Advisory

Critical Vulnerabilities in Lantronix EDS Series Allow Root-Level Takeover

Take action: If you are using Lantronix terminal servers, review this advisory. As usual, the first priority is to isolate these devices from the public internet and restrict management access to trusted VPNs only. Then plan a prompt update cycle; do not ignore these issues. Two of the flaws are critical and trivial to exploit, and attackers will find a way around network isolation given enough time.


Learn More

CISA reports eight security vulnerabilities affecting Lantronix EDS3000PS and EDS5000 terminal servers. These flaws could allow attackers to bypass authentication and run arbitrary commands with root privileges.

Vulnerabilities summary:

  • CVE-2025-67038 (CVSS score 9.8) - An OS command injection vulnerability in the HTTP RPC module that occurs when the system writes logs for failed authentication attempts. Attackers can inject malicious commands into the username parameter, which the system concatenates directly into a shell command, allowing unauthenticated remote code execution with root privileges.
  • CVE-2025-67039 (CVSS score 9.8) - An authentication bypass vulnerability where attackers can access management pages by appending a specific suffix to the URL. By combining this suffix with an Authorization header using the "admin" username, an attacker can gain unauthorized access to the device configuration.
  • CVE-2025-67034 (CVSS score 7.2) - An OS command injection flaw in the SSL credential deletion process. Authenticated attackers can use the "name" parameter to run commands as root because the management interface fails to sanitize input before execution.
  • CVE-2025-67035 (CVSS score 7.2) - Multiple OS command injection vulnerabilities within the SSH Client and SSH Server pages. The system does not sanitize parameters during the deletion of server keys, users, or known hosts, letting attackers run arbitrary code with root-level access.
  • CVE-2025-67036 (CVSS score 7.2) - A command injection vulnerability in the Log Info page, which lets users view log files. Attackers can manipulate the file name parameter to escape the intended directory and run system commands with root privileges.
  • CVE-2025-67037 (CVSS score 7.2) - An OS command injection flaw triggered when terminating a tunnel connection. Attackers can inject commands into the "tunnel" parameter, which the system executes with root privileges during the connection teardown.
  • CVE-2025-67041 (CVSS score 7.2) - A command injection vulnerability in the TFTP client of the Filesystem Browser page. The host parameter lacks proper sanitization, allowing attackers to escape the original command and run arbitrary OS commands as root.
  • CVE-2025-70082 (CVSS score 2.7) - An unverified password change vulnerability that allows the administrator password to be reset without knowing the current one. When chained with the authentication bypass (CVE-2025-67039), this allows unauthenticated attackers to take permanent control of the device.
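Seven of the eight entries above share two root causes: a request parameter spliced into a shell command string (the username, "name", "tunnel", "host" and key/user parameters), and a file-name parameter that is allowed to leave its directory. The block below is an added illustration, not Lantronix code and not a reconstruction of the EDS firmware: it shows each hypothetical vulnerable pattern next to the hardened form a developer would use instead. The function names, the `logger` invocation, the identifier allow-list and all sample inputs are assumptions made for the example.

```python
# Added example (not Lantronix code): the two defects the advisory describes,
# untrusted parameters reaching a shell and a file name escaping its directory,
# each beside a hardened alternative. All names and inputs are constructed.
import logging
import re
import shlex
from pathlib import Path
from typing import List, Optional

# --- 1. Failed-login logging (the CVE-2025-67038 pattern) --------------------

def build_log_command_vulnerable(username: str) -> str:
    # Hypothetical vulnerable pattern: the username is pasted into a shell
    # command string. Any quote or metacharacter in it changes how the shell
    # parses the whole line, so the parameter controls what gets executed.
    return f"logger -t rpc 'failed login for user {username}'"

def build_log_command_hardened(username: str) -> List[str]:
    # Hardened: build an argv list for exec-style APIs (subprocess without
    # shell=True in Python, execve in C). The username is always exactly one
    # argument, whatever characters it contains, because no shell parses it.
    return ["logger", "-t", "rpc", f"failed login for user {username}"]

def shell_words(command: str) -> List[str]:
    # Tokenise the way a POSIX shell would (shlex follows the same quoting
    # rules); raises ValueError when the input leaves a quote unbalanced,
    # which is the first sign that the parameter is steering the parser.
    return shlex.split(command)

def log_failed_login(username: str) -> str:
    # Best option: no child process at all. Log in-process and neutralise
    # control characters so a crafted name cannot forge extra log lines.
    cleaned = "".join(ch if ch.isprintable() else "?" for ch in username)[:64]
    line = f"failed login for user {cleaned!r}"
    logging.getLogger("rpc").warning(line)
    return line

# --- 2. Identifier parameters ("name", "tunnel", "host", key/user names) -----

_IDENT = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")

def is_safe_identifier(value: str) -> bool:
    # Allow-list instead of stripping "bad" characters: credential names,
    # tunnel ids and TFTP host names only ever need this character set.
    return _IDENT.fullmatch(value) is not None

# --- 3. File-name parameter confined to a directory (CVE-2025-67036 pattern) -

def resolve_log_file(base_dir: str, name: str) -> Optional[Path]:
    # Resolve the requested name against the log directory and accept it only
    # when the canonical result still lies inside that directory. Rejects
    # "../" sequences, absolute paths and the directory itself.
    base = Path(base_dir).resolve()
    target = (base / name).resolve()
    if target == base or base not in target.parents:
        return None
    return target

if __name__ == "__main__":
    # Constructed inputs: a legitimate name containing an apostrophe is enough
    # to show the vulnerable form breaks, while the hardened form keeps it whole.
    print(build_log_command_hardened("o'brien"))
    print(log_failed_login("bob\nfake entry"))
    print(is_safe_identifier("tunnel-1"), is_safe_identifier("key;x"))
    print(resolve_log_file("/var/log/eds", "../../etc/passwd"))
```

The point of `shell_words` is diagnostic only: if a parameter can make the shell tokeniser fail or produce extra words, the same parameter can make it run extra commands, which is why the hardened path never hands the value to a shell at all. For the file-name case, `resolve_log_file` compares canonical paths rather than looking for ".." substrings, so symlinks and encoded separators are handled by the filesystem rather than by a string filter.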

The following product versions are confirmed to be affected:

  • Lantronix EDS3000PS: Version 3.1.0.0R2
  • Lantronix EDS5000: Version 2.1.0.0R3

Lantronix has released firmware updates to address these issues and recommends that all users apply them immediately. Users of the EDS3000PS series should upgrade to version 3.2.0.0R2, while EDS5000 users should move to version 2.2.0.0R1. 

CISA advises organizations to isolate these devices from the internet, place them behind firewalls, and use secure VPNs for any required remote access to minimize the attack surface.
