CVE-2025-67038 Lantronix EDS5000 Code Injection Exploitation
Detects exploitation attempts targeting CVE-2025-67038, a code injection vulnerability (CWE-78/CWE-94) in Lantronix EDS5000 series device servers. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog and allows attackers to inject OS commands or code through the device management interface. The EDS5000 series includes EDS5008, EDS5016, and EDS5032 models commonly deployed as serial-to-network device servers in industrial and enterprise environments.
Vulnerability Intelligence
KEV — Known Exploited
Affected Software
- Vendor
- Lantronix
- Product
- EDS5000
Timeline
- Disclosed
- June 23, 2026
References & Proof of Concept
- https://ltrxdev.atlassian.net/wiki/spaces/LTRXTS/pages/2538438657/Latest+Firmware+for+the+EDS5000+series+EDS5008+EDS5016+EDS5032
- https://www.cisa.gov/news-events/directives/bod-26-04-prioritizing-security-updates-based-risk
- https://www.cisa.gov/news-events/directives/bod-26-04-implementation-guidance-prioritizing-security-updates-based-risk
- https://nvd.nist.gov/vuln/detail/CVE-2025-67038
What is CVE-2025-67038 Lantronix EDS5000 Code Injection Exploitation?
CVE-2025-67038 Lantronix EDS5000 Code Injection Exploitation maps to the MITRE ATT&CK tactics Initial Access, Execution, and Lateral Movement: the adversary is trying to get into your network and run code on the device.
This page provides production-ready detection logic for CVE-2025-67038 Lantronix EDS5000 Code Injection Exploitation, covering the data sources and telemetry it touches: Microsoft Defender for Endpoint, Azure Firewall, Common Security Log (CEF), Network Security Groups. The queries below are rated critical severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.
MITRE ATT&CK
```kql
// CVE-2025-67038: OS command / code injection attempts against Lantronix EDS5000 management interfaces.
// Optional allow-list of known EDS5000 device addresses; leave empty to inspect all destinations.
let eds5000_ips = dynamic([]);
// Shell metacharacters, their URL-encoded forms, and traversal sequences seen in injection attempts.
let suspicious_patterns = dynamic(['cmd=', 'exec=', 'command=', ';ls', ';id', ';cat', '|sh', '|bash', '`', '%60', '%3B', '%7C', '../', '..%2F']);
let timeframe = 1h;
union DeviceNetworkEvents, CommonSecurityLog, AzureActivity
| where TimeGenerated >= ago(timeframe)
// Normalise the destination port across Defender (RemotePort) and CEF (DestinationPort / DeviceCustomNumber1).
| extend DestPort = coalesce(RemotePort, DestinationPort, toint(DeviceCustomNumber1))
// Common EDS5000 management ports: HTTP/HTTPS, alternate HTTP, Lantronix setup (9999) and discovery (30718).
| where DestPort in (80, 443, 8080, 9999, 30718)
// Normalise the requested URL across Defender (RemoteUrl) and CEF fields.
| extend RequestURL = coalesce(RemoteUrl, RequestURL, DestinationServiceName, tostring(AdditionalExtensions))
| where RequestURL has_any (suspicious_patterns)
    or (RequestURL has_any ('/cgi-bin/', '/admin/', '/manage/') and RequestURL has_any ('=', '?'))
| extend SourceIP = coalesce(LocalIP, SourceIP, DeviceAddress, CallerIpAddress)
| extend DestIP = coalesce(RemoteIP, DestinationIP, DeviceTranslatedAddress)
// Apply the device allow-list only when it has been populated.
| where array_length(eds5000_ips) == 0 or DestIP in (eds5000_ips)
| project TimeGenerated, SourceIP, DestIP, DestPort, RequestURL, DeviceVendor, DeviceProduct, Activity
// Tier the score: raw shell metacharacters highest, URL-encoded forms next, traversal alone lowest.
| extend RiskScore = case(
    RequestURL has_any (';id', ';ls', '|sh', '|bash', '`'), 90,
    RequestURL has_any ('%3B', '%7C', '%60'), 80,
    RequestURL has_any ('../', '..%2F'), 70,
    50
)
| where RiskScore >= 50
| order by RiskScore desc, TimeGenerated desc
```
Detects HTTP/HTTPS requests to Lantronix EDS5000 management interfaces containing OS command injection patterns consistent with CVE-2025-67038 exploitation. Monitors network events and firewall logs for requests to common EDS5000 management ports with suspicious parameter values.
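To check the scoring tiers offline before deploying the query, the same port filter, pattern match and RiskScore tiers are re-implemented below in Python and run over constructed CEF lines. This is an added example, not the page's own code or the vendor's; the vendor/product names and addresses in the sample lines are placeholders, and substring matching stands in for KQL has_any.

```python
import re

# Ports, patterns and paths mirror the KQL query on this page.
EDS5000_MGMT_PORTS = {80, 443, 8080, 9999, 30718}
SUSPICIOUS_PATTERNS = ['cmd=', 'exec=', 'command=', ';ls', ';id', ';cat', '|sh', '|bash',
                       '`', '%60', '%3B', '%7C', '../', '..%2F']
MGMT_PATHS = ['/cgi-bin/', '/admin/', '/manage/']

# Constructed sample CEF lines (placeholder vendor/product, not real telemetry).
SAMPLE_CEF = [
    "CEF:0|ExampleVendor|ExampleFW|1.0|100|http|5|src=10.0.0.5 dst=10.0.1.20 dpt=80 request=/cgi-bin/config.cgi?cmd=;id",
    "CEF:0|ExampleVendor|ExampleFW|1.0|100|http|5|src=10.0.0.6 dst=10.0.1.20 dpt=80 request=/admin/set.cgi?host=1%3Bls",
    "CEF:0|ExampleVendor|ExampleFW|1.0|100|http|5|src=10.0.0.7 dst=10.0.1.20 dpt=80 request=/manage/../cgi-bin/x.cgi?cmd=id",
    "CEF:0|ExampleVendor|ExampleFW|1.0|100|http|5|src=10.0.0.8 dst=10.0.1.20 dpt=80 request=/index.html",
    "CEF:0|ExampleVendor|ExampleFW|1.0|100|http|5|src=10.0.0.9 dst=10.0.1.21 dpt=22 request=/cgi-bin/x.cgi?cmd=;id",
]

def parse_cef_extensions(line: str) -> dict:
    """Return key=value pairs from the CEF extension (text after the seventh '|')."""
    ext = line.split('|', 7)[-1]
    return dict(re.findall(r'(\w+)=(\S+)', ext))

def risk_score(url: str) -> int:
    """Same tiers as the KQL case(): raw metacharacters 90, URL-encoded 80, traversal 70, else 50."""
    if any(p in url for p in (';id', ';ls', '|sh', '|bash', '`')):
        return 90
    if any(p in url for p in ('%3B', '%7C', '%60')):
        return 80
    if any(p in url for p in ('../', '..%2F')):
        return 70
    return 50

def evaluate(line: str):
    """Return (src, dst, port, url, score) when the line matches the detection, else None."""
    f = parse_cef_extensions(line)
    port, url = int(f.get('dpt', 0)), f.get('request', '')
    if port not in EDS5000_MGMT_PORTS:
        return None                      # not an EDS5000 management port
    hit = any(p in url for p in SUSPICIOUS_PATTERNS) or \
        (any(p in url for p in MGMT_PATHS) and ('=' in url or '?' in url))
    return (f.get('src'), f.get('dst'), port, url, risk_score(url)) if hit else None

def run_detection(lines):
    """Apply the detection to every line; hits come back ordered by RiskScore desc like the KQL."""
    hits = [r for r in (evaluate(l) for l in lines) if r]
    return sorted(hits, key=lambda r: -r[4])

if __name__ == "__main__":
    for hit in run_detection(SAMPLE_CEF):
        print(hit)
```

The three matching lines mirror the expected signals of Tests 1, 2 and 4 in the Testing Methodology section; the plain page load and the port-22 request are correctly ignored.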
Data Sources
Required Tables
False Positives
- Legitimate administrators running diagnostic commands via the web interface
- Vulnerability scanners performing authorized assessments against EDS5000 devices
- Application monitoring tools that make routine management API calls with encoded characters
- Firmware update processes that may use unusual URL parameters
Sigma rule & cross-platform mapping
The detection logic for CVE-2025-67038 Lantronix EDS5000 Code Injection Exploitation (CVE-2025-67038) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native queries for KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, YARA-L (Google Chronicle / SecOps), and CrowdStrike LogScale (CQL). In Sigma terms, this detection targets the following logsource:
```yaml
logsource:
  category: network_connection
  product: windows
```
Browse the community-maintained Sigma rules for this technique:
Platform-specific guides for CVE-2025-67038
References (4)
- https://nvd.nist.gov/vuln/detail/CVE-2025-67038
- https://ltrxdev.atlassