Vendor CVEs
Lantronix
All CVEs
39 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2018-12925 | | Cri | 0.64 | 9.8 | 0.01 | | Jun 28, 2018 | Baseon Lantronix MSS devices do not require a password for TELNET access. |
| CVE-2016-4325 | | Cri | 0.64 | 9.8 | 0.02 | | May 14, 2016 | Lantronix xPrintServer devices with firmware before 5.0.1-65 have hardcoded credentials, which allows remote attackers to obtain root access via unspecified vectors. |
| CVE-2025-4338 | | Med | 0.44 | 6.8 | 0.00 | | May 22, 2025 | Lantronix Device installer is vulnerable to XML external entity (XXE) attacks in configuration files read from the network device. An attacker could obtain credentials, access these network devices, and modify their configurations. An attacker may also gain access to the host… |
| CVE-2025-67038 | | | 0.12 | — | 0.01 | KEV | Mar 11, 2026 | An issue was discovered in Lantronix EDS5000 2.1.0.0R3. The HTTP RPC module executes a shell command to write logs when user's authentication fails. The username is directly concatenated with the command without any sanitization. This allows attackers to inject arbitrary OS… |
| CVE-2021-21881 | | | 0.07 | — | 0.37 | | Dec 22, 2021 | An OS command injection vulnerability exists in the Web Manager Wireless Network Scanner functionality of Lantronix PremierWave 2050 8.9.0.0R4. A specially-crafted HTTP request can lead to command execution. An attacker can make an authenticated HTTP request to trigger this… |
| CVE-2021-21892 | | | 0.01 | — | 0.30 | | Dec 22, 2021 | A stack-based buffer overflow vulnerability exists in the Web Manager FsUnmount functionality of Lantronix PremierWave 2050 8.9.0.0R4 (in QEMU). A specially crafted HTTP request can lead to remote code execution. An attacker can make an authenticated HTTP request to trigger this… |
| CVE-2025-67037 | | | 0.00 | — | 0.00 | | Mar 11, 2026 | An issue was discovered in Lantronix EDS5000 2.1.0.0R3. An authenticated attacker can inject OS commands into the "tunnel" parameter when killing a tunnel connection. Injected commands are executed with root privileges. |
| CVE-2025-67035 | | | 0.00 | — | 0.00 | | Mar 11, 2026 | An issue was discovered in Lantronix EDS5000 2.1.0.0R3. The SSH Client and SSH Server pages are affected by multiple OS injection vulnerabilities due to missing sanitization of input parameters. An attacker can inject arbitrary commands in delete actions of various objects, such… |
| CVE-2025-70082 | | | 0.00 | — | 0.01 | | Mar 11, 2026 | An issue in Lantronix EDS3000PS v.3.1.0.0R2 allows an attacker to execute arbitrary code and obtain sensitive information via the ltrx_evo component. |
| CVE-2025-67034 | | | 0.00 | — | 0.00 | | Mar 11, 2026 | An issue was discovered in Lantronix EDS5000 2.1.0.0R3. An authenticated attacker can inject OS commands into the "name" parameter when deleting SSL credentials through the management interface. Injected commands are executed with root privileges. |
| CVE-2025-67039 | | | 0.00 | — | 0.00 | | Mar 11, 2026 | An issue was discovered in Lantronix EDS3000PS 3.1.0.0R2. The authentication on management pages can be bypassed by appending a specific suffix to the URL and by sending an Authorization header that uses "admin" as the username. |
| CVE-2025-67036 | | | 0.00 | — | 0.00 | | Mar 11, 2026 | An issue was discovered in Lantronix EDS5000 2.1.0.0R3. The Log Info page allows users to see log files by specifying their names. Due to a missing sanitization in the file name parameter, an authenticated attacker can inject arbitrary OS commands that are executed with root… |
| CVE-2025-67041 | | | 0.00 | — | 0.00 | | Mar 11, 2026 | An issue was discovered in Lantronix EDS3000PS 3.1.0.0R2. The host parameter of the TFTP client in the Filesystem Browser page is not properly sanitized. This can be exploited to escape from the original command and execute an arbitrary one with root privileges. |
