Lantronix EDS5000 CVE-2025-67038: Patch Root RCE Now

Lantronix EDS5000 administrators should treat CVE-2025-67038 as an urgent edge-device incident, not a routine firmware ticket. CISA added the flaw to its Known Exploited Vulnerabilities catalog on June 23, 2026, after confirming active exploitation, and set a June 26 remediation deadline for covered federal systems.¹

The vulnerability affects Lantronix EDS5000 serial device servers. NVD describes the issue in the HTTP RPC module: when authentication fails, the device builds a shell command for logging, concatenates the supplied username without proper sanitization, and can execute injected OS commands with root privileges.² CISA-ADP rates it 9.8 critical with a network attack vector, no required privileges, no user interaction, and high impact to confidentiality, integrity, and availability.²

That combination matters because EDS5000 units are not ordinary office endpoints. They are serial-to-IP bridge devices used to connect legacy serial equipment to IP networks. Forescout’s BRIDGE:BREAK research warned that this class of equipment appears across utilities, healthcare, manufacturing, retail, financial services, transportation, and other environments, and that compromised converters can support denial of service, sensor or actuator data tampering, and lateral movement.³

The immediate affected scope called out by NVD includes Lantronix EDS5008, EDS5016, and EDS5032 hardware paired with EDS5000 firmware 2.1.0.0R3.² Lantronix lists EDS5000 firmware 2.2.0.0R1 as the current released version for the EDS5008, EDS5016, and EDS5032 series.⁴ If an EDS5000 appliance is reachable from the internet, a partner network, a remote-access segment, or a flat OT subnet, patching should be paired with exposure reduction rather than treated as a version-only task.

What to check before the June 26 deadline

Start with inventory. Search for EDS5008, EDS5016, and EDS5032 units, confirm firmware versions, and identify which management interfaces are reachable from outside the local operations network. Any unit still running 2.1.0.0R3 should be upgraded or isolated. If maintenance windows make immediate firmware work difficult, remove internet exposure, restrict management access to a trusted admin network or jump host, and block untrusted HTTP access until the device can be updated.

Next, assume that successful exploitation may leave more than a normal web-login trace. Review failed-authentication logs for usernames containing shell metacharacters, command separators, long encoded strings, unexpected paths, or attempts that cluster around EDS management endpoints. Check device configuration, admin accounts, startup scripts, scheduled tasks, and outbound connections for changes that do not match normal operations. Because the injection runs as root, a clean firmware update alone may not be enough if the device has already been modified.

This is the same operational pattern defenders have seen with other network edge incidents: a narrow device bug becomes a broader incident when exposed management surfaces, weak segmentation, or stale credentials give attackers a foothold. The recent UniFi OS root RCE chain showed why patching should be paired with credential and secret review. The AryStinger router botnet story is a reminder that old network appliances often remain useful to attackers long after they stop looking important. The FortiBleed credential leak also underlines why firewall, VPN, and bridge-device logs deserve review after an edge compromise.

For OT and industrial networks, the practical priority is containment. Put EDS5000 management behind a documented administrative path, deny broad lateral reach from the converter to sensitive systems, and confirm that serial-linked equipment does not implicitly trust commands from a compromised bridge. If a unit cannot be patched quickly, document that exception, segment it, and monitor it like an exposed control-plane asset until replacement or upgrade is complete.

References

1. Cybersecurity and Infrastructure Security Agency, Known Exploited Vulnerabilities Catalog entry for CVE-2025-67038, added June 23, 2026.
2. National Vulnerability Database, CVE-2025-67038 detail page and CISA-ADP scoring data.
3. Forescout Vedere Labs, BRIDGE:BREAK research on Lantronix and Silex serial-to-IP converter vulnerabilities.
4. Lantronix Tech Support, latest firmware page for the EDS5000 series.
5. The Hacker News, coverage of CISA’s active-exploitation warning for Lantronix EDS5000 CVE-2025-67038.