"The HTTP RPC module executes a shell command to write logs when the user's authentication fails," according to the vulnerability's description on CVE.org.
CVE-2025-67038: a critical code-injection flaw in Lantronix EDS5000
CVE-2025-67038 (CVSS score: 9.8) is a code-injection vulnerability that affects Lantronix EDS5000 Series devices. The flaw stems from how the device's HTTP RPC module handles failed authentication: the username is concatenated directly into a shell command with no input sanitization. As CVE.org describes it, "The username is directly concatenated with the command without any sanitization. This allows attackers to inject arbitrary OS commands into the username parameter. Injected commands are executed with root privileges." That combination of unauthenticated input and root execution is why CISA classifies the issue as critical.
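The advisory's description boils down to a classic pattern: a username that should be data is handed to a shell as part of a command. The C below is an added illustration, not Lantronix code, of the hardened shape such a log routine should take (the username is written with stdio, never parsed by a shell) together with a small helper defenders can use to flag auth-log usernames containing shell metacharacters; the log path, field names and buffer sizes are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Illustrative hardened "log the failed login" routine (assumed, not vendor code).
   The flaw described above builds a shell command containing the username; here
   the username is only ever data written with stdio, so no shell parses it. */

/* Shell metacharacters that make a username worth a second look in auth logs. */
static const char SHELL_META[] = ";|&$`<>()\n\r";

/* Returns how many shell metacharacters appear in a username (0 = none). */
size_t count_shell_meta(const char *username) {
    size_t n = 0;
    for (const char *p = username; *p; p++)
        if (strchr(SHELL_META, *p)) n++;
    return n;
}

/* Copy username into out, replacing non-printable bytes (newlines used for
   log forging, other control characters) with '?', truncating to outlen-1. */
void sanitize_for_log(const char *in, char *out, size_t outlen) {
    size_t i = 0;
    for (; in[i] != '\0' && i + 1 < outlen; i++) {
        unsigned char c = (unsigned char)in[i];
        out[i] = (c < 0x20 || c > 0x7e) ? '?' : in[i];
    }
    out[i] = '\0';
}

/* Builds the log record in buf. Returns its length, or -1 if it would not fit. */
int format_auth_failure(const char *username, const char *src_ip,
                        char *buf, size_t buflen) {
    char clean[64];
    sanitize_for_log(username, clean, sizeof clean);
    int n = snprintf(buf, buflen, "auth-failure user=\"%s\" src=%s", clean, src_ip);
    return (n < 0 || (size_t)n >= buflen) ? -1 : n;
}

/* Appends the record to path. No system()/popen(): direct file I/O only. */
int log_auth_failure(const char *path, const char *username, const char *src_ip) {
    char line[256];
    if (format_auth_failure(username, src_ip, line, sizeof line) < 0) return -1;
    FILE *f = fopen(path, "a");
    if (!f) return -1;
    int rc = (fprintf(f, "%s\n", line) < 0) ? -1 : 0;
    return fclose(f) == 0 ? rc : -1;
}
```

Running `count_shell_meta` over the user field of existing auth logs is a cheap way to spot attempts to probe this class of bug; a non-zero count is not proof of exploitation, only a prompt to look closer.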
CISA advisory and the June 26, 2026 remediation deadline for FCEB agencies
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday warned that CVE-2025-67038 is being actively exploited and urged Federal Civilian Executive Branch (FCEB) agencies to apply available fixes by June 26, 2026. The advisory explicitly states that the vulnerability is under active exploitation, but notes there are currently no details on how the vulnerability is being exploited, or who is behind the activity.
BRIDGE:BREAK disclosure and the broader serial-to-IP converter context
Forescout Research Vedere Labs disclosed the vulnerability in April 2026 as part of a broader set of flaws codenamed BRIDGE:BREAK. That research identified issues affecting serial-to-IP converters from Lantronix and Silex. The inclusion of CVE-2025-67038 in BRIDGE:BREAK ties this critical Lantronix flaw to a set of product classes—serial-to-IP converters—that bridge operational-technology and information-technology networks, increasing the potential impact of successful exploitation.
Concurrent active exploitation of Ubiquiti UniFi OS and technical chain details
CISA's advisory on active exploitation arrived days after Defused Cyber reported in-the-wild abuse of a three-CVE chain in Ubiquiti UniFi OS. Those defects are:
- CVE-2026-34908 — an improper input validation vulnerability that could allow a malicious actor with access to the network to conduct command injection.
- CVE-2026-34909 — a path traversal vulnerability that could allow a malicious actor with access to the network to access files on the underlying system that could be manipulated to access an underlying account.
- CVE-2026-34910 — an improper access control vulnerability that could allow a malicious actor with access to the network to make unauthorized changes to the system.
Bishop Fox published a proof-of-concept earlier this month demonstrating a single-request chain that leverages those three shortcomings to obtain a reverse shell with full root privileges. Ubiquiti released patches for the three flaws late last month. Belgium's Centre for Cybersecurity warned that "The vulnerabilities could allow remote attackers to make unauthorized system changes, access sensitive files, disclose information, or execute arbitrary commands on vulnerable systems, highly impacting the confidentiality, integrity, and availability of targeted devices," and added that "Given that UniFi OS devices are often centrally integrated into networks, successful compromise could enable lateral movement and broader network compromise."
What this means for FCEB agencies, security teams, and network operators
- FCEB agencies: CISA has set a June 26, 2026 deadline to apply the fixes for CVE-2025-67038, making immediate patch validation and deployment the operational priority cited in the advisory.
- Security teams and network operators: The combination of active exploitation, root-privilege command execution, and central integration of devices like UniFi OS means teams must prioritize inventorying affected Lantronix and UniFi OS devices, apply vendor fixes, and monitor for signs of lateral movement.
- Affected enterprises and procurement leaders: Because BRIDGE:BREAK targets serial-to-IP converters used to bridge networks, purchasers and asset owners should re-evaluate devices that provide out-of-band or serial bridging functions and confirm patches or mitigations are in place.
Two threads run through the advisory: multiple high-severity vulnerabilities are being exploited in the wild, and at least one enables arbitrary commands as root. CISA's deadline for FCEB agencies, the public disclosure timeline from Forescout Research Vedere Labs, and Bishop Fox's proof-of-concept for the UniFi chain all point to a narrow window for defenders to act. There are currently no details on the actors or the exploitation techniques in the wild for the Lantronix flaw, leaving agencies and operators to assume active exploitation until forensic evidence indicates otherwise.