| CVE-2023-7237 | | | 0.00 | — | 0.00 | | Jan 23, 2024 | Lantronix XPort sends weakly encoded credentials within web request headers. |
| CVE-2021-21896 | | | 0.00 | — | 0.02 | | Dec 22, 2021 | A directory traversal vulnerability exists in the Web Manager FsBrowseClean functionality of Lantronix PremierWave 2050 8.9.0.0R4 (in QEMU). A specially crafted HTTP request can lead to arbitrary file deletion. An attacker can make an authenticated HTTP request to trigger this… |
| CVE-2021-21895 | | | 0.00 | — | 0.02 | | Dec 22, 2021 | A directory traversal vulnerability exists in the Web Manager FsTFtp functionality of Lantronix PremierWave 2050 8.9.0.0R4 (in QEMU). A specially crafted HTTP request can lead to FsTFtp file overwrite. An attacker can make an authenticated HTTP request to trigger this… |
| CVE-2021-21894 | | | 0.00 | — | 0.02 | | Dec 22, 2021 | A directory traversal vulnerability exists in the Web Manager FsTFtp functionality of Lantronix PremierWave 2050 8.9.0.0R4 (in QEMU). A specially crafted HTTP request can lead to arbitrary file overwrite FsTFtp file disclosure. An attacker can make an authenticated HTTP request… |
| CVE-2021-21891 | | | 0.00 | — | 0.03 | | Dec 22, 2021 | A stack-based buffer overflow vulnerability exists in the Web Manager FsBrowseClean functionality of Lantronix PremierWave 2050 8.9.0.0R4 (in QEMU). A specially crafted HTTP request can lead to remote code execution in the vulnerable portion of the branch (deletefile). An… |
| CVE-2021-21890 | | | 0.00 | — | 0.03 | | Dec 22, 2021 | A stack-based buffer overflow vulnerability exists in the Web Manager FsBrowseClean functionality of Lantronix PremierWave 2050 8.9.0.0R4 (in QEMU). A specially crafted HTTP request can lead to remote code execution in the vulnerable portion of the branch (deletedir). An… |
| CVE-2021-21889 | | | 0.00 | — | 0.03 | | Dec 22, 2021 | A stack-based buffer overflow vulnerability exists in the Web Manager Ping functionality of Lantronix PremierWave 2050 8.9.0.0R4 (in QEMU). A specially crafted HTTP request can lead to remote code execution. An attacker can make an authenticated HTTP request to trigger this… |
| CVE-2021-21888 | | | 0.00 | — | 0.04 | | Dec 22, 2021 | An OS command injection vulnerability exists in the Web Manager SslGenerateCertificate functionality of Lantronix PremierWave 2050 8.9.0.0R4 (in QEMU). A specially crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to… |
| CVE-2021-21887 | | | 0.00 | — | 0.03 | | Dec 22, 2021 | A stack-based buffer overflow vulnerability exists in the Web Manager SslGenerateCSR functionality of Lantronix PremierWave 2050 8.9.0.0R4 (in QEMU). A specially crafted HTTP request can lead to remote code execution. An attacker can make an authenticated HTTP request to trigger… |
| CVE-2021-21886 | | | 0.00 | — | 0.02 | | Dec 22, 2021 | A directory traversal vulnerability exists in the Web Manager FSBrowsePage functionality of Lantronix PremierWave 2050 8.9.0.0R4. A specially crafted HTTP request can lead to information disclosure. An attacker can make an authenticated HTTP request to trigger this vulnerability. |
| CVE-2021-21885 | | | 0.00 | — | 0.02 | | Dec 22, 2021 | A directory traversal vulnerability exists in the Web Manager FsMove functionality of Lantronix PremierWave 2050 8.9.0.0R4. A specially crafted HTTP request can lead to local file inclusion. An attacker can make an authenticated HTTP request to trigger this vulnerability. |
| CVE-2021-21884 | | | 0.00 | — | 0.05 | | Dec 22, 2021 | An OS command injection vulnerability exists in the Web Manager SslGenerateCSR functionality of Lantronix PremierWave 2050 8.9.0.0R4. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger this… |
| CVE-2021-21883 | | | 0.00 | — | 0.06 | | Dec 22, 2021 | An OS command injection vulnerability exists in the Web Manager Diagnostics: Ping functionality of Lantronix PremierWave 2050 8.9.0.0R4. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger this… |
