Lantronix EDS5000 CVE-2025-67038 in CISA KEV — patch deadline is today
CISA added the CVSS 9.8 command-injection bug — plus three perfect-10 UniFi OS flaws — to KEV on June 23. BOD 26-04 forces federal patching by June 26.
CISA added CVE-2025-67038 — an unauthenticated, CVSS 9.8 command-injection flaw in Lantronix EDS5000-series serial-to-IP console servers — to the Known Exploited Vulnerabilities catalog on June 23, 2026. Under BOD 26-04, federal civilian agencies have until today, June 26, to patch or remove affected devices. Three Ubiquiti UniFi OS bugs were added in the same batch.
What's vulnerable
- Lantronix EDS5000-series serial-to-IP console servers running firmware 2.1.0.0R3 and earlier.
- Fixed in firmware 2.2.0.0R1, released by Lantronix in April.
- The EDS5000 is a serial-to-Ethernet converter used to bridge industrial automation, OT and IoT devices onto IP networks, most often in utilities, manufacturing and healthcare estates.
The flaw
According to Forescout's Vedere Labs, the HTTP RPC module logs failed authentication attempts by concatenating the submitted username into a shell command without sanitization. An unauthenticated attacker with network access to the management interface can embed shell metacharacters in the username parameter; when the device tries to log the failed login, the injected commands execute as root.
No credentials and no privileged role are needed, only a reachable management interface. The CVE was disclosed in April as part of BRIDGE:BREAK, a Forescout research bundle of 22 vulnerabilities: eight in Lantronix EDS3000PS/EDS5000 devices and fourteen in Silex Technology's SD-330AC wireless bridge and AMC Manager. Forescout counted close to 20,000 serial-to-IP converters from the two vendors directly exposed on the public internet at disclosure.
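The pattern Forescout describes, reproduced as an added illustration. This is constructed example code, not Lantronix firmware: the real logging command is not public on this page, so `echo` stands in for it, and the code runs as the current user rather than root. The vulnerable function pastes the username into a shell string; the two fixed functions show the argv form and the quoted form.

```python
"""Constructed illustration of the EDS5000 bug class (not vendor code).

`echo` stands in for whatever logging helper the firmware calls; that
command is an assumption. The structure is the reported one: a failed-login
username is pasted into a shell command string and handed to /bin/sh.
"""
import shlex
import subprocess

# Constructed attacker-controlled username. The leading quote closes the
# single-quoted string the log command wraps the username in; what follows
# runs as a separate shell command.
PAYLOAD = "admin'; echo INJECTED; echo '"


def log_failed_login_vulnerable(username: str) -> str:
    """The vulnerable pattern: build one command string and let a shell parse it."""
    cmd = f"echo 'Login failed for user {username}'"
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout


def log_failed_login_fixed(username: str) -> str:
    """Fix 1: pass the message as a single argv element; no shell is involved."""
    proc = subprocess.run(["echo", f"Login failed for user {username}"],
                          capture_output=True, text=True)
    return proc.stdout


def log_failed_login_quoted(username: str) -> str:
    """Fix 2 (when a shell is unavoidable): quote the whole message so the
    shell sees exactly one word, whatever the username contains."""
    cmd = "echo " + shlex.quote(f"Login failed for user {username}")
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout


def injected(output: str) -> bool:
    """True if the marker appeared as its own line, i.e. the attacker's echo ran."""
    return "INJECTED" in output.splitlines()


if __name__ == "__main__":
    print("vulnerable :", injected(log_failed_login_vulnerable(PAYLOAD)))  # True
    print("argv fix   :", injected(log_failed_login_fixed(PAYLOAD)))       # False
    print("quoted fix :", injected(log_failed_login_quoted(PAYLOAD)))      # False
```

The argv form is the one to prefer in firmware: `execve`-style invocation never hands the string to a shell, so there is nothing for the metacharacters to break out of. Quoting only works if every call site remembers to do it, which is exactly the kind of discipline that slips in a logging path nobody thinks of as attacker-facing.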
Exploitation status
Forescout's writeup notes the team observed exploitation of CVE-2025-67038 against a Lantronix EDS5000 honeypot on April 5, after Lantronix shipped the patch but before Forescout published the BRIDGE:BREAK technical details. The timing suggests attackers diffed the patched firmware against the vulnerable release and built a working exploit ahead of public disclosure. CISA's June 23 KEV entry is the formal confirmation that exploitation is active; KEV inclusion says nothing about scale, so treat every exposed unit as a candidate rather than waiting for a campaign report.
CISA bundled CVE-2025-67038 with three Ubiquiti UniFi OS bugs added the same day: CVE-2026-34908 (improper access control), CVE-2026-34909 (path traversal), and CVE-2026-34910 (command injection via improper input validation). Each scores a perfect CVSS 10, and proof-of-concept code chaining the three to full remote code execution has been published. UniFi OS 5.0.8 carries the fix.
Action checklist
- Inventory your EDS5000 fleet — any device on firmware ≤ 2.1.0.0R3 is in scope. Lantronix posts firmware downloads and release notes on its support portal.
- Patch to firmware 2.2.0.0R1 today. This is the CISA BOD deadline; the underlying exploitation has been live since April.
- If you can't patch immediately, take the device off the public internet and restrict the HTTP management interface to a management VLAN or ACL. The exploit needs only network reachability to that interface, so an attacker already inside the network is also in scope.
- Audit logs, and shell history where the device exposes it, on any EDS5000 that was internet-reachable since early April (exploitation was observed on April 5). Look for failed-auth log entries with shell metacharacters in the username field, unexpected outbound connections from the device, and any new accounts or cron tasks. Because the injected commands run as root, an attacker can also scrub the entry that recorded them, so a clean device log is not proof of a clean device; check forwarded syslog and perimeter firewall logs as well.
- UniFi operators: patch to UniFi OS 5.0.8 or later on the same clock. The chained PoC is public.
- Review the rest of BRIDGE:BREAK. If you have Silex SD-330AC or AMC Manager in the estate, the Forescout disclosure lists the other 21 CVEs and patch levels.
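A hunt over device logs for the audit step in the checklist above, as an added example. This is constructed code, not a Lantronix or Forescout tool; the log format, hostnames, addresses and sample lines are assumptions, so adapt the regex to what your firmware or syslog collector actually emits. The signal it looks for is the one the bug leaves behind: shell metacharacters inside the logged username of a failed authentication.

```python
"""Constructed hunt for CVE-2025-67038 exploitation attempts in device logs.

Assumed log format (not the documented EDS5000 format): a syslog-style line
ending in `auth failure user=<name> src=<ip>`. Only AUTH_FAIL_RE needs to
change for a different format; the metacharacter check is format-agnostic.
"""
import re
from collections import Counter

# Shell metacharacters that do not belong in a username. Because the device
# logs the username verbatim into a shell command, the attacker's payload is
# preserved in the failed-auth entry itself (unless it is wiped afterwards).
SHELL_META = set(";|&$`\\()<>{}\"'")

# Greedy (.*) is deliberate: an injected username may itself contain spaces
# or 'src=', so anchor on the trailing src=<ip> field and end of line.
AUTH_FAIL_RE = re.compile(r"auth failure user=(.*) src=(\S+)$")

# Constructed sample lines: two ordinary failed logins from an internal host,
# then two injection attempts from one external address, plus a success line
# that the hunt must ignore.
SAMPLE_LOG = [
    "Jun 10 08:01:12 eds5000-1 httpd[412]: auth failure user=admin src=10.20.0.15",
    "Jun 10 08:01:15 eds5000-1 httpd[412]: auth failure user=operator src=10.20.0.15",
    "Jun 11 22:47:03 eds5000-1 httpd[412]: auth failure user=admin'; id > /tmp/o; ' src=203.0.113.7",
    "Jun 11 22:47:04 eds5000-1 httpd[412]: auth failure user=$(id) src=203.0.113.7",
    "Jun 11 22:49:30 eds5000-1 httpd[412]: auth success user=admin src=10.20.0.15",
]


def parse_auth_failure(line):
    """Return (username, source_ip) for a failed-auth line, else None."""
    m = AUTH_FAIL_RE.search(line.rstrip("\n"))
    return (m.group(1), m.group(2)) if m else None


def suspicious_chars(username):
    """Sorted list of shell metacharacters present in the username."""
    return sorted(set(username) & SHELL_META)


def hunt(lines):
    """Flag every failed-auth entry whose username carries shell metacharacters."""
    hits = []
    for line in lines:
        parsed = parse_auth_failure(line)
        if parsed is None:
            continue
        user, src = parsed
        meta = suspicious_chars(user)
        if meta:
            hits.append({"src": src, "user": user, "meta": "".join(meta),
                         "line": line.strip()})
    return hits


def sources(hits):
    """Count hits per source address: the pivot into firewall logs and other devices."""
    return Counter(h["src"] for h in hits)


if __name__ == "__main__":
    found = hunt(SAMPLE_LOG)
    for h in found:
        print(f"{h['src']:15} meta={h['meta']!r:10} user={h['user']!r}")
    print("sources:", dict(sources(found)))
```

Run it against an export of the device's log or the collector's copy, then pivot on the source addresses: the same address hitting other serial-to-IP converters or the UniFi controller is the next thing to check. Treat an empty result from the device itself with suspicion if the device had no forwarded logging; root on the box is enough to remove the line that recorded the attempt.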
Context
This is the second time in two months that a Forescout-disclosed edge-device CVE has been weaponised faster than the patch cycle could absorb it. The sequence is becoming routine for OT and SOHO networking gear: coordinated disclosure, vendor patch, then in-the-wild exploitation a few weeks later, once the patch diff and the advisory give attackers enough to build their own PoC. The CISA KEV addition is the regulator catching up to the attacker, not warning ahead of one.
If your asset inventory does not include serial-to-IP converters and management appliances, today is a good day to fix that. Devices that bridge IT and OT estates rarely sit inside the patch cadence of either side; that's exactly the gap CVE-2025-67038 has been living in since April.