CVE-2025-67039

Name of the Vulnerable Software and Affected Versions Lantronix EDS3000PS version 3.1.0.0R2

Description A security issue exists in Lantronix EDS3000PS version 3.1.0.0R2 where authentication on management pages can be bypassed. This bypass is achieved by appending a specific suffix to the URL and submitting an Authorization header utilizing 'admin' as the username. Successful exploitation allows attackers to bypass authentication. Reports indicate that attackers are chaining this authentication bypass with OS command injection flaws to gain root access on Lantronix devices, potentially enabling lateral movement across network infrastructure.

Recommendations Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, restrict access to the management pages of the Lantronix EDS3000PS device.