PROBABLYPWNED
Vulnerabilities | June 26, 2026 | 4 min read

Lantronix EDS5000 Flaw Exploited in Attacks — Patch Due Today

CISA confirms active exploitation of CVE-2025-67038 (CVSS 9.8) in Lantronix EDS5000 serial-to-IP devices. The command injection flaw grants root access. Federal deadline is June 26.

Marcus Chen

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning that attackers are actively exploiting a critical command injection vulnerability in Lantronix EDS5000 serial-to-IP device servers. The flaw, tracked as CVE-2025-67038, carries a CVSS score of 9.8 and allows unauthenticated attackers to execute arbitrary commands with root privileges.

Federal agencies have until today—June 26, 2026—to apply patches under CISA's Known Exploited Vulnerabilities directive.

What Makes This Vulnerability Dangerous

The EDS5000 series functions as a bridge between legacy serial equipment—PLCs, RTUs, sensors, and other operational technology assets—and modern IP networks. That positioning places the device directly in the communication path between industrial control systems and enterprise IT environments.

The vulnerability exists in the HTTP RPC authentication module. When a user submits a login request that fails, the system logs the attempt by concatenating the username directly into a shell command. No sanitization. No escaping. An attacker sends a crafted username containing shell metacharacters, and the device executes whatever commands they embed.

The attack targets the /cgi-bin/luci/rpc/auth endpoint. Because the service runs with root privileges, successful exploitation grants complete control over the device—firmware modification, traffic interception, lateral movement into connected industrial systems.

Exploitation Started Before Disclosure

Lantronix released firmware version 2.2.0.0R1 on February 20, 2026, patching the vulnerability. Threat actors likely reverse-engineered the fix to develop working exploits.

According to threat intelligence from Dataminr, exploitation activity was observed as early as April 5, 2026—two months before CISA added the flaw to its KEV catalog on June 23. That timeline suggests attackers had a significant head start on organizations that delayed patching.

Shadowserver Foundation tracking indicates approximately 31,850 internet-exposed EDS5000 devices are running vulnerable firmware. The actual attack surface may be larger when counting devices accessible through VPNs or internal networks.

Who Should Be Concerned

The EDS5000 is deployed across multiple critical infrastructure sectors:

  • Energy: Substations and power generation facilities use serial-to-IP converters to modernize legacy SCADA equipment
  • Water and wastewater: Treatment plants rely on these devices to connect older PLCs to monitoring systems
  • Manufacturing: Production lines with aging serial equipment use the EDS5000 to enable remote management

This vulnerability compounds recent concerns about Iranian-linked threat actors targeting PLCs in U.S. critical infrastructure. The CyberAv3ngers group has demonstrated persistent interest in disrupting operational technology environments, and serial-to-IP converters represent an attractive pivot point.

Organizations running Fortinet and other perimeter devices should audit their OT network architecture—serial converters often fly under the radar during vulnerability assessments.

Recommended Actions

1. Apply the patch immediately

Update to EDS5000 firmware version 2.2.0.0R1 or later. Lantronix provides updates through their support portal.

2. Audit network exposure

Identify all internet-facing EDS5000 devices. These should never be directly accessible from the public internet. Use firewall rules to restrict access to authorized management stations.

3. Implement network segmentation

EDS5000 devices should reside in isolated OT network segments with strict access controls. Monitor traffic crossing the IT/OT boundary for anomalous patterns.

4. Change default credentials

The vulnerability allows unauthenticated exploitation, but defense-in-depth requires replacing any default passwords. Weak credentials provide attackers additional persistence options after initial compromise.

5. Review logs for indicators

Search HTTP access logs for malformed usernames targeting the /cgi-bin/luci/rpc/auth endpoint. Shell metacharacters like semicolons, pipes, or backticks in username fields indicate exploitation attempts.
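The log review in step 5, as an added example that is not part of the original article: a small Python scanner that flags login attempts against the /cgi-bin/luci/rpc/auth endpoint whose username contains shell metacharacters. The log line layout (client IP, timestamp, method, path, quoted username, status) is a constructed format for illustration, not the EDS5000's own log format; percent-encoded usernames are decoded before checking so an encoded semicolon is caught as well as a literal one.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (not captured from a real device).
SAMPLE_LOG = """\
10.0.0.5 2026-06-24T08:01:12Z POST /cgi-bin/luci/rpc/auth user="operator" status=401
10.0.0.9 2026-06-24T08:02:40Z POST /cgi-bin/luci/rpc/auth user="admin%3Bx" status=401
10.0.0.9 2026-06-24T08:02:41Z POST /cgi-bin/luci/rpc/auth user="x`y`" status=401
10.0.0.7 2026-06-24T08:03:00Z GET /cgi-bin/luci/rpc/uci user="a|b" status=200
10.0.0.5 2026-06-24T08:04:10Z POST /cgi-bin/luci/rpc/auth user="operator" status=200
"""

AUTH_PATH = "/cgi-bin/luci/rpc/auth"
# Characters a shell treats specially and that have no place in a username.
# The article names semicolons, pipes and backticks; the rest are the other
# common ones worth flagging.
META = set(";|`$&<>()\n")

LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ts>\S+) (?P<method>\S+) (?P<path>\S+) '
    r'user="(?P<user>[^"]*)" status=(?P<status>\d+)$'
)

def parse_line(line):
    """Parse one line of the constructed format; None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def suspicious_chars(username):
    """Return the sorted shell metacharacters present after URL-decoding."""
    decoded = unquote(username)
    return sorted(c for c in set(decoded) if c in META)

def scan_log(text):
    """Return findings for auth-endpoint requests with metacharacters in the username."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        # Only the authentication endpoint is in scope; strip any query string.
        if rec is None or rec["path"].split("?")[0] != AUTH_PATH:
            continue
        bad = suspicious_chars(rec["user"])
        if bad:
            findings.append({"ip": rec["ip"], "ts": rec["ts"],
                             "user": rec["user"], "chars": bad})
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} username={f['user']!r} metachars={f['chars']}")
```

Adapt `LINE_RE` to the real log format before use; the request to the non-auth endpoint in the sample is deliberately ignored so the output stays focused on the vulnerable code path.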

The Bigger Picture

Serial-to-IP converters occupy an awkward position in many industrial environments. They're often treated as network infrastructure rather than computing assets, which means they escape routine vulnerability scanning and patch management cycles.

This incident reinforces why asset inventory remains foundational to OT security. You can't patch what you don't know exists. Organizations with industrial control system exposure should verify their asset management includes these translation devices—not just the PLCs and RTUs they connect.

The June 26 deadline applies to Federal Civilian Executive Branch agencies under Binding Operational Directive 26-04. Private sector organizations aren't legally bound by CISA timelines, but the active exploitation status makes immediate patching a business imperative regardless of regulatory requirements.
