External risk intelligence

Lantronix EDS3000PS TFTP Host Parameter Allows Root Command Execution

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2025-67041

The device is a terminal server/gateway designed for network management and connectivity, which are typically deployed as edge or infrastructure-facing appliances. The vulnerable component is part of a web-based management interface, which is commonly exposed to administrative networks or the internet for remote device access.

OS Command Injection

Lantronix Eds3016ps1ns Firmware

3.1.0.0r2

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory details a critical vulnerability in Lantronix EDS3000PS devices that could allow an unauthorized individual to execute arbitrary commands with root privileges by exploiting a flaw in the TFTP client's host parameter handling. The issue resides within the Filesystem Browser page of the affected technology.

  • Unsanitized input allows system command execution.
  • Critical flaw allows complete device compromise.
  • Confirm relevance and exposure for management devices.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this vulnerability by sending a specially crafted request to the TFTP client feature accessible through the device's web interface. Since no authentication is required and the TFTP client's host parameter is not properly checked, an attacker can inject commands. This allows them to execute arbitrary commands with root privileges on the affected device.

  • No authentication required.
  • Unsanitized TFTP client host parameter.
  • Arbitrary root command execution.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an unauthenticated attacker to execute arbitrary commands with root privileges on the affected device. This is possible when the TFTP client's host parameter in the Filesystem Browser page is manipulated to escape the intended command and inject malicious ones.

  • Arbitrary command execution with root privileges.
  • Network access to the vulnerable web interface.
  • System compromise and unauthorized control.

Operational Fix

Recommended remediation, mitigation, and detection steps

The Lantronix EDS3000PS device firmware contains a critical vulnerability that allows for remote code execution with root privileges. Given this is a network-attached appliance, infrastructure and network security teams are primarily responsible for managing its exposure and remediation. The first practical step is to identify all deployed instances of this device, confirm network reachability, and assess its business criticality to prioritize response.

  • Identify device owners and assess exposure.
  • Verify network access and impact.
  • Plan and execute vendor-coordinated remediation.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the Lantronix EDS3000PS?

The Lantronix EDS3000PS is a series of terminal servers and device gateways. These appliances are used to bridge legacy serial devices to modern IP networks, providing critical management and connectivity for infrastructure equipment. The affected firmware versions manage device settings through a built-in web interface, which includes tools like a Filesystem Browser for administrative tasks.

What does CWE-78 mean for CVE-2025-67041?

This vulnerability involves OS Command Injection, classified as CWE-78. It means the application takes input from a user—in this case, the host parameter in the TFTP client—and passes it to a system shell without cleaning it first. An attacker can manipulate this input to break out of the intended function and force the device to run unauthorized commands with root-level control.

How can an attacker trigger this command injection?

An attacker triggers this by sending a specially crafted request to the web-based Filesystem Browser page. Because the vulnerability does not require any prior authentication, the request can be sent by anyone who can reach the device's web interface. Simply navigating the interface normally will not trigger the bug; the attacker must intentionally send malicious, malformed data to the TFTP host field to force the command execution.

Do I need to worry if my device is internal?

Halo Surface Signal indicates that while these devices are often deployed on administrative networks, they are frequently exposed to broader network segments for remote management. If your device interface is accessible from a network where unauthorized parties could reach it, the risk is high. Even internal placement may not protect you if the management network is reachable by other compromised systems or segments.

What should I do first to address this?

Start by identifying all instances of the Lantronix EDS3000PS across your environment to understand your footprint. Once mapped, confirm whether the web management interface is reachable over the network and evaluate its necessity for remote access. Prioritize restricting network access to these interfaces immediately while coordinating with the vendor for available firmware updates.

References