PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-67038 Lantronix EDS3000PS / EDS5000 CVE debrief

CVE-2025-67038 is a critical OS command injection disclosed in CISA advisory ICSA-26-069-02 on 2026-03-10. According to the advisory, the HTTP RPC module on affected Lantronix devices builds a shell command to write a log entry when authentication fails, and it concatenates the submitted username into that command without sanitization. A network attacker can therefore inject operating-system commands through the username parameter of a login request, and, per the advisory, the injected commands execute with root privileges. Because the vulnerable code runs on the failed-login path, the attacker does not need valid credentials to reach it.

Vendor
Unknown Vendor (corpus metadata; the advisory itself concerns Lantronix devices, see Evidence notes)
Product
Lantronix EDS3000PS 3.1.0.0R2; Lantronix EDS5000 2.1.0.0R3
CVSS
CRITICAL 9.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-03-10
Original CVE updated
2026-03-10
Advisory published
2026-03-10
Advisory updated
2026-03-10

Who should care

Organizations using Lantronix EDS3000PS or EDS5000 devices, especially OT/ICS teams, plant operators, network/security administrators, and anyone exposing the devices’ HTTP RPC or management interfaces.

Technical summary

The supplied advisory describes an OS command injection in the HTTP RPC module's failed-login logging path. The username is inserted directly into a shell command line, so shell metacharacters in the submitted value (a quote that closes the intended argument, a semicolon, pipe or backtick that starts a new command) are interpreted by the shell instead of being recorded as data. Because the vulnerable code runs when authentication fails, the attacker does not need valid credentials to reach it, and the advisory states that injected commands run with root privileges, i.e. full control of the device. The source material ties the issue to Lantronix EDS5000 2.1.0.0R3 and also lists EDS3000PS 3.1.0.0R2 in product metadata.
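The following is an added illustration of the flaw class the advisory describes, not Lantronix code (the real HTTP RPC implementation is not public in the cited sources). The vulnerable function reproduces the described pattern, a failed-login log entry built as a shell command with the username concatenated in; the hardened function records the same event with plain file I/O so the username is never handed to a shell. The log path, the log line format and the sample username are assumptions. The vulnerable command is only tokenized the way /bin/sh would tokenize it, never executed.

```python
"""Vulnerable vs. hardened failed-login logging (constructed illustration)."""
import os
import re
import shlex
import tempfile

LOG_PATH = "/var/log/auth.log"  # assumed path, for illustration only


def build_log_command_vulnerable(username: str) -> str:
    """The pattern the advisory describes: the raw username is concatenated
    into a shell command line that the device would pass to system()."""
    return f'echo "auth failure for user {username}" >> {LOG_PATH}'


def shell_commands(cmd: str) -> list[list[str]]:
    """Tokenize cmd as a POSIX shell would and split it at command
    separators, so the injected command shows up as its own argv without
    anything being executed."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    commands, current = [], []
    for tok in lexer:
        if tok in (";", "&&", "||", "|", "&"):
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def log_failed_login_hardened(username: str, log_path: str) -> str:
    """Append the failure record with file I/O. The username is data here,
    not part of a command line, so shell metacharacters have no meaning.
    Control characters are replaced so a newline cannot forge an extra
    record, and the value is length-capped."""
    safe_name = _CONTROL.sub("?", username)[:64]
    line = f"auth failure for user {safe_name}\n"
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(line)
    return line


def demo(username: str = 'x"; id #') -> dict:
    """Run both paths on an injection-style username (constructed sample).
    The closing quote ends the intended echo argument, ';' starts a new
    command and '#' comments out the rest of the original line."""
    vulnerable_cmd = build_log_command_vulnerable(username)
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "auth.log")
        log_failed_login_hardened(username, path)
        with open(path, encoding="utf-8") as fh:
            logged = fh.read()
    return {
        "vulnerable_commands": shell_commands(vulnerable_cmd),
        "hardened_log": logged,
    }


if __name__ == "__main__":
    result = demo()
    for argv in result["vulnerable_commands"]:
        print("shell would run:", argv)
    print("hardened log contains:", repr(result["hardened_log"]))
```

With the sample username, the vulnerable path yields two commands, `echo` with the truncated message and a separate `id`, which on the affected devices would run as root; the hardened path writes the username verbatim as one log record. If a device genuinely must call an external program, the same principle applies: pass an argv list with no shell involved rather than a concatenated string.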

Defensive priority

Immediate / Critical. Treat as an urgent patch-and-contain issue for any exposed affected device.

Recommended defensive actions

  • Upgrade affected devices to Lantronix EDS5000 version 2.2.0.0R1, as recommended in the advisory.
  • If you also operate EDS3000PS devices referenced in the advisory metadata, verify with Lantronix whether the same fixed firmware path applies before deploying changes.
  • Restrict network access to device management and HTTP RPC interfaces to trusted admin networks only.
  • Audit exposure of the management service and remove any unnecessary internet-facing or cross-segment access.
  • Monitor for login attempts whose username contains shell metacharacters (quotes, semicolons, pipes, backticks, `$(`), for bursts of failed logins from one source, and for unexpected outbound connections or processes from the device. Because the device's own log write is the injection sink, prefer telemetry captured in front of the device (reverse proxy, firewall or packet capture) over the device log alone.
  • Use the CISA advisory and Lantronix firmware guidance to confirm model/firmware applicability before maintenance windows.
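As an added example for the monitoring recommendation above (not code from the advisory or from Lantronix), the script below scans access-log lines captured in front of the management interface for login attempts whose username carries shell metacharacters, and counts failed logins per source address. The log format, the `/rpc/login` path, the `user` query parameter and the sample lines are all constructed assumptions; the advisory does not document the real RPC request format, so the extraction logic must be adapted to what your proxy or capture actually records.

```python
"""Flag command-injection-style usernames in proxy access logs (constructed)."""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Common-log-style line: src ident user [ts] "METHOD target proto" status size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Characters that change the meaning of a shell command line.
SHELL_META = re.compile(r"[;&|`$(){}<>\"'\\\n\r]")
MAX_USERNAME_LEN = 64
LOGIN_PATH = "/rpc/login"  # assumed endpoint, for illustration only

# Constructed sample lines: one normal failure, two injection attempts, one unrelated request.
SAMPLE_LINES = [
    '10.0.0.5 - - [10/Mar/2026:09:12:01 +0000] "POST /rpc/login?user=operator HTTP/1.1" 401 0',
    '203.0.113.7 - - [10/Mar/2026:09:12:07 +0000] "POST /rpc/login?user=x%22%3B+id+%23 HTTP/1.1" 401 0',
    '203.0.113.7 - - [10/Mar/2026:09:12:09 +0000] "POST /rpc/login?user=a%24%28cat+%2Fetc%2Fpasswd%29 HTTP/1.1" 401 0',
    '10.0.0.6 - - [10/Mar/2026:09:13:00 +0000] "GET /status HTTP/1.1" 200 512',
]


def username_from_target(target: str):
    """Pull the login name out of the request target, URL-decoded."""
    parts = urlsplit(target)
    if parts.path != LOGIN_PATH:
        return None
    qs = parse_qs(parts.query)
    for key in ("user", "username"):
        if key in qs:
            return qs[key][0]
    return None


def shell_metachars(username: str) -> str:
    """Sorted, de-duplicated shell metacharacters present in the username."""
    return "".join(sorted(set(SHELL_META.findall(username))))


def scan(lines) -> list[dict]:
    """Return one finding per login attempt that looks like an injection."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        username = username_from_target(m["target"])
        if username is None:
            continue
        meta = shell_metachars(username)
        if meta or len(username) > MAX_USERNAME_LEN:
            findings.append({
                "src": m["src"], "ts": m["ts"], "username": username,
                "metachars": meta, "status": int(m["status"]),
            })
    return findings


def failures_by_source(lines) -> Counter:
    """Count failed login attempts (HTTP 401 on the login path) per source."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and m["status"] == "401" and username_from_target(m["target"]) is not None:
            counts[m["src"]] += 1
    return counts


if __name__ == "__main__":
    for f in scan(SAMPLE_LINES):
        print(f"{f['ts']} {f['src']} user={f['username']!r} metachars={f['metachars']!r}")
    print("failed logins per source:", dict(failures_by_source(SAMPLE_LINES)))
```

On the sample lines the scan reports the two attempts from 203.0.113.7 and leaves the ordinary failed login from 10.0.0.5 as a count only. Any hit against a device that has not yet been upgraded should be treated as a probable compromise of that device, since a single successful request yields root.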

Evidence notes

All substantive claims are drawn from the supplied CISA CSAF advisory (ICSA-26-069-02) and its referenced official links. The advisory text explicitly states that the HTTP RPC module executes a shell command during failed authentication, that the username is concatenated without sanitization, and that injected commands run with root privileges. The remediation section recommends upgrading to EDS5000 2.2.0.0R1. The supplied enrichment indicates the issue is not in CISA KEV. The vendor field in the corpus metadata ("Unknown Vendor") is inconsistent with the advisory, which concerns Lantronix devices, so product applicability should be verified against the official Lantronix advisory and firmware page.

Official resources

Publicly disclosed by CISA in advisory ICSA-26-069-02 on 2026-03-10, which is also the CVE publication date supplied in the corpus. The supplied enrichment marks the issue as not listed in CISA KEV.