A recent cybersecurity alert from CISA highlights a critical vulnerability in Lantronix's EDS5000 serial-to-IP converter devices, which can be exploited to execute arbitrary OS commands with root privileges. The flaw, tracked as CVE-2025-67038, was disclosed by Forescout in April and has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog.
What Happened
The vulnerability affects Lantronix EDS5000 serial-to-IP device servers, which enable organizations to remotely connect to and manage their serial devices. An unauthenticated attacker can inject arbitrary OS commands into a username parameter, leading to the execution of those commands with root privileges. This allows for full control of the device and potentially enables lateral movement within the network.
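The flaw described above is an OS command injection reaching the device through a username parameter. One compensating control an operator can put in place while patching is scheduled is to watch login traffic for usernames carrying shell metacharacters. The script below is an added example for this page, not Lantronix, Forescout or CISA code; it assumes the login request is an HTTP request logged in a common web-server access-log format with the username in a query parameter named "username" and a login path of "/login" (the page says nothing about the interface or the log format, so these are assumptions), and all log lines are constructed for illustration. It also decodes nested percent-encoding so that double-encoded metacharacters are not missed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (not captured from any real device).
# The "/login" path and the "username" parameter name are assumptions.
# Documentation-range IPs are used throughout.
SAMPLE_LOG = """\
203.0.113.10 - - [23/Jun/2026:10:01:02 +0000] "POST /login?username=operator&password=***** HTTP/1.1" 200 512
203.0.113.10 - - [23/Jun/2026:10:01:09 +0000] "POST /login?username=admin%3Bls&password=x HTTP/1.1" 200 33
198.51.100.7 - - [23/Jun/2026:10:02:41 +0000] "POST /login?username=%24%28id%29&password=x HTTP/1.1" 500 0
198.51.100.7 - - [23/Jun/2026:10:03:00 +0000] "GET /status HTTP/1.1" 200 2048
192.0.2.5 - - [23/Jun/2026:10:05:13 +0000] "POST /login?username=o%27neil&password=x HTTP/1.1" 401 0
192.0.2.9 - - [23/Jun/2026:10:07:44 +0000] "POST /login?username=a%257Cb&password=x HTTP/1.1" 200 10
"""

# Common log format: client, identd, user, [timestamp], "method target proto", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Characters that separate or substitute commands in a POSIX shell. Quotes are
# deliberately left out: they appear in legitimate names (O'Neil) and would
# produce noise without the other characters being present.
SHELL_META = set(";|&$`()<>\n")


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo nested percent-encoding until the value stops changing."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def username_from_target(target: str):
    """Return the raw 'username' query value from a request target, or None."""
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    values = params.get("username")
    return values[0] if values else None


def find_shell_metachars(value: str) -> list:
    """Sorted list of shell metacharacters present in the value."""
    return sorted(c for c in set(value) if c in SHELL_META)


def suspicious_logins(log_text: str, login_path: str = "/login") -> list:
    """Flag login requests whose decoded username contains shell metacharacters."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or urlsplit(m.group("target")).path != login_path:
            continue
        username = username_from_target(m.group("target"))
        if username is None:
            continue
        username = fully_decode(username)  # parse_qs decoded one layer already
        meta = find_shell_metachars(username)
        if meta:
            hits.append({
                "ip": m.group("ip"),
                "timestamp": m.group("ts"),
                "username": username,
                "status": int(m.group("status")),
                "metachars": meta,
            })
    return hits


if __name__ == "__main__":
    for hit in suspicious_logins(SAMPLE_LOG):
        print(f"{hit['timestamp']} {hit['ip']} status={hit['status']} "
              f"username={hit['username']!r} metachars={hit['metachars']}")
```

Against the constructed log the two plainly encoded injection attempts and the double-encoded one are reported, while the legitimate "o'neil" login is not. A hit with a 200 status on an unauthenticated path deserves the same urgency as a confirmed compromise: for this class of bug the request succeeding is the exploitation. In a real deployment the path and parameter name must be taken from the device's actual interface, and the rule belongs at the network boundary in front of the converter rather than on the converter itself.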
Cybersecurity firm Aviatrix has described a potential attack scenario involving CVE-2025-67038. Once an attacker exploits the vulnerability to execute code with root privileges, they can gain full control of the device. The compromised device serves as a foothold for the attacker to move laterally within the network, targeting other connected systems.
According to ZoomEye, thousands of internet-exposed Lantronix systems exist worldwide, with a majority located in the United States. However, it is unclear how many of these devices are vulnerable to attacks. Lantronix has not responded to SecurityWeek's request for comment regarding in-the-wild exploitation.
Background and Context
Serial-to-IP converters have been involved in several high-profile cyber-physical attack scenarios over the past decade. In 2015, Russian state-linked actors (Sandworm) attacked Ukrainian power infrastructure and Polish industrial entities using malicious firmware to "update" and ultimately "brick" serial-to-ethernet converters at victim sites.
The BRIDGE:BREAK vulnerabilities disclosed by Forescout in April affect widely deployed serial-to-IP converters manufactured by Lantronix and Silex Technology. The research identified approximately 20,000 affected devices reachable from the public internet across industrial, utility, transportation, and healthcare networks.
Why It Matters to the Industry
The vulnerability in Lantronix's EDS5000 serial-to-IP converter devices poses a significant risk to industrial and OT environments. Serial-to-ethernet converters are communication choke points for these environments, and exploitation can result in loss of control over downstream automation assets with physical consequences.
Operators of affected models should treat patching as an immediate-priority activity because of the high exposure counts, the trivially exploitable pre-authentication flaws, and the sensitive downstream device populations these converters serve. Together these factors raise the near-term risk of opportunistic scanning and mass exploitation once proof-of-concept code becomes public.
What Comes Next
CISA added CVE-2025-67038 to its KEV catalog on June 23, instructing federal agencies to address it by June 26. However, there do not appear to be any public reports describing the attacks exploiting the Lantronix product vulnerability. It's unclear if the attacks are aimed at industrial, healthcare, or other OT environments.
Operators of affected devices should prioritize patching. Because the high-availability requirements of industrial environments often prevent devices from being taken offline promptly, they should also implement compensating controls and contingency planning in the near term.
Key Facts
- CVE-2025-67038 is a vulnerability in Lantronix's EDS5000 serial-to-IP converter devices that can be exploited to execute arbitrary OS commands with root privileges.
- The flaw was disclosed by Forescout in April and has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog.
- Approximately 20,000 affected devices are reachable from the public internet across industrial, utility, transportation, and healthcare networks.
- The vulnerability affects Lantronix EDS5000 serial-to-IP device servers, which enable organizations to remotely connect to and manage their serial devices.
- CISA added CVE-2025-67038 to its KEV catalog on June 23, instructing federal agencies to address it by June 26.