ByteOS Network

EDS5000

Source -

CISA

CNA CVEs -

ADP CVEs -

CISA CVEs -

NVD CVEs -

1Vulnerabilities found

CVE-2025-67038

Assigner-MITRE Corporation

View Details

Assigner-MITRE Corporation

CVSS Score-9.8||CRITICAL

EPSS-0.47% / 36.91%

7 Day CHG~0.00%

Published-11 Mar, 2026 | 00:00

Updated-24 Jun, 2026 | 05:17

Known KEV||Action Due Date - 2026-06-26||Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.

An issue was discovered in Lantronix EDS5000 2.1.0.0R3. The HTTP RPC module executes a shell command to write logs when user's authantication fails. The username is directly concatenated with the command without any sanitization. This allow attackers to inject arbitrary OS commands into the username parameter. Injected commands are executed with root privileges.

Vendor-lantronix n/a Lantronix

Product-eds5016_firmware eds5008 eds5008_firmware eds5032 eds5016 eds5032_firmware n/a EDS5000

CWE ID-CWE-94

Improper Control of Generation of Code ('Code Injection')