KEV) catalog. CISA confirmed active exploitation of the vulnerability, which allows remote attackers to execute arbitrary code on affected devices. The alert compels all Federal Civilian Executive Branch (FCEB) agencies to apply mitigations by the specified deadline, but it also signals a broader threat to enterprises and critical infrastructure operators using these devices.

Why It Matters

Lantronix EDS5000 Series devices are industrial serial-to-Ethernet servers widely deployed in operational technology (OT) environments, including manufacturing, energy, and telecommunications. These devices bridge legacy serial equipment with modern IP networks, making them critical to infrastructure reliability. Exploitation of CVE-2025-67038 could allow attackers to take full control of the device, pivot to connected serial assets, or disrupt OT processes. Given their long service life (often running for years without updates), the vulnerability window is exceptionally wide. CISA's addition of the flaw to the KEV catalog underscores that this is not a theoretical issue - attackers are actively scanning for and exploiting exposed devices.

Technical Details

CVE-2025-67038 is a remote code execution vulnerability that stems from improper input validation in the device’s web interface or command processing. While the specific technical vector has not been fully disclosed by Lantronix, the attack likely involves sending specially crafted HTTP or serial-over-IP requests to trigger a buffer overflow or command injection. Successful exploitation grants the attacker code execution at the device’s privilege level - typically root on the embedded Linux system. Affected firmware versions include those prior to the latest security patch released by Lantronix. Indicators of compromise (IOCs) include unexpected outbound connections from EDS5000 devices, modified device configurations, and abnormal process behavior. Do not assume network segmentation alone mitigates the risk, as the vulnerability is remotely exploitable over the network interface.

Immediate Risk

The risk is high for any organization with internet-facing Lantronix EDS5000 devices. Shodan and similar scanning services likely already have lists of exposed units. Attackers can leverage this RCE to install backdoors, deploy ransomware within OT environments, or exfiltrate sensitive serial data - such as control system commands or telemetry. The vulnerability is trivial to chain with lateral movement tools once a foothold is established. Organizations should treat this as an emergency patching priority, especially for units handling critical infrastructure or patient data. If patching is not possible immediately, isolate the devices from the internet and restrict management access to trusted IPs only.
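The IOCs listed under Technical Details (unexpected outbound connections, modified configurations) and the interim control above (management access from trusted IPs only) can be checked mechanically. The following is an added example, not code from the article or from Lantronix: it triages constructed flow records against an asset inventory and compares a configuration export with a stored baseline. The device IPs, allowlists, trusted admin range, flow-log format and management ports (80/443) are all assumptions for the example.

```python
"""Triage for the EDS5000 IOCs discussed above. All inventory data,
flow records and config snapshots are constructed for this example."""
import hashlib
import ipaddress

# Constructed inventory: serial servers recorded in the asset register.
EDS5000_DEVICES = {"10.20.5.11", "10.20.5.12"}
# Constructed allowlist: the only peers a serial server should initiate to (e.g. NTP, syslog collector).
EXPECTED_OUTBOUND = {"10.20.1.5", "10.20.1.6"}
# Constructed trusted management network (the "trusted IPs only" restriction).
TRUSTED_ADMIN = ipaddress.ip_network("10.20.9.0/24")
# Assumed management ports for the device web interface; confirm against vendor documentation.
MGMT_PORTS = {80, 443}


def parse_flow(line):
    """Parse a constructed 'ts src_ip dst_ip dst_port proto' flow record."""
    ts, src, dst, dport, proto = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "proto": proto}


def check_flows(lines):
    """Return alert tuples for flows matching the two network IOCs."""
    alerts = []
    for line in lines:
        f = parse_flow(line)
        # IOC: a serial server initiating a connection to a peer outside its allowlist.
        if f["src"] in EDS5000_DEVICES and f["dst"] not in EXPECTED_OUTBOUND:
            alerts.append(("unexpected_outbound", f["src"], f["dst"], f["dport"]))
        # Control check: management-plane access from outside the trusted admin range.
        if (f["dst"] in EDS5000_DEVICES and f["dport"] in MGMT_PORTS
                and ipaddress.ip_address(f["src"]) not in TRUSTED_ADMIN):
            alerts.append(("untrusted_mgmt_access", f["src"], f["dst"], f["dport"]))
    return alerts


def config_changed(baseline_cfg, current_cfg):
    """IOC: a fresh config export no longer matches the stored baseline digest."""
    def digest(text):
        return hashlib.sha256(text.encode()).hexdigest()
    return digest(baseline_cfg) != digest(current_cfg)


# Constructed sample flow records (RFC 5737 documentation addresses for external hosts).
SAMPLE_FLOWS = [
    "2025-01-01T10:00:00Z 10.20.5.11 10.20.1.5 123 udp",     # NTP to allowed collector: benign
    "2025-01-01T10:00:05Z 10.20.5.11 203.0.113.77 4444 tcp",  # serial server calling out: alert
    "2025-01-01T10:00:09Z 10.20.9.25 10.20.5.12 443 tcp",     # admin from trusted net: benign
    "2025-01-01T10:00:12Z 198.51.100.9 10.20.5.12 80 tcp",    # web UI hit from outside: alert
]

if __name__ == "__main__":
    for alert in check_flows(SAMPLE_FLOWS):
        print(alert)
```

Feed it real flow exports and a config snapshot taken at commissioning time; a hit on either network check or a digest mismatch is a trigger for the forensic review the article calls for.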

Security Insight

This incident mirrors the 2021 exploitation of MikroTik RouterOS vulnerabilities, where attackers targeted network appliances with long support lifecycles and poor update hygiene. The lesson is clear: OT-adjacent edge devices like serial servers have become a preferred initial access vector because they are often overlooked in patch management programs. Security teams should take this as a call to audit all network-embedded devices, not just those traditionally considered “critical.” Implement a policy of quarterly firmware checks for any device with an IP address - especially industrial controllers, serial servers, and terminal servers - and treat CISA KEV additions as immediate priority triggers. The attacker’s shift to targeting obsolete-but-functioning hardware is a predictable escalation that organizations must proactively counter.
