Description
An issue in Lantronix EDS3000PS v.3.1.0.0R2 allows an attacker to execute arbitrary code and obtain sensitive information via the ltrx_evo component
Published: 2026-03-11
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Apply Patch
AI Analysis

Impact

An issue in Lantronix EDS3000PS firmware v.3.1.0.0R2 enables an attacker to execute arbitrary code through the ltrx_evo component and obtain sensitive information. The weaknesses assigned to the record are OS command injection (CWE-78), unverified password change (CWE-620), and authentication bypass using an alternate path or channel (CWE-288), allowing a compromised device to run arbitrary commands and expose confidential data.

Affected Systems

Devices referenced in the CPE data are the Lantronix EDS3008PS1NS and EDS3016PS1NS models running firmware version 3.1.0.0R2. While the CVE description names the EDS3000PS product, the provided CPE strings identify the EDS3008PS1NS/EDS3016PS1NS hardware, indicating that the vulnerability may affect these specific device variants with the cited firmware revision.

Risk and Exploitability

The CVSS base score of 9.8 classifies this flaw as critical, and an EPSS estimate under 1% suggests that exploitation is currently unlikely. The vulnerability is not yet listed in CISA's KEV catalog. The description does not specify authentication requirements; it is inferred that remote attackers able to reach the device over the network could invoke the ltrx_evo component and trigger the flaw, potentially leading to full system compromise and unauthorized data disclosure.

Generated by OpenCVE AI on March 19, 2026 at 22:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the Lantronix website for any firmware updates for the EDS3008PS1NS and EDS3016PS1NS models and apply the latest patch if available
  • If a patch is not available, isolate affected devices behind a firewall and restrict network access to trusted internal hosts only
  • Enable detailed device logging and review logs for anomalous use of the ltrx_evo component
  • If feasible, disable or restrict the ltrx_evo service according to vendor guidance

Advisories

No advisories yet.

History

Fri, 20 Mar 2026 14:45:00 +0000

Type: Title
Values Removed:
Values Added: Arbitrary Code Execution via ltrx_evo Component in Lantronix EDS3000PS Firmware 3.1.0.0R2

Thu, 19 Mar 2026 20:15:00 +0000

Type: First Time appeared
Values Removed:
Values Added:
  • Lantronix eds3008ps1ns
  • Lantronix eds3008ps1ns Firmware
  • Lantronix eds3016ps1ns
  • Lantronix eds3016ps1ns Firmware

Type: CPEs
Values Removed:
Values Added:
  • cpe:2.3:h:lantronix:eds3008ps1ns:-:*:*:*:*:*:*:*
  • cpe:2.3:h:lantronix:eds3016ps1ns:-:*:*:*:*:*:*:*
  • cpe:2.3:o:lantronix:eds3008ps1ns_firmware:3.1.0.0:r2:*:*:*:*:*:*
  • cpe:2.3:o:lantronix:eds3016ps1ns_firmware:3.1.0.0:r2:*:*:*:*:*:*

Type: Vendors & Products
Values Removed:
Values Added:
  • Lantronix eds3008ps1ns
  • Lantronix eds3008ps1ns Firmware
  • Lantronix eds3016ps1ns
  • Lantronix eds3016ps1ns Firmware

Thu, 12 Mar 2026 10:15:00 +0000

Type: First Time appeared
Values Removed:
Values Added:
  • Lantronix
  • Lantronix eds3000ps

Type: Vendors & Products
Values Removed:
Values Added:
  • Lantronix
  • Lantronix eds3000ps

Wed, 11 Mar 2026 19:15:00 +0000

Type: Weaknesses
Values Removed:
Values Added:
  • CWE-288
  • CWE-620
  • CWE-78

Type: Metrics
Values Removed:
Values Added:
  • cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
  • ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 11 Mar 2026 16:30:00 +0000

Type: Description
Values Removed:
Values Added: An issue in Lantronix EDS3000PS v.3.1.0.0R2 allows an attacker to execute arbitrary code and obtain sensitive information via the ltrx_evo component
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-11T18:20:38.371Z

Reserved: 2026-01-09T00:00:00.000Z

Link: CVE-2025-70082

Vulnrichment

Updated: 2026-03-11T18:11:51.682Z

NVD

Status: Analyzed

Published: 2026-03-11T17:16:53.197

Modified: 2026-03-19T20:08:50.837

Link: CVE-2025-70082

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T14:33:43Z

Weaknesses