An issue was discovered in Lantronix EDS5000 2.1.0.0R3. The HTTP RPC module executes a shell command to write logs when user's authantication fails. The username is directly concatenated with the command without any sanitization. This allow attackers to inject arbitrary OS commands into the username parameter. Injected commands are executed with root privileges.

Metrics

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

Affected Vendors & Products

No data.

No data.

No data.

No data.

References
Link Providers
http://eds5000.com cve-icon cve-icon
http://lantronix.com cve-icon cve-icon
https://www.cisa.gov/news-events/ics-advisories/icsa-26-069-02 cve-icon cve-icon
History

Wed, 11 Mar 2026 16:30:00 +0000

Type Values Removed Values Added
Description An issue was discovered in Lantronix EDS5000 2.1.0.0R3. The HTTP RPC module executes a shell command to write logs when user's authantication fails. The username is directly concatenated with the command without any sanitization. This allow attackers to inject arbitrary OS commands into the username parameter. Injected commands are executed with root privileges.
References
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-11T16:12:30.541Z

Reserved: 2025-12-08T00:00:00.000Z

Link: CVE-2025-67038

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-03-11T17:16:52.010

Modified: 2026-03-11T17:16:52.010

Link: CVE-2025-67038

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.