CVE-2025-67038: Lantronix EDS5000 Code Injection Vulnerability (CISA KEV)

CISA Known Exploited Vulnerability (KEV): Added to the CISA KEV Catalog on June 23, 2026. Action due June 26, 2026. BOD 26-04 3-day patch mandate applies.

CVE: CVE-2025-67038 | CVSS 3.1: Awaiting NVD analysis | CWE: Code Injection | Vendor: Lantronix | Product: EDS5000 Device Server


What Is the Vulnerability

The Lantronix EDS5000 Device Server contains a code injection vulnerability that allows network-based attackers to compromise the device. The EDS5000 is an industrial-grade device server that bridges legacy serial equipment—such as PLCs, RTUs, sensors, and other operational technology (OT) assets—to IP networks. This places it directly in the critical communication path between industrial control systems (ICS) and enterprise IT environments.

A code injection flaw means an attacker can supply malicious input that the EDS5000 interprets and executes as code. Successful exploitation grants the attacker control over the device itself, enabling them to intercept or manipulate serial data streams, pivot deeper into connected OT networks, and bridge the air gap between enterprise and industrial segments. The attack is network-based, requiring no physical access to the device.

Given the EDS5000’s role as a protocol bridge, a compromised device server is not just a foothold—it is a privileged vantage point for monitoring, manipulating, or disrupting industrial processes. This makes CVE-2025-67038 a high-impact vulnerability for any organization running ICS/OT infrastructure, including manufacturing, energy, water utilities, transportation, and building automation.


Versions Affected

  • Lantronix EDS5000 Device Server — firmware versions prior to the patched release from Lantronix
  • Exact affected version ranges to be confirmed in the Lantronix security advisory

Exploited?

YES — Actively exploited in the wild. CISA added CVE-2025-67038 to the KEV Catalog on June 23, 2026, confirming that threat actors are actively exploiting this code injection vulnerability against internet-facing and network-accessible EDS5000 devices. The EDS5000’s position as a serial-to-IP bridge inside OT/ICS environments makes it a particularly dangerous target: exploitation can expose legacy industrial equipment—never designed for network security—to remote attackers. Organizations with EDS5000 devices bridging serial OT assets to IP networks should treat this as an active incident and act immediately.


Fix

Lantronix has released a firmware update that addresses the code injection vulnerability in the EDS5000 Device Server. All affected devices must be patched immediately—CISA mandates action by June 26, 2026, under BOD 26-04.

  • Apply the latest firmware update from the Lantronix security advisory to all EDS5000 devices
  • If patching is not immediately possible, isolate EDS5000 devices from untrusted networks—place them on a dedicated, firewalled management segment with no internet exposure
  • Verify that the EDS5000 administrative interface is not reachable from the internet; use Shodan or similar tools to audit external exposure
  • After patching, validate firmware version and review device logs for signs of prior compromise

Recommendations

  • Patch all Lantronix EDS5000 devices to the latest firmware immediately—no later than June 26, 2026 (CISA 3-day mandate)
  • Remove any internet-facing EDS5000 administrative interfaces; these devices should never be exposed to the public internet
  • Segment OT device servers onto isolated VLANs with strict access control lists (ACLs) between IT and OT zones
  • Conduct a full compromise assessment: examine EDS5000 configurations, connected serial devices, and network traffic patterns for anomalies
  • Inventory all serial-to-IP bridges in your OT environment to identify any additional unpatched Lantronix or similar devices
  • Implement network monitoring for unusual traffic to and from device servers, particularly unexpected outbound connections
  • Review the CISA KEV Catalog regularly for new additions affecting ICS/OT assets
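The monitoring and segmentation recommendations above boil down to one rule: a serial-to-IP bridge should only ever talk to a short, known list of SCADA and engineering hosts, and never to anything outside the plant address space. The following is an added example (not code from the advisory, CISA or Lantronix) of an allowlist check over constructed flow records; the device-server inventory, IP addresses and ports are hypothetical.

```python
"""Flag unexpected connections involving serial-to-IP device servers.

Added example, not part of the original advisory. Each device server is
paired with the peers it is allowed to talk to; any flow touching a device
server with an unlisted peer is reported, and outbound flows to addresses
outside RFC1918 space are called out separately.
"""
import ipaddress
from typing import Dict, List, Set, Tuple

# Hypothetical inventory: device server IP -> peers it may legitimately talk to.
DEVICE_SERVERS: Dict[str, Set[str]] = {
    "10.20.5.11": {"10.20.1.10", "10.20.1.11"},  # SCADA server, historian
    "10.20.5.12": {"10.20.1.10"},                 # SCADA server only
}

# Constructed flow records (src_ip, dst_ip, dst_port, bytes); not real traffic.
SAMPLE_FLOWS: List[Tuple[str, str, int, int]] = [
    ("10.20.1.10", "10.20.5.11", 10001, 820),    # SCADA polling the bridge: expected
    ("10.20.5.11", "10.20.1.11", 502, 1200),     # bridge -> historian: expected
    ("10.20.5.11", "203.0.113.45", 443, 51200),  # bridge -> external host: unexpected
    ("10.20.5.12", "10.20.7.200", 22, 4096),     # bridge -> unlisted internal host
    ("10.20.1.10", "10.20.1.11", 5432, 300),     # IT-to-IT traffic, no device server
]

# Plant address space is assumed to be RFC1918; anything else counts as external.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    """True if the address falls inside the RFC1918 ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def find_anomalies(flows, inventory=DEVICE_SERVERS):
    """Return (device_server, peer, dst_port, reason) for each flow that touches
    a device server with a peer missing from that server's allowlist."""
    findings = []
    for src, dst, port, _ in flows:
        for dev, peer in ((src, dst), (dst, src)):
            if dev not in inventory or peer in inventory[dev]:
                continue
            reason = ("outbound to external address"
                      if dev == src and not is_internal(dst)
                      else "peer not on allowlist")
            findings.append((dev, peer, port, reason))
            break  # report each flow once even if both ends are device servers
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(SAMPLE_FLOWS):
        print("ALERT device_server=%s peer=%s port=%d reason=%s" % finding)
```

In practice the inventory would come from the asset list built under the "Inventory all serial-to-IP bridges" step, and the flows from firewall or NetFlow exports at the IT/OT boundary.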

References

This is a CISA Known Exploited Vulnerability (KEV) advisory. KEV status is indicated in the title, opening callout, and Exploited section per editorial policy. Part of the Vulnerability Intelligence series on threat-modeling.com.
