Lantronix EDS5000 devices are under active attack after a command injection flaw was added to the CISA Known Exploited Vulnerabilities catalogue. The vulnerability, tracked as CVE-2025-67038, allows unauthenticated attackers to inject arbitrary operating system commands through the username parameter, which are then executed with root privileges.
CISA rates the flaw at CVSS 9.8, reflecting its potential for full device compromise. The issue resides in the EDS5000 series web interface where insufficient validation of the username field permits shell metacharacters to be passed directly to the underlying OS. No authentication is required to trigger the payload.
Successful exploitation grants the attacker complete control of the device, enabling data theft, lateral movement or the installation of persistent backdoors. As of the latest advisory, a patch has not been released and no official workaround has been provided by the vendor.
The inclusion of CVE-2025-67038 in the Known Exploited Vulnerabilities list indicates that the flaw is being exploited in the wild, although CISA has not attributed the activity to any specific threat actor. Organizations that rely on EDS5000 hardware for industrial networking should treat the issue as an immediate priority.
Defenders should isolate affected units from untrusted networks, restrict management access to known IP addresses and monitor logs for unusual username strings containing characters such as semicolons, ampersands or pipe symbols. Network segmentation and the use of jump hosts can limit the blast radius of a successful breach.
Administrators are advised to follow any future firmware announcements from Lantronix and to consider disabling remote management of the EDS5000 interface unless absolutely required. Deploying intrusion detection rules that look for command injection patterns in HTTP requests can provide early warning of ongoing attempts.
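The log check described above (username strings carrying semicolons, ampersands or pipe symbols) and the request-inspection rule mentioned here amount to the same test applied to different data sources. The script below is an added example, not code from Lantronix or from CISA's advisory: it decodes the username-like parameters in each request line and reports any that contain shell metacharacters. The log format, the parameter names it inspects and the sample lines are all constructed assumptions; the EDS5000's actual log layout is not described on this page, so the regular expression is a placeholder to adapt.

```python
import re
from typing import Dict, List, Set, Tuple
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Characters named in the advisory (semicolon, ampersand, pipe) plus the other
# shell separators and substitution tokens that have no place in a username.
SHELL_METACHARS = frozenset(";&|`$(){}<>\n\r")

# Assumed Apache/nginx-style access log line (constructed; adapt to the real format).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Parameter names treated as username fields (assumption; extend as needed).
USERNAME_KEYS = ("username", "user", "login")


def suspicious_chars(value: str) -> Set[str]:
    """Return the shell metacharacters present in a decoded parameter value."""
    return {c for c in value if c in SHELL_METACHARS}


def inspect_target(target: str) -> List[Tuple[str, str, Set[str]]]:
    """Decode each username-like query parameter and report metacharacters found.

    parse_qs already percent-decodes once; a second unquote_plus catches
    double-encoded values such as %253B, which decode to ';' only on the second pass.
    """
    findings = []
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    for key, values in params.items():
        if key.lower() not in USERNAME_KEYS:
            continue
        for once_decoded in values:
            decoded = unquote_plus(once_decoded)
            bad = suspicious_chars(decoded)
            if bad:
                findings.append((key, decoded, bad))
    return findings


def scan_log(lines: List[str]) -> List[Dict[str, str]]:
    """Run the username check over access-log lines and return one alert per hit."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a real deployment would count these
        for key, value, bad in inspect_target(m["target"]):
            alerts.append({
                "src": m["src"],
                "ts": m["ts"],
                "param": key,
                "value": value,
                "metachars": "".join(sorted(bad)),
            })
    return alerts


# Constructed sample lines: one benign login, one with an encoded semicolon,
# one double-encoded pipe, and one request with no username parameter at all.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2025:10:01:02 +0000] "GET /login.cgi?username=jsmith&password=x HTTP/1.1" 200 512',
    '198.51.100.7 - - [12/Mar/2025:10:03:14 +0000] "GET /login.cgi?username=admin%3Bid HTTP/1.1" 200 231',
    '198.51.100.7 - - [12/Mar/2025:10:03:20 +0000] "POST /login.cgi?username=admin%257C%2520cat HTTP/1.1" 200 231',
    '10.0.0.9 - - [12/Mar/2025:10:04:00 +0000] "GET /status.cgi HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f'{alert["ts"]} {alert["src"]} {alert["param"]}={alert["value"]!r} '
              f'metachars={alert["metachars"]}')
```

The same `inspect_target` check can sit in a request-inspecting sensor in front of the device, where it sees the raw request rather than a log line. Alerting on the decoded value rather than the raw one matters: an encoded or double-encoded separator is still a separator once the web interface decodes it, and a rule that only matches a literal `;` in the request will miss it.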