Lantronix EDS5000 CVE-2025-67038 Actively Exploited in BRIDGE:BREAK Campaign

On June 23, 2026, CISA added CVE-2025-67038, an unauthenticated remote code execution vulnerability impacting Lantronix EDS5000 Series devices, to its Known Exploited Vulnerabilities (KEV) catalog, citing active exploitation. This critical flaw (CVSS 9.8) allows full device takeover with root privileges, posing a severe risk to operational technology (OT) and critical infrastructure environments. Federal Civilian Executive Branch (FCEB) agencies must patch affected systems by June 26, 2026, per Binding Operational Directive (BOD) 22-01, as reported by DailyCybersecurity. Patch it now.

What Happened

Forescout Research Vedere Labs initially disclosed CVE-2025-67038 in April 2026 as part of a broader set of 22 vulnerabilities dubbed "BRIDGE:BREAK," affecting various serial-to-IP converters, according to SentinelOne. This specific flaw targets Lantronix EDS5000 Series devices running firmware version 2.1.0.0R3 and earlier. The vulnerability is a code injection flaw within the device's HTTP RPC module.

When an authentication attempt fails on the device, the module executes a shell command to log the event. The critical error is that the username supplied by the attacker is directly concatenated into this shell command without any sanitization. This unsanitized input allows an unauthenticated attacker to inject arbitrary operating system commands.

Since this logging functionality operates with root privileges, any injected commands are executed with elevated permissions, granting the attacker full control over the device, as TheHackerNews reported. CISA confirmed active exploitation by June 23, 2026, adding it to their KEV catalog. Attackers are currently using this exploit in the wild.

Why It Matters

CVE-2025-67038 represents a direct path to full device compromise on critical infrastructure. Serial-to-IP converters like the Lantronix EDS5000 bridge legacy industrial equipment and modern IP networks. Exploiting them allows attackers to move laterally from IT to OT networks, control industrial processes, and cause significant disruption.

Forescout identified approximately 20,000 such serial-to-IP converters from major vendors, including Lantronix, directly exposed to the internet, according to SentinelOne. Industries such as utilities, healthcare, manufacturing, retail, financial services, and transportation all rely on these devices.

Successful exploitation can lead to operational disruption, tampering with sensor values, modification of actuator behavior, and even safety risks. This includes control over railway signaling, fire alarm systems, or fuel management systems. The impact extends beyond data exfiltration; it can directly affect physical operations and human safety, SecurityAffairs reported. This vulnerability is critical.

Affected Scope & Remediation

CVE-2025-67038 specifically affects Lantronix EDS5000 Series devices running firmware version 2.1.0.0R3 and earlier. These serial-to-IP converters are foundational to many OT environments, translating commands between legacy serial equipment and IP-based management systems.

Lantronix has released a patch for this critical issue. Users must upgrade their EDS5000 devices to firmware version 2.2.0.0R1 immediately. For FCEB agencies, CISA's BOD 22-01 mandates patching by June 26, 2026, just 3 days after its KEV catalog inclusion, as DailyCybersecurity reported. This deadline highlights the urgency of the threat.

Product                    Vulnerable Version Range   Fixed Version
Lantronix EDS5000 Series   <= 2.1.0.0R3               2.2.0.0R1
[Key metrics chart: data from sources cited above]

Patch Links:

Timeline:

  • April 2026: Initial disclosure by Forescout Research Vedere Labs as part of BRIDGE:BREAK.
  • June 23, 2026: CISA adds CVE-2025-67038 to its KEV catalog, confirming active exploitation.
  • June 26, 2026: CISA's mandated patching deadline for FCEB agencies.

If immediate patching isn't possible, strong network segmentation and access controls are paramount. Place these devices behind firewalls, limit their exposure to only necessary internal networks, and ensure they are not directly accessible from the internet. Cloudflare Zero Trust can help implement strict access policies for remote management without exposing the devices directly. Monitoring network traffic for unusual activity originating from these devices can also buy time, and tools like SentinelOne can provide endpoint visibility on connected IT assets.

NVD advisory — CVE-2025-67038

Technical Breakdown

The core of CVE-2025-67038 lies in a classic code injection vulnerability within the HTTP RPC module of the Lantronix EDS5000. When an unauthenticated user attempts to log in and that attempt fails, the device's logging mechanism kicks in. Instead of simply logging the failed attempt, the system constructs a shell command to record the event. The fatal flaw is that the username field provided by the attacker is directly embedded into this shell command without any proper sanitization or escape characters.

Imagine a security guard at a building (the EDS5000 device). When someone tries to enter with the wrong credentials, the guard writes down their name in a logbook. If an attacker gives their "name" as '; rm -rf / ;', the guard, instead of just writing the literal string, executes it because the logbook entry system is designed to directly run anything that looks like a command. Since the guard has master keys (root privileges), the command runs with full authority.

This means an attacker can provide a username like 'attacker'; arbitrary_command_here # during a failed authentication. The server then attempts to log this "username" by executing something like logger -p auth.err "Failed login for 'attacker'; arbitrary_command_here #'". The shell sees the semicolon, terminates the logging command, and executes arbitrary_command_here with root privileges.

This attack maps directly to T1190 Exploit Public-Facing Application for initial access, as the vulnerability is in an externally facing HTTP service. Once arbitrary commands are executed with root privileges, it also aligns with T1068 Exploitation for Privilege Escalation. Preventing this kind of attack falls under NIST SP 800-53 control SI-10 Information Input Validation, which emphasizes the need to validate all input to prevent command injection. Additionally, AC-6 Least Privilege would dictate that logging functions, especially those handling external input, should not execute with root privileges.
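To make the input-validation point concrete, the following Python snippet contrasts the vulnerable pattern described above (untrusted username spliced into a shell command string) with a hardened version that never involves a shell and an SI-10 style allowlist check. This is an added illustration, not Lantronix firmware code or Forescout's proof of concept: the `logger -p auth.err` command template, the function names, the allowlist pattern and the `injected_cmd` placeholder are all assumptions chosen to mirror the flaw the article describes.

```python
"""Unsafe vs. safe handling of an untrusted username in a failed-login
logging routine.  Added example, not device code: the command template,
function names and the `injected_cmd` placeholder are assumptions."""
import re
import shlex

# Allowlist for SI-10 style input validation (an assumption; tighten or
# loosen it to match the account namespace the device actually supports).
USERNAME_RE = re.compile(r"^[A-Za-z0-9._@-]{1,64}$")


def build_log_command_unsafe(username: str) -> str:
    """Vulnerable pattern: the attacker-controlled username is spliced into
    one command string that a system()-style call hands to /bin/sh.  A
    closing quote followed by ';' ends the logging command and starts
    another, which then runs with whatever privileges the logger has."""
    return f"logger -p auth.err 'Failed login for {username}'"


def shell_words(command: str) -> list[str]:
    """Tokenise a command string the way a POSIX shell would, so that
    ';', '|', '&&' and friends appear as separate tokens."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    return list(lexer)


def commands_in(command: str) -> int:
    """Number of distinct commands a shell would execute for `command`:
    one more than the number of command separators it tokenises to."""
    separators = {";", "&&", "||", "|", "&"}
    return 1 + sum(1 for tok in shell_words(command) if tok in separators)


def build_log_argv_safe(username: str) -> list[str]:
    """Hardened pattern: build an argv list and run it execve-style
    (e.g. subprocess.run(argv) with no shell).  The username is a single
    argument no matter which characters it contains, so it cannot end
    the command or start a new one."""
    return ["logger", "-p", "auth.err", f"Failed login for {username}"]


def username_is_valid(username: str) -> bool:
    """Defence in depth: reject anything outside a strict allowlist before
    it reaches the authentication or logging code path at all."""
    return USERNAME_RE.fullmatch(username) is not None


if __name__ == "__main__":
    # Constructed hostile username: closes the quote, terminates the logger
    # command and comments out the remainder of the line.
    hostile = "'; injected_cmd #"
    unsafe = build_log_command_unsafe(hostile)
    print("unsafe command string :", unsafe)
    print("commands a shell sees :", commands_in(unsafe))      # 2
    print("safe argv             :", build_log_argv_safe(hostile))
    print("allowlist accepts it? :", username_is_valid(hostile))  # False
```

The fix that removes the bug class entirely is the argv form (or, better still, calling the logging facility directly rather than spawning a process); the allowlist is a second layer, and running the logging routine as an unprivileged user rather than root limits the blast radius if both fail.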

Historical Context

Attackers exploiting serial-to-IP converters in critical infrastructure is a recurring nightmare for OT security teams. The 2015 Ukraine power grid attack, where Russian threat actors, believed to be the Sandworm group, used compromised Moxa devices—another brand of serial-to-IP converter—to gain control and disrupt power distribution, is a notable incident. This resulted in widespread blackouts for hundreds of thousands of citizens, as Wired reported.

More recently, a December 2025 attack on Polish wind and solar farms involved the compromise of Moxa NPort servers, underscoring the ongoing threat these devices pose to renewable energy infrastructure, Reuters reported.

The similarity lies in the target: serial-to-IP converters acting as conduits to industrial control systems. These devices are often forgotten, unpatched, and directly exposed. The difference in CVE-2025-67038 is the specific command injection vector and the explicit use of unauthenticated access for root compromise. The pattern remains: small, often overlooked devices are critical attack surfaces.

Data at a Glance

Metric                       Value            Source
CVSS Score                   9.8              CVE-2025-67038 NVD Entry
Exposed Devices              20,000+          SentinelOne, citing Forescout
CISA KEV to Patch Deadline   3 days           DailyCybersecurity
Initial Disclosure           April 2026       SentinelOne
Vulnerability Type           Code Injection   TheHackerNews

The CVEDaily Take

This isn't a complex zero-day with novel techniques; it's a fundamental input validation failure with severe consequences. The active exploitation and CISA's KEV listing underscore the immediate threat. This vulnerability provides a straightforward, unauthenticated root shell — a dream scenario for any attacker targeting OT. We think Forescout is likely understating the potential impact, given the ubiquity of these devices and the documented history of similar compromises.

When was the last time your team audited your serial-to-IP converters for direct internet exposure?

FAQ

Q1: What specific actions should I take immediately regarding Lantronix EDS5000 devices?
A1: Immediately upgrade any Lantronix EDS5000 Series devices to firmware version 2.2.0.0R1 or later. If immediate patching is not feasible, isolate the devices from direct internet access, implement strict firewall rules to limit network exposure to only trusted internal management networks, and monitor for any unusual outbound connections.

Q2: How can I detect if my Lantronix EDS5000 devices are compromised by CVE-2025-67038?
A2: Since the vulnerability grants root access, detecting compromise can be challenging if an attacker cleans up their tracks. Look for unexpected outgoing network connections from the device, unusual log entries indicating command execution (though these might be suppressed), or unauthorized configuration changes. Reviewing firewall logs for connections to known malicious IPs from the device could also be an indicator.
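One concrete way to hunt for the "unusual log entries" mentioned in A2 is to scan forwarded authentication-failure events for usernames that contain shell metacharacters or are implausibly long, and to tally failures per source address. The Python scanner below is an added example, not a Lantronix, CISA or vendor tool; the log line format and the sample lines are constructed for illustration, so the `FAILED_RE` pattern must be adapted to whatever your syslog collector or the proxy in front of the HTTP RPC interface actually records (a successful injection may alter or suppress the device's own log line, so a capture point outside the device is the more reliable source).

```python
"""Scan failed-login log lines for command-injection attempts against a
serial-to-IP converter's HTTP login.  Added example with a constructed
log format; adjust FAILED_RE to your real collector's output."""
import re
from dataclasses import dataclass

# Constructed sample lines (hypothetical format and addresses).
SAMPLE_LOG_LINES = [
    "Jun 23 10:14:02 eds5000-plc3 httprpc: Failed login for 'operator1' from 10.20.1.15",
    "Jun 23 10:14:07 eds5000-plc3 httprpc: Failed login for ''; injected_cmd #' from 198.51.100.7",
    "Jun 23 10:14:09 eds5000-plc3 httprpc: Successful login for 'operator1' from 10.20.1.15",
    "Jun 23 10:14:12 eds5000-plc3 httprpc: Failed login for '" + "a" * 80 + "' from 198.51.100.7",
]

# Greedy .* so a username that itself contains quotes is captured whole.
FAILED_RE = re.compile(r"Failed login for '(?P<user>.*)' from (?P<src>\S+)$")

# Characters that let an unquoted or quote-escaped value change the shell
# command it is embedded in.
SHELL_META = set(";&|`$(){}<>'\"\\\n")
MAX_USERNAME_LEN = 64  # assumption; use your directory's real limit


@dataclass
class Finding:
    line_no: int
    source: str
    username: str
    reason: str


def scan_lines(lines) -> list[Finding]:
    """Return one Finding per failed-login line whose username looks like
    an injection attempt rather than a mistyped credential."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        m = FAILED_RE.search(line)
        if not m:
            continue
        user, src = m.group("user"), m.group("src")
        bad = "".join(sorted({c for c in user if c in SHELL_META}))
        if bad:
            findings.append(Finding(line_no, src, user,
                                    f"shell metacharacters in username: {bad}"))
        elif len(user) > MAX_USERNAME_LEN:
            findings.append(Finding(line_no, src, user,
                                    f"username length {len(user)} exceeds {MAX_USERNAME_LEN}"))
    return findings


def failures_by_source(lines) -> dict[str, int]:
    """Count failed logins per source address; a burst from one external
    address against an OT device is itself worth an alert."""
    counts: dict[str, int] = {}
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("src")] = counts.get(m.group("src"), 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LOG_LINES):
        print(f"line {f.line_no}: {f.source} -> {f.reason} ({f.username!r})")
    print(failures_by_source(SAMPLE_LOG_LINES))
```

In practice this runs over the syslog stream your SIEM already ingests; a hit on the metacharacter rule from any address is high-fidelity, because no legitimate operator types a quote and a semicolon into a username field.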

Q3: What is the BRIDGE:BREAK campaign?
A3: BRIDGE:BREAK is a set of 22 vulnerabilities initially disclosed by Forescout Research Vedere Labs in April 2026. It targets serial-to-IP converters from various vendors, including Lantronix and Silex, highlighting critical security flaws in devices that bridge legacy serial equipment with modern IP networks. CVE-2025-67038 is one of the critical vulnerabilities identified within this campaign.