Unrated severityCISA KEVNVD Advisory· Published Mar 11, 2026· Updated Mar 12, 2026
CVE-2025-67038
CVE-2025-67038
Description
An issue was discovered in Lantronix EDS5000 2.1.0.0R3. The HTTP RPC module executes a shell command to write logs when user's authantication fails. The username is directly concatenated with the command without any sanitization. This allow attackers to inject arbitrary OS commands into the username parameter. Injected commands are executed with root privileges.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2Patches
Vulnerability mechanics
References
3News mentions
5- Lantronix Serial-to-IP Converter Flaw Exploited in Attacks After OT Threat WarningSecurityWeek · Jun 25, 2026
- CISA Warns Critical Lantronix EDS5000 Flaw Is Being Actively ExploitedThe Hacker News · Jun 24, 2026
- CISA warns of max severity Ubiquiti flaws exploited in attacksBleepingComputer · Jun 24, 2026
- Critical Ubiquiti Vulnerabilities in Attackers’ CrosshairsSecurityWeek · Jun 24, 2026
- CISA Adds Four Known Exploited Vulnerabilities to CatalogCISA Alerts