PT-2026-24723 · Lantronix · Eds5008 Firmware+2

Published: 2026-03-11 · Updated: 2026-06-26 · CVE-2025-67038

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Lantronix EDS5000 version 2.1.0.0R3

Description: The HTTP RPC module in Lantronix EDS5000 series devices contains a code injection flaw. When user authentication fails, the module executes a shell command to write a log entry, and it builds that command by concatenating the username parameter directly into the command string without sanitization. Because the check happens before authentication succeeds, an unauthenticated attacker can inject and execute arbitrary operating system commands with root privileges via the /cgi-bin/luci/rpc/auth endpoint. Approximately 54,500 instances have been identified globally, with nearly 32,000 devices exposed on Shodan. This issue was exploited as a zero-day starting April 5 by a threat cluster named Chaya 006, which used scanner IPs across Asia to target devices and establish callbacks to command-and-control servers.

Recommendations: Apply the available security fixes to Lantronix EDS5000 version 2.1.0.0R3 immediately. Until the security fix is applied, avoid using the username parameter of the /cgi-bin/luci/rpc/auth endpoint.
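The failed-login logging pattern the description names, handled safely, as an added example that is not Lantronix code: only the endpoint path and the parameter name come from the advisory; the request shape, the metacharacter set and the length limit are assumptions.

```python
import re
import shlex
from pathlib import Path

# Endpoint and parameter name as given in the advisory; the rest is assumed.
AUTH_ENDPOINT = "/cgi-bin/luci/rpc/auth"
# Characters a POSIX shell treats specially; a login name has no reason to carry them.
SHELL_META = re.compile(r"[;&|`$(){}<>\n\r\\'\"]")
MAX_USERNAME = 64


def is_suspicious_auth_request(path: str, params: dict) -> bool:
    """Proxy/WAF-side check: flag auth requests whose username looks like shell input
    (metacharacters or an oversized value). Useful while a device is still unpatched."""
    if path != AUTH_ENDPOINT:
        return False
    user = params.get("username", "")
    return len(user) > MAX_USERNAME or SHELL_META.search(user) is not None


def failed_login_command(username: str) -> str:
    """If a shell command line must be built at all (the shape the advisory describes),
    quote the untrusted value so the shell sees it as one literal word, never as syntax."""
    return "logger -t auth " + shlex.quote(f"auth failed for user {username}")


def format_failed_login(username: str) -> str:
    """Preferred fix: no shell. Keep the username as data, bounded and printable-only."""
    clean = re.sub(r"[^\x20-\x7e]", "?", username)[:MAX_USERNAME]
    return f"auth failed for user {clean!r}\n"


def record_failed_login(username: str, log_path: Path) -> str:
    """Write the record with plain file I/O; nothing in it is ever interpreted."""
    line = format_failed_login(username)
    with log_path.open("a", encoding="ascii") as fh:
        fh.write(line)
    return line


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    samples = [
        (AUTH_ENDPOINT, {"username": "admin", "password": "x"}),
        (AUTH_ENDPOINT, {"username": "admin;x", "password": "x"}),
        ("/cgi-bin/luci/status", {"username": "a|b"}),
    ]
    for path, params in samples:
        print(path, params["username"], "->", is_suspicious_auth_request(path, params))
```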

Fix · Code Injection


Weakness Enumeration

Related Identifiers: CVE-2025-67038

Affected Products:
Eds5008 Firmware
Eds5016 Firmware
Eds5032 Firmware