CVE-2025-67038

CRITICAL(9.8)KEV — Aktiv ausgenutzt

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Risk Signal Score55/100 — HOCH

CVSS 9.8 — Kritisch
Im CISA KEV-Katalog (aktiv ausgenutzt)

Erwähnungen (letzte 60 Tage)

Artikel

CISA KEV

Bestätigt ausgenutzt

EPSS-Score

Exploit-Wahrscheinlichkeit (30 Tage)

CVSS Score

9.8

Technische Schwere

Beschreibung

An issue was discovered in Lantronix EDS5000 2.1.0.0R3. The HTTP RPC module executes a shell command to write logs when user's authantication fails. The username is directly concatenated with the command without any sanitization. This allow attackers to inject arbitrary OS commands into the username parameter. Injected commands are executed with root privileges.

Referenzen

http://eds5000.com
http://lantronix.com
https://www.cisa.gov/news-events/ics-advisories/icsa-26-069-02
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-...