| CVE-2021-21882 | | | 0.00 | — | 0.06 | | Dec 22, 2021 | An OS command injection vulnerability exists in the Web Manager FsUnmount functionality of Lantronix PremierWave 2050 8.9.0.0R4. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger this… |
| CVE-2021-21880 | | | 0.00 | — | 0.02 | | Dec 22, 2021 | A directory traversal vulnerability exists in the Web Manager FsCopyFile functionality of Lantronix PremierWave 2050 8.9.0.0R4. A specially-crafted HTTP request can lead to local file inclusion. An attacker can make an authenticated HTTP request to trigger this vulnerability. |
| CVE-2021-21879 | | | 0.00 | — | 0.04 | | Dec 22, 2021 | A directory traversal vulnerability exists in the Web Manager File Upload functionality of Lantronix PremierWave 2050 8.9.0.0R4. A specially-crafted HTTP request can lead to arbitrary file overwrite. An attacker can make an authenticated HTTP request to trigger this… |
| CVE-2021-21878 | | | 0.00 | — | 0.01 | | Dec 22, 2021 | A local file inclusion vulnerability exists in the Web Manager Applications and FsBrowse functionality of Lantronix PremierWave 2050 8.9.0.0R4. A specially-crafted series of HTTP requests can lead to local file inclusion. An attacker can make a series of authenticated HTTP… |
| CVE-2021-21872 | | | 0.00 | — | 0.06 | | Dec 22, 2021 | An OS command injection vulnerability exists in the Web Manager Diagnostics: Traceroute functionality of Lantronix PremierWave 2050 8.9.0.0R4. A specially-crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger… |
| CVE-2020-13528 | | | 0.00 | — | 0.03 | | Dec 17, 2020 | An information disclosure vulnerability exists in the Web Manager and telnet CLI functionality of Lantronix XPort EDGE 3.0.0.0R11, 3.1.0.0R9, 3.4.0.0R12 and 4.2.0.0R7. A specially crafted HTTP request can cause information disclosure. An attacker can sniff the network to trigger… |
| CVE-2020-13527 | | | 0.00 | — | 0.01 | | Dec 17, 2020 | An authentication bypass vulnerability exists in the Web Manager functionality of Lantronix XPort EDGE 3.0.0.0R11, 3.1.0.0R9, 3.4.0.0R12 and 4.2.0.0R7. A specially crafted HTTP request can cause increased privileges. An attacker can send an HTTP request to trigger this… |
| CVE-2018-10383 | | | 0.00 | — | 0.02 | | May 2, 2019 | Lantronix SecureLinx Spider (SLS) 2.2+ devices have XSS in the auth.asp login page. |
| CVE-2014-9003 | | | 0.00 | — | 0.01 | | Nov 20, 2014 | Cross-site request forgery (CSRF) vulnerability in Lantronix xPrintServer allows remote attackers to hijack the authentication of administrators for requests that modify configuration, as demonstrated by executing arbitrary commands using the c parameter in the rpc action. |
| CVE-2014-9002 | | | 0.00 | — | 0.05 | | Nov 20, 2014 | Lantronix xPrintServer does not properly restrict access to ips/, which allows remote attackers to execute arbitrary commands via the c parameter in an rpc action. |
| CVE-2008-7201 | | | 0.00 | — | 0.01 | | Sep 10, 2009 | Lantronix MSS485-T allows remote attackers to cause a denial of service (unstable performance and service loss) via certain vulnerability scans, as demonstrated using (1) Nessus and (2) nmap. |
| CVE-2007-5981 | | | 0.00 | — | 0.01 | | Nov 15, 2007 | Lantronix SCS3200 does not properly handle public-key requests, which allows remote attackers to cause a denial of service (unresponsive device) via unspecified keyscan requests. NOTE: the provenance of this information is unknown; the details are obtained solely from third… |
| CVE-2005-2189 | | | 0.00 | — | 0.01 | | Jul 11, 2005 | Lantronix SecureLinx console server running firmware 2.0 and 3.0 stores /etc/ssh under the web document root with insufficient access control, which allows remote attackers to obtain sensitive information such as SSH private keys. |