What is the CVSS score of CVE-2025-67038?

CVE-2025-67038 has a CVSS 3.1 base score of 9.8 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.0%.

Which versions of Lantronix EDS5000 are affected by CVE-2025-67038?

A critical vulnerability in Lantronix EDS5000 devices (CVE-2025-67038) allows unauthenticated attackers to execute arbitrary shell commands through failed authentication attempts, potentially…

How to fix or mitigate CVE-2025-67038?

Within 24 hours: Inventory all Lantronix EDS5000 devices running version 2.1.0.0R3 and isolate affected systems from critical network segments. Within 7 days: Implement network-level access controls restricting HTTP RPC module exposure and enable enhanced logging and monitoring for authentication failures on affected devices. Within 30 days: Evaluate vendor security updates, contact Lantronix for patch availability or end-of-life guidance, and develop migration plan for replacement or remediation.

Lantronix EDS5000 CVE-2025-67038

CRITICAL

Code Injection (CWE-94)

2026-03-11 cve@mitre.org

Command Injection

9.8

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

9.8 CRITICAL

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 22:06 vuln.today

CVE Published

Mar 11, 2026 - 17:16 nvd

CRITICAL 9.8

DescriptionCVE.org

An issue was discovered in Lantronix EDS5000 2.1.0.0R3. The HTTP RPC module executes a shell command to write logs when user's authantication fails. The username is directly concatenated with the command without any sanitization. This allow attackers to inject arbitrary OS commands into the username parameter. Injected commands are executed with root privileges.

Articles & Coverage 1

vulnerability.circl.lu Lantronix EDS3000PS/EDS5000 Multiple Critical Vulnerabilities (CVE-2025-67034 to CVE-2025-70082) Mar 11, 2026

AnalysisAI

Critical vulnerability in Lantronix EDS serial device server (EDS5000/EDS3000PS). Multiple injection and auth bypass vulnerabilities in the management interface.

Technical ContextAI

Multiple vulnerability types in Lantronix EDS management interface.

Affected ProductsAI

Lantronix EDS5000/EDS3000PS

RemediationAI

Apply firmware update. Restrict management access.

CVE-2025-67038 vulnerability details – vuln.today

Back

Lantronix EDS5000 CVE-2025-67038

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

Articles & Coverage 1

AnalysisAI

Technical ContextAI

Affected ProductsAI

RemediationAI

Share

External POC / Exploit Code