[KEV] CVE-2025-67038 -- CVSS 0.0 Vulnerability Briefing
[KEV] CVE-2025-67038 | CVSS 0.0 (Low) | Exploit: Operational
What Is It
CVE-2025-67038 is an OS command injection vulnerability in the Lantronix EDS5000 device server, exploitable through the username parameter of the device's interface.
Technical Detail
The flaw exists because user-supplied input in the username parameter is not properly sanitized before being passed to the underlying operating system, allowing an attacker to inject arbitrary OS commands. Exploitation does not require elevated privileges on the part of the attacker, as injected commands are executed directly with root privileges on the host system. The practical impact is unauthenticated or low-privilege remote code execution with full system control, including the ability to modify configurations, exfiltrate data, or pivot to connected network segments.
Exploitation Status
CISA has confirmed active exploitation in the wild, with this vulnerability added to the Known Exploited Vulnerabilities catalog on June 23, 2026. The exploit maturity is rated Operational, meaning functional exploit code capable of reliable, real-world use exists and is being actively leveraged against targets. This is not a theoretical or proof-of-concept risk.
Who Is Targeting This
No specific threat actor attribution at this time. Neither confirmed nor reported threat actor associations have been established for this vulnerability. Given the nature of the affected device class and confirmed active exploitation, opportunistic scanning and targeting by unattributed actors is the most likely current threat profile.
What To Do
Per CISA's Known Exploited Vulnerabilities binding directive, federal agencies and organizations subject to BOD 22-01 must apply vendor-supplied patches or implement mitigations by the deadline associated with the June 23, 2026 KEV listing. Administrators should immediately audit all Lantronix EDS5000 deployments, apply any available firmware updates from Lantronix, and restrict network access to the management interface using firewall rules or network segmentation. If a patch is not yet available, isolate affected devices from untrusted networks and disable remote access to the username parameter endpoint where operationally feasible. Detection efforts should focus on anomalous process execution originating from the EDS5000 service, unexpected outbound connections from device management interfaces, and authentication log anomalies indicating injection attempts.