PT-2026-24723 · Lantronix · Eds5008 Firmware+2
Published
2026-03-11
·
Updated
2026-03-15
·
CVE-2025-67038
CVSS v3.1
9.8
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Lantronix EDS5000 version 2.1.0.0R3
Description
An issue exists in the Lantronix EDS5000 where the HTTP RPC module executes a shell command to write logs upon user authentication failure. The
username parameter is directly concatenated into this command without proper sanitization, allowing attackers to inject arbitrary operating system commands. These injected commands are executed with root privileges. The vulnerable component is the HTTP RPC module. The affected API endpoint is not explicitly mentioned.Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Code Injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Eds5008 Firmware
Eds5016 Firmware
Eds5032 Firmware