Severity score: 9.8
Lantronix EDS5000 allows remote code execution through username field
CVE-2025-67038
Summary
Lantronix EDS5000 2.1.0.0R3 has a security flaw that lets an attacker execute commands on the device by manipulating the username field when authentication fails. This means an attacker could potentially take control of the device. To protect your device, apply the latest updates so that it runs the latest software version.
Original title
An issue was discovered in Lantronix EDS5000 2.1.0.0R3. The HTTP RPC module executes a shell command to write logs when a user's authentication fails. The username is directly concatenated with the c...
Original description
An issue was discovered in Lantronix EDS5000 2.1.0.0R3. The HTTP RPC module executes a shell command to write logs when a user's authentication fails. The username is directly concatenated with the command without any sanitization. This allows attackers to inject arbitrary OS commands into the username parameter. Injected commands are executed with root privileges.
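The flaw class described above, shown as an added example that is not Lantronix code: a failed-login logger that builds a shell command from the username, next to a form that writes the record directly and never invokes a shell. The function names, the log path, the message format and the allowlist `[A-Za-z0-9._@-]` are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* All names and the log path are hypothetical; this is not Lantronix code. */

/* Pattern from the description: the username is pasted into a shell command
 * line, so the shell parses it as syntax. Built here for contrast only;
 * the string is never executed. */
int build_log_cmd_unsafe(char *cmd, size_t n, const char *user) {
    return snprintf(cmd, n, "echo \"login failed: %s\" >> /var/log/auth.log", user);
}

/* Copy user into out, keeping only [A-Za-z0-9._@-]; any other byte becomes
 * '?'. Truncates to outsz-1 bytes. Returns the number of bytes replaced. */
int sanitize_username(const char *user, char *out, size_t outsz) {
    int replaced = 0;
    size_t i = 0;
    if (outsz == 0) return -1;
    for (; user[i] != '\0' && i + 1 < outsz; i++) {
        unsigned char c = (unsigned char)user[i];
        if (isalnum(c) || c == '.' || c == '_' || c == '@' || c == '-') {
            out[i] = (char)c;
        } else {
            out[i] = '?';
            replaced++;
        }
    }
    out[i] = '\0';
    return replaced;
}

/* Hardened form: write the record with stdio. No shell is involved, so the
 * username is only ever data. Returns bytes replaced, or -1 on error. */
int log_auth_failure(FILE *fp, const char *user) {
    char clean[64];
    int replaced = sanitize_username(user, clean, sizeof clean);
    if (replaced < 0 || fprintf(fp, "login failed: user=\"%s\"\n", clean) < 0)
        return -1;
    return replaced;
}

int main(void) {
    /* Constructed sample username containing shell metacharacters. */
    return log_auth_failure(stderr, "alice;$(x)") < 0;
}
```

Removing the shell from the logging path is what closes the injection; the allowlist additionally keeps newlines and quotes out of the log record itself.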
Vulnerability type
CWE-94
Code Injection
Published: 11 Mar 2026 · Updated: 13 Mar 2026 · First seen: 11 Mar 2026