PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-67037 Unknown Vendor CVE debrief

CVE-2025-67037 is a high-severity authenticated command-injection vulnerability affecting Lantronix EDS5000 firmware, as described in the CISA advisory published on 2026-03-10. An authenticated attacker can inject operating-system commands through the "tunnel" parameter while killing a tunnel connection, and the injected commands execute with root privileges. Lantronix recommends upgrading EDS5000 to firmware 2.2.0.0R1.

Vendor: Unknown Vendor
Product: Lantronix EDS3000PS 3.1.0.0R2; EDS5000 2.1.0.0R3
CVSS: HIGH 7.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-03-10
Original CVE updated: 2026-03-10
Advisory published: 2026-03-10
Advisory updated: 2026-03-10

Who should care

OT/ICS defenders, network administrators, and incident responders responsible for Lantronix EDS5000 deployments, especially systems running 2.1.0.0R3 or otherwise exposed to authenticated management access. Security teams should also review any EDS3000PS/EDS5000 inventory where product naming or firmware scope is unclear.

Technical summary

The supplied advisory describes a CWE-78-style OS command injection in the tunnel-termination path. The attack requires authentication (CVSS PR:H), but once that path is reached it allows command execution as root on the device. The source metadata ties the issue to Lantronix EDS5000 2.1.0.0R3, while the advisory title and remediation guidance also cover the Lantronix EDS3000PS/EDS5000 family. The vendor-recommended fix is EDS5000 firmware 2.2.0.0R1.

Defensive priority

High. Authenticated root-level command execution on a networked industrial device warrants prompt remediation, especially where the device is reachable from broader admin or operational networks.

Recommended defensive actions

  • Inventory all Lantronix EDS5000 and related EDS3000PS devices and confirm the installed firmware version.
  • Upgrade affected EDS5000 systems to firmware 2.2.0.0R1, as recommended by the vendor for CVE-2025-67034 through CVE-2025-67038.
  • Restrict authenticated administrative access to trusted management networks and review which accounts can manage tunnel connections.
  • Monitor device and management logs for unusual tunnel-termination activity or unexpected command execution.
  • After patching, verify firmware version and confirm normal tunnel-management behavior in a maintenance window.
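The following is an added illustration of the CWE-78 pattern named in the technical summary and of the input check a defender would apply to tunnel names, both at the point of use and when reviewing management logs for unusual tunnel-termination activity. It is not Lantronix code and says nothing about how the EDS5000 firmware is actually implemented: the `tunnelctl` tool, the `kill` subcommand and the assumed tunnel-name format are all hypothetical, and the log-derived names are constructed sample data.

```python
"""Allowlist validation and shell-free execution for a user-supplied tunnel name.

Hypothetical example, not vendor code. The 'tunnelctl' tool and the
tunnel-name format (short alphanumeric identifier) are assumptions.
"""
import re
import subprocess
from typing import Callable, List, Sequence

# Assumed name format: 1-32 characters, letters, digits, underscore or dash.
# Anything outside this allowlist is rejected before a command is ever built.
_TUNNEL_NAME = re.compile(r"^[A-Za-z0-9_-]{1,32}$")


def unsafe_kill_command(tunnel: str) -> str:
    """The CWE-78 anti-pattern: the parameter is spliced into a shell command
    string, so shell metacharacters in 'tunnel' become part of the command.
    Shown only for contrast; the hardened path below never uses a shell."""
    return "tunnelctl kill " + tunnel


def validate_tunnel_name(tunnel: str) -> str:
    """Return the name unchanged if it matches the allowlist, else raise."""
    if not _TUNNEL_NAME.fullmatch(tunnel):
        raise ValueError(f"invalid tunnel name: {tunnel!r}")
    return tunnel


def build_kill_argv(tunnel: str) -> List[str]:
    """Argument vector for the hypothetical tool. Each element is passed to
    the process as a separate argument; no shell interprets the name."""
    return ["tunnelctl", "kill", validate_tunnel_name(tunnel)]


def kill_tunnel(tunnel: str, run: Callable = subprocess.run) -> int:
    """Validate, then exec without a shell. 'run' is injectable so the
    function can be exercised without the real tool being installed."""
    argv = build_kill_argv(tunnel)
    result = run(argv, shell=False, check=False, capture_output=True)
    return result.returncode


def suspicious_tunnel_names(names: Sequence[str]) -> List[str]:
    """For log review: return the tunnel names (already extracted from
    management logs, format assumed) that fail the same allowlist."""
    return [n for n in names if not _TUNNEL_NAME.fullmatch(n)]


# Constructed sample of tunnel names as they might appear in a log review.
SAMPLE_LOGGED_NAMES = ["tunnel1", "plc-uplink_02", "tunnel1;extra", "a" * 40]

if __name__ == "__main__":
    print(build_kill_argv("plc-uplink_02"))
    print(suspicious_tunnel_names(SAMPLE_LOGGED_NAMES))
```

The two defences are independent: the allowlist removes the injection surface even if the code later calls a shell by mistake, and the argument-vector call removes the shell even if the allowlist is later loosened. Running the allowlist over names seen in tunnel-kill log entries gives a cheap first filter for the "unusual tunnel-termination activity" mentioned above.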

Evidence notes

Primary evidence comes from the CISA CSAF advisory ICSA-26-069-02 (published 2026-03-10) and the linked official references for CVE-2025-67037. The supplied advisory text states that an authenticated attacker can inject OS commands into the "tunnel" parameter when killing a tunnel connection and that the injected commands run with root privileges. The provided CVSS vector is CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (7.2 HIGH). The vendor remediation in the supplied corpus recommends upgrading EDS5000 to 2.2.0.0R1. The source metadata is inconsistent on vendor and product naming, so scope should be validated against the official advisory and the local asset inventory.

Official resources

Publicly disclosed by CISA on 2026-03-10 as ICSA-26-069-02 / CVE-2025-67037.