External risk intelligence

Lantronix EDS5000 OS Injection Vulnerability Allows Root Command Execution.

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2025-67035

The device is a Lantronix EDS series terminal server, an infrastructure appliance intended for network-based management of serial devices. These gateways are frequently deployed in roles requiring network accessibility, often exposing management interfaces to facilitate administrative tasks, which increases the likelihood of exposure.

Code Injection

Lantronix Eds5032 Firmware

2.1.0.0r3

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified in Lantronix EDS devices, specifically impacting their SSH capabilities. This flaw allows for the injection of arbitrary commands with root privileges, posing a significant risk to system integrity and security.

  • Unsanitized input allows attackers to run commands as root.
  • Critical system control could be compromised remotely.
  • Confirm device exposure and evaluate related security controls.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this vulnerability by sending specially crafted input to the device over the network. This input targets the SSH Client or SSH Server settings, which lack proper validation. If successful, the attacker can inject and execute arbitrary commands with the highest level of system privileges, potentially leading to full system compromise.

  • Network access required.
  • Input unsanitized on SSH pages.
  • Full system control risk.

Live Threat

Current exploitation, exposure, and threat context

An unauthenticated attacker could inject arbitrary commands into the Lantronix EDS5000's SSH Client and Server pages when performing delete actions. This could allow for the execution of commands with root privileges on the affected system.

  • System commands could be executed.
  • Via missing input sanitization.
  • Full system compromise may occur.

Operational Fix

Recommended remediation, mitigation, and detection steps

The critical vulnerabilities in Lantronix EDS5000 devices impact devices with the specified firmware, often deployed as network-accessible infrastructure appliances for serial device management. Infrastructure and security teams should prioritize identifying all instances of this technology, assessing their network exposure and business criticality, and locating the accountable owner for remediation planning.

  • Identify affected devices and owners.
  • Verify network reachability and criticality.
  • Plan remediation based on risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the Lantronix EDS5000?

The Lantronix EDS5000 is an infrastructure appliance designed to act as a terminal server. It is primarily used to manage serial devices over a network, allowing organizations to connect and control legacy hardware or industrial equipment remotely through an IP-based interface.

What does CVE-2025-67035 mean for the device?

This vulnerability is classified as an OS command injection flaw (CWE-94). It occurs because the device fails to clean user-supplied input on its SSH management pages. Essentially, the software blindly trusts input strings, allowing an attacker to insert their own system commands that the device then executes with full root-level privileges.

How is this vulnerability triggered?

An attacker triggers this by interacting with specific 'delete' actions within the SSH Client or SSH Server configuration pages. By providing malicious input during these operations, they can force the system to execute unauthorized commands. The vulnerability does not require complex manipulation; it is triggered by sending crafted, unsanitized parameters through the device's web interface.

Is my Lantronix EDS5000 at risk?

According to Halo Surface Signal, these devices are infrastructure gateways often intentionally placed on networks to allow remote management. Because they are typically network-accessible, the risk of exposure is higher for units that allow web access from outside the immediate local environment. If your device is reachable via the network, it faces a significant risk of remote command execution.

What should I do if I use this hardware?

First, identify all deployed EDS5000 units in your environment and determine who manages them. Assess how these devices are positioned on your network to see if their management interfaces are exposed more broadly than necessary. Consult official Lantronix resources to confirm your firmware status and follow standard security practices for restricting access to sensitive management consoles.

References