CVE-2025-67038

CVSS 9.8 (Critical) · EPSS 1.1% · CISA KEV · CWE-94
Vexday Risk Score: 58 (Attention)
SSVC decision (CISA): Act (exploitation + impact: act immediately)
Lifecycle
11 Mar 2026: Published on NVD
23 Jun 2026: Active exploitation (CISA KEV)
Recommendation: Patch as soon as possible — active exploitation confirmed.
In short

The Lantronix EDS5000 device allows attackers to run arbitrary commands as root by injecting shell commands into the username field during login attempts. An attacker can gain complete control of the device without needing valid credentials.

Technical detail

CWE-94 (Improper Control of Generation of Code) via OS command injection in the HTTP RPC module's log-writing mechanism. The username parameter is concatenated unsanitized into a shell command executed during failed authentication, allowing unauthenticated remote code execution with root privileges. No special conditions are required beyond network access to the HTTP interface.

Summary generated and translated by AI from the official description.
An issue was discovered in Lantronix EDS5000 2.1.0.0R3. The HTTP RPC module executes a shell command to write logs when a user's authentication fails. The username is directly concatenated with the command without any sanitization. This allows attackers to inject arbitrary OS commands into the username parameter. Injected commands are executed with root privileges.
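The pattern the description above names (an untrusted username concatenated into a shell command that writes a log line) is shown here as an added Python illustration. It is not Lantronix firmware code, whose internals are not on this page; the log path, the `logger` invocation, the function names and the sample usernames are all assumptions. The block puts the vulnerable construction next to two hardened forms and adds a token-level check that counts how many commands a POSIX shell would actually run, plus a small triage filter for suspicious usernames in authentication logs.

```python
"""Illustrative OS command injection pattern of the kind CVE-2025-67038 describes.

Added, hypothetical example (not Lantronix code). Requires Python 3.8+ for
shlex punctuation_chars / whitespace_split compatibility.
"""
import re
import shlex

# Assumed log location, for illustration only.
LOG_PATH = "/var/log/auth_failures.log"


def build_log_command_vulnerable(username: str) -> str:
    """Vulnerable pattern: the username is dropped straight into a command
    line that will be handed to a shell. Any shell separator in the value
    (';', '|', '&&', '$(...)') changes what the shell executes."""
    return f"echo login failed for {username} >> {LOG_PATH}"


def build_log_command_quoted(username: str) -> str:
    """Mitigation 1: if a shell really must be used, quote the untrusted
    value so the shell sees exactly one literal word, whatever it contains."""
    message = shlex.quote("login failed for " + username)
    return f"echo {message} >> {LOG_PATH}"


def build_log_argv(username: str) -> list:
    """Mitigation 2 (preferred): no shell at all. The returned argv list is
    meant for an exec-style call such as subprocess.run(argv); the username
    travels as a single argument and is never parsed by a shell."""
    return ["logger", "-t", "auth", "login failed for " + username]


def shell_commands(cmdline: str) -> list:
    """Tokenize a command line the way a POSIX shell would (quotes respected,
    ';' '|' '&' '>' treated as punctuation) and split the token stream on
    command separators. The length of the result is the number of commands
    the shell would run for that line."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    commands, current = [], []
    for tok in lexer:
        if tok in (";", "|", "||", "&", "&&"):
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


# Characters that let a value escape a shell word; used only as a triage aid.
SHELL_META = re.compile(r"[;&|`$()<>\n]")


def looks_like_injection(username: str) -> bool:
    """Flag usernames carrying shell metacharacters when reviewing HTTP or
    authentication logs. Expect some false positives on unusual but
    legitimate names; it narrows review, it does not replace the fix."""
    return bool(SHELL_META.search(username))


if __name__ == "__main__":
    # Constructed sample value: one legitimate name, one carrying a separator.
    for name in ("alice", "alice; echo injected"):
        print(f"{name!r}: vulnerable -> {len(shell_commands(build_log_command_vulnerable(name)))} command(s), "
              f"quoted -> {len(shell_commands(build_log_command_quoted(name)))} command(s), "
              f"flagged={looks_like_injection(name)}")
```

The preferred fix is the argv form (or simply writing the log line from inside the process): with no shell in the path there is nothing to inject into. Quoting is the fallback when a shell is unavoidable, and the `shell_commands` check is a cheap regression test to keep beside such code.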
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products: n/a
