What is Lantronix EDS5000?
Lantronix EDS5000-series devices (EDS5008, EDS5016, EDS5032) are serial-to-Ethernet/IP converters used throughout industrial control systems (ICS), healthcare, and critical infrastructure. They bridge legacy serial devices — PLCs, meters, sensors, building management systems — to modern IP networks, enabling remote management and data collection over TCP/IP. Their deep integration in OT environments and tendency to be internet-exposed for remote access make them high-value targets for attackers seeking a foothold in operational networks.
Overview
CVE-2025-67038 is a pre-authentication OS command injection vulnerability in the Lantronix EDS5000 web management interface. An unauthenticated attacker can inject arbitrary shell commands into the username field of the HTTP RPC authentication endpoint; the injected commands execute with root privileges. CISA added this vulnerability to the KEV catalog on June 23, 2026, with a three-day remediation deadline reflecting confirmed exploitation in the wild.
Forescout Vedere Labs discovered this flaw as part of BRIDGE:BREAK, a coordinated research project that identified 22 vulnerabilities across Lantronix and Silex serial-to-IP converters deployed in critical infrastructure.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| Lantronix EDS5008 | Firmware ≤ 2.1.0.0R3 | 2.2.0.0R1 |
| Lantronix EDS5016 | Firmware ≤ 2.1.0.0R3 | 2.2.0.0R1 |
| Lantronix EDS5032 | Firmware ≤ 2.1.0.0R3 | 2.2.0.0R1 |
Technical Details
The EDS5000 web management interface includes an HTTP RPC module that logs authentication failures by constructing a shell command containing the submitted username. The log-write routine concatenates the raw username value directly into a shell command string without sanitization or escaping — a classic OS command injection pattern.
An attacker submits a crafted username containing shell metacharacters (;, &&, |) to the login endpoint. The authentication-failure log routine executes the expanded shell string as root, giving the attacker arbitrary command execution on the underlying Linux OS with no prior credentials required.
Key characteristics:
- No authentication required — exploitable against the unauthenticated login endpoint
- Root-level execution — injected commands run under the root account
- Single HTTP request — no multi-step chain needed
- CVSS 9.8 — network-accessible, low complexity, no privileges, no user interaction
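To make the unsafe-versus-safe difference concrete, here is an added Python illustration, not Lantronix firmware code (the device's real log command is not on this page): a hypothetical reconstruction of the string-splicing pattern, a shlex-based check of where a shell would split that string, and a logger that never invokes a shell. The command form, the log path and the username allow-list are assumptions.

```python
import re
import shlex
import tempfile
from pathlib import Path

# Hypothetical reconstruction of the pattern the advisory describes; not Lantronix code.
SAFE_USERNAME = re.compile(r"[A-Za-z0-9._@-]{1,64}")


def vulnerable_log_command(username: str) -> str:
    """Unsafe pattern: the raw username is spliced into a shell command string.
    The string is only returned here so it can be inspected, never executed."""
    return "logger -t httprpc auth_failure user=" + username


def shell_command_count(command: str) -> int:
    """How many separate commands a POSIX shell would see in `command`.
    shlex with punctuation_chars=True splits on ; & | the way a shell does, so the
    demo can show the injection boundary without running anything."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    return 1 + sum(1 for tok in lexer if tok in {";", "&&", "||", "|", "&"})


def hardened_log_failure(username: str, log_path: Path) -> str:
    """Safe equivalent: no shell and no command string at all.
    Unexpected usernames are kept (they are exactly the evidence an investigator
    wants) but escaped with repr(), so quotes, newlines and control characters
    cannot break the log line or be interpreted by anything that reads it later."""
    if SAFE_USERNAME.fullmatch(username):
        shown = username
    else:
        shown = "<unexpected:" + repr(username) + ">"
    line = f"auth failure user={shown}\n"
    with log_path.open("a", encoding="utf-8") as fh:  # plain file I/O, never a shell
        fh.write(line)
    return line


def demo_log_path() -> Path:
    """Fresh temporary log file so the demo runs anywhere without touching /var/log."""
    return Path(tempfile.mkdtemp()) / "httprpc_auth.log"


if __name__ == "__main__":
    for user in ("admin", "ad;min"):
        cmd = vulnerable_log_command(user)
        print(f"{user!r}: a shell would run {shell_command_count(cmd)} command(s) from {cmd!r}")
    path = demo_log_path()
    for user in ("admin", "ad;min"):
        hardened_log_failure(user, path)
    print(path.read_text(), end="")
```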
Discovery
CVE-2025-67038 was discovered by Francesco La Spina and Stanislav Dashevskyi of Forescout Vedere Labs as part of the BRIDGE:BREAK research project. The project targeted serial-to-Ethernet converters from Lantronix and Silex widely deployed in critical infrastructure. Researchers identified 22 vulnerabilities across the two product families and coordinated disclosure through CISA, which published ICS Advisory ICSA-26-069-02 on March 10, 2026. Forescout publicly released the full BRIDGE:BREAK research in April 2026.
Exploitation Context
CISA's KEV designation confirms this vulnerability has been exploited in the wild. Forescout's internet scanning found approximately 20,000 serial-to-Ethernet converters internet-exposed globally at the time of the April 2026 BRIDGE:BREAK publication.
EDS5000 devices in OT environments are particularly attractive targets: successful exploitation provides root access to a device that bridges serial control networks, enabling lateral movement into otherwise air-gapped industrial systems, traffic manipulation between serial devices and IP networks, and persistent access to infrastructure that is rarely monitored for anomalous behavior.
The three-day CISA remediation deadline (June 26, 2026) reflects the severity of exploitation risk in critical infrastructure environments.
Remediation
- Upgrade firmware to version 2.2.0.0R1 or later on all EDS5000-series devices (EDS5008, EDS5016, EDS5032) immediately.
- Isolate web management interfaces — restrict access to the EDS5000 HTTP/HTTPS admin interface to trusted management networks only; block inbound access from the internet at the network perimeter.
- Audit internet exposure — use firewall rules or internet scanning to identify any EDS5000 devices with publicly reachable management ports and immediately restrict access.
- Review authentication logs for signs of prior exploitation: repeated authentication failures with unusual username content (shell metacharacters, semicolons, backticks) indicate prior attempts.
- Assess for persistence — if a device was accessible during the vulnerability window, perform forensic review before trusting it; consider factory reset if compromise cannot be ruled out.
- Apply network segmentation — where possible, place serial-to-Ethernet converters on isolated OT VLANs with no direct internet path, regardless of firmware version.
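For the log-review step above, an added Python example (not a Lantronix tool; the log line format, field names and sample entries are constructed assumptions to adapt to the device's real output) that parses authentication-failure lines and summarises, per source address, how many failures carried shell metacharacters in the username.

```python
import re
from collections import defaultdict

# Constructed sample lines for the demo; the EDS5000's real log format is not
# documented on the page, so LINE_RE below is an assumption to adapt.
SAMPLE_LOG = """\
2026-06-20T10:01:02Z httprpc: auth failure user=operator src=10.0.5.7
2026-06-20T10:01:09Z httprpc: auth failure user=operator src=10.0.5.7
2026-06-20T10:03:41Z httprpc: auth failure user=admin;test src=203.0.113.9
2026-06-20T10:03:42Z httprpc: auth failure user=`test` src=203.0.113.9
2026-06-20T10:03:44Z httprpc: auth failure user=a&&b src=203.0.113.9
2026-06-20T10:04:00Z httprpc: auth success user=operator src=10.0.5.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) httprpc: auth (?P<result>failure|success) "
    r"user=(?P<user>.*?) src=(?P<src>\S+)$"
)
# Characters a POSIX shell interprets; a legitimate username has no reason to
# contain any of them, so their presence in a failed login is the indicator.
SHELL_META = re.compile(r"[;&|`$<>(){}]")


def parse_events(log_text: str) -> list[dict]:
    """Parse matching lines into dicts; lines in another format are skipped, not guessed."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def triage(log_text: str) -> dict[str, dict]:
    """Per-source summary of authentication failures.
    'injection_like' counts failures whose username carries shell metacharacters;
    'failures' counts all failures, so plain brute force shows up here as well."""
    summary = defaultdict(lambda: {"failures": 0, "injection_like": 0, "samples": []})
    for ev in parse_events(log_text):
        if ev["result"] != "failure":
            continue
        entry = summary[ev["src"]]
        entry["failures"] += 1
        if SHELL_META.search(ev["user"]):
            entry["injection_like"] += 1
            entry["samples"].append(ev["user"])
    return dict(summary)


if __name__ == "__main__":
    for src, info in sorted(triage(SAMPLE_LOG).items()):
        verdict = "INVESTIGATE" if info["injection_like"] else "review"
        print(f"{src:15} failures={info['failures']} "
              f"injection_like={info['injection_like']} {verdict} {info['samples']}")
```

A source with any injection-like failure during the vulnerability window is a candidate for the forensic review and factory-reset decision in the list above.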
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2025-67038 |
| Vendor / Product | Lantronix — EDS5000 |
| NVD Published | 2026-03-11 |
| NVD Last Modified | 2026-06-23 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-94 |
| CISA KEV Added | 2026-06-23 |
| CISA KEV Deadline | 2026-06-26 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2026-03-10 | CISA ICS Advisory ICSA-26-069-02 published |
| 2026-03-11 | CVE published |
| 2026-06-23 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2026-06-26 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| NVD — CVE-2025-67038 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| CISA ICS Advisory ICSA-26-069-02 — Lantronix EDS3000PS and EDS5000 | US Government |
| Lantronix EDS5000 Series Latest Firmware | Vendor Advisory |
| Forescout Vedere Labs — BRIDGE:BREAK Research | Security Research |
| 22 BRIDGE:BREAK Flaws Expose 20,000 Serial-to-Ethernet Converters | News |