Description
An issue was discovered in Lantronix EDS5000 2.1.0.0R3. The HTTP RPC module executes a shell command to write a log entry when a user's authentication fails. The username is directly concatenated into that command without any sanitization. This allows attackers to inject arbitrary OS commands through the username parameter. Injected commands are executed with root privileges.
Published: 2026-03-11
Score: 9.8 Critical
EPSS: 1.1% Low
KEV: Yes
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is in the HTTP RPC module of Lantronix EDS5000 firmware 2.1.0.0 R3. When an authentication attempt fails, the module records the event by building a shell command and concatenating the supplied username into it unchanged. Because nothing is filtered or quoted, shell metacharacters in the username terminate the intended command and start an attacker-chosen one, and because the logging command runs as root, the result is full compromise of the device and a foothold on the network it is attached to. The page records the weakness as CWE-94 (Improper Control of Generation of Code via User-Supplied Input); the behaviour described, untrusted input spliced into an OS command line, is the classic OS command injection pattern (CWE-78), and the fix is the same under either label: attacker-controlled text must never reach a shell.

Affected Systems

Affected products are Lantronix EDS5000 series devices, including the EDS5008, EDS5016, and EDS5032 models, all running firmware version 2.1.0.0 R3.

Risk and Exploitability

The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, score 9.8) describes an unauthenticated network attack with no user interaction: the injection fires on a failed login, so the attacker needs no valid credentials. The EPSS score is low (1.1%), but the CVE has been added to the CISA KEV catalog and its SSVC Exploitation status was changed from 'none' to 'active', which means exploitation has been observed regardless of what the probabilistic score suggests. A remote attacker sends an authentication request to the HTTP RPC interface with a username that contains shell metacharacters followed by a command; the login fails, the logging command is executed, and the injected command runs as root. From that context anything is possible: installing persistent backdoors, reading device configuration and credentials, moving laterally into the connected network, or taking the device offline.
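The pattern the analysis describes, shown as an added illustration in C. This is not Lantronix's code: the real module's function names, log path and command are not published on this page, so the echo-to-logfile command, the log path and the username rules below are assumptions made for the example. The block shows the vulnerable command builder of the kind that would be handed to system(), a metacharacter check that doubles as the detection rule for the monitoring recommendation in the actions below, and a hardened logger that never invokes a shell at all.

```c
/*
 * Hypothetical illustration of an OS command injection via a logging
 * command. Not Lantronix code: the command, log path and validation rules
 * are assumed for demonstration only.
 */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stdbool.h>

#define LOG_PATH "/var/log/auth_fail.log"   /* assumed path */

/* VULNERABLE pattern: the untrusted username is interpolated into a shell
 * command string that the firmware would then pass to system() or popen().
 * The string is only built here, never executed. */
int build_auth_failure_cmd(char *out, size_t out_len, const char *username)
{
    return snprintf(out, out_len,
                    "echo auth failed for user %s >> " LOG_PATH, username);
}

/* Detection rule: would /bin/sh interpret this value as more than plain
 * text? Flags the characters a shell treats specially. */
bool has_shell_metachars(const char *s)
{
    static const char meta[] = ";|&$`\\\"'<>(){}\n\r";
    for (; *s; s++)
        if (strchr(meta, *s))
            return true;
    return false;
}

/* HARDENED, defence in depth: allow-list the identifier. In this model a
 * username is 1..32 characters from [A-Za-z0-9._-]. */
bool username_is_valid(const char *u)
{
    size_t n = strlen(u);
    if (n == 0 || n > 32)
        return false;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)u[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-'))
            return false;
    }
    return true;
}

/* HARDENED, the real fix: no shell involved. The log line is formatted
 * in-process, so the username is data and cannot become a command.
 * Returns the number of bytes formatted, or a negative value on error. */
int format_auth_failure_line(char *out, size_t out_len, const char *username)
{
    if (!username_is_valid(username))
        username = "<invalid-username>";
    return snprintf(out, out_len, "auth failed for user %s\n", username);
}

/* Append the formatted line to the log file with stdio instead of a shell. */
int log_auth_failure_safe(const char *path, const char *username)
{
    char line[128];
    if (format_auth_failure_line(line, sizeof line, username) < 0)
        return -1;
    FILE *f = fopen(path, "a");
    if (!f)
        return -1;
    int rc = (fputs(line, f) == EOF) ? -1 : 0;
    fclose(f);
    return rc;
}

int main(void)
{
    /* Constructed input: a username that ends the echo and starts `id`. */
    const char *evil = "admin; id";
    char cmd[256], line[128];

    build_auth_failure_cmd(cmd, sizeof cmd, evil);
    printf("vulnerable command string: %s\n", cmd);
    printf("shell metacharacters present: %s\n",
           has_shell_metachars(evil) ? "yes" : "no");
    printf("allow-list accepts it: %s\n",
           username_is_valid(evil) ? "yes" : "no");
    format_auth_failure_line(line, sizeof line, evil);
    printf("hardened log line: %s", line);
    return 0;
}
```

The durable fix is the third function: write the log line with stdio or syslog(3) so there is no command line for the username to escape from. Allow-listing is an extra layer and is also the rule a detector should apply to failed-login usernames; escaping values for the shell is the fragile option and is deliberately not shown.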

Generated by OpenCVE AI on June 24, 2026 at 12:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade EDS5000-series devices to a firmware release that fixes the issue as soon as Lantronix publishes one; no fixed version is listed on this page, so check the vendor's advisories directly.
  • Until a fix is available, restrict access to the HTTP RPC interface to a management network or jump host and block it at the firewall from everywhere else; these devices should never be reachable from the internet.
  • Disable the HTTP RPC service entirely if it is not required for legitimate operations.
  • Monitor for failed authentication attempts whose username contains shell metacharacters (;, |, &, $, backticks, quotes, redirects), for unexpected processes or outbound connections from the device, and for configuration changes. Because the CVE is in KEV with an active exploitation status, treat exposed devices as candidates for a compromise assessment, not only for patching.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 13:00:00 +0000

Type Values Removed Values Added
Title Root Privilege OS Command Injection via Unchecked Username in HTTP RPC Logging

Wed, 24 Jun 2026 06:00:00 +0000

Type Values Removed Values Added
Title Root Privilege OS Command Injection via Unchecked Username in HTTP RPC Logging

Tue, 23 Jun 2026 23:15:00 +0000

Type Values Removed Values Added
Title Root Privilege OS Command Injection via Unvalidated Username in Lantronix EDS5000 Logging

Tue, 23 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
References
Metrics ssvc
  Removed: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}
  Added:   {'options': {'Automatable': 'yes', 'Exploitation': 'active', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 23 Jun 2026 18:00:00 +0000

Type Values Removed Values Added
Metrics kev

{'dateAdded': '2026-06-23T00:00:00+00:00', 'dueDate': '2026-06-26T00:00:00+00:00'}


Fri, 20 Mar 2026 14:45:00 +0000

Type Values Removed Values Added
Title Root Privilege OS Command Injection via Unvalidated Username in Lantronix EDS5000 Logging

Thu, 19 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Lantronix eds5008
Lantronix eds5008 Firmware
Lantronix eds5016
Lantronix eds5016 Firmware
Lantronix eds5032
Lantronix eds5032 Firmware
CPEs cpe:2.3:h:lantronix:eds5008:-:*:*:*:*:*:*:*
cpe:2.3:h:lantronix:eds5016:-:*:*:*:*:*:*:*
cpe:2.3:h:lantronix:eds5032:-:*:*:*:*:*:*:*
cpe:2.3:o:lantronix:eds5008_firmware:2.1.0.0:r3:*:*:*:*:*:*
cpe:2.3:o:lantronix:eds5016_firmware:2.1.0.0:r3:*:*:*:*:*:*
cpe:2.3:o:lantronix:eds5032_firmware:2.1.0.0:r3:*:*:*:*:*:*
Vendors & Products Lantronix eds5008
Lantronix eds5008 Firmware
Lantronix eds5016
Lantronix eds5016 Firmware
Lantronix eds5032
Lantronix eds5032 Firmware

Thu, 12 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-94
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 12 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Lantronix
Lantronix eds5000
Vendors & Products Lantronix
Lantronix eds5000

Wed, 11 Mar 2026 16:30:00 +0000

Type Values Removed Values Added
Description An issue was discovered in Lantronix EDS5000 2.1.0.0R3. The HTTP RPC module executes a shell command to write a log entry when a user's authentication fails. The username is directly concatenated into that command without any sanitization. This allows attackers to inject arbitrary OS commands through the username parameter. Injected commands are executed with root privileges.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-24T03:55:55.179Z

Reserved: 2025-12-08T00:00:00.000Z

Link: CVE-2025-67038

Vulnrichment

Updated: 2026-03-12T16:05:43.751Z

NVD

Status : Analyzed

Published: 2026-03-11T17:16:52.010

Modified: 2026-06-17T09:57:23.827

Link: CVE-2025-67038

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T12:45:04Z

Weaknesses
  • CWE-94

    Improper Control of Generation of Code ('Code Injection')