CISA has added CVE‑2025‑67038 to its Known Exploited Vulnerabilities catalogue. The entry concerns the Lantronix EDS5000 series and is titled the Lantronix EDS5000 Code Injection Vulnerability. In a single sentence, the flaw permits attackers to inject arbitrary operating‑system commands through the username parameter, which are then executed with root privileges.
The vulnerability is a command‑injection defect that can be triggered remotely via unauthenticated input to the affected device. Successful exploitation grants the attacker full control of the EDS5000, allowing arbitrary code execution, data theft or further network penetration. The Common Vulnerability Scoring System assigns a score of 9.8, rating the issue as critical. According to the supplementary data, a patch has not been made available at the time of writing.
Because the CVE appears in the KEV catalogue, active exploitation has been confirmed in the wild. No ransomware‑related use has been reported for this specific flaw. CISA has set a remediation deadline of 26 June 2026 for federal agencies to address the vulnerability.
CISA’s required action is to apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26‑04 Prioritizing Security Updates Based on Risk guidance and CISA’s “Forensics Triage Requirements”. Follow applicable BOD 26‑04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26‑04 patching guidelines.
While the directive binds Federal Civilian Executive Branch agencies, all organisations should review their exposure to the EDS5000 and implement the advised mitigations.
For full technical details, consult the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2025-67038 and the CISA KEV catalogue.