CISA added CVE-2025-67038 to its Known Exploited Vulnerabilities catalog as of June 23, 2026. The vulnerability affects Lantronix EDS5000 devices and allows attackers to inject arbitrary operating system commands through the username parameter. Critically, injected commands execute with root privileges—the highest access level on Unix/Linux systems.
The Lantronix EDS5000 is a terminal server and device management platform commonly deployed in industrial control systems, data centers, and critical infrastructure environments where out-of-band management and serial console access are required. Root-level code execution on such devices represents significant risk: an attacker gaining this access could pivot to connected systems, alter configurations, disable monitoring, or maintain persistent backdoor access.
CISA's addition to the KEV catalog signals that this vulnerability is being actively exploited in the wild. The catalog documents vulnerabilities with confirmed public exploits and real-world abuse, meaning this is not a theoretical risk. The severity rating listed as "low" may reflect CVSS scoring methodology, but it should not be interpreted as low business or infrastructure impact. A code injection vulnerability with root execution on infrastructure management hardware warrants immediate attention regardless of the CVSS label.
What to watch: Monitor your environment for Lantronix EDS5000 devices still running unpatched firmware. Check vendor security advisories for available patches and firmware updates. If these devices exist in your network or supply chain, shorten your patching timelines for them. Additionally, watch for lateral movement attempts or suspicious command execution on systems reachable from compromised terminal servers; these devices often have privileged network access that makes them attractive pivot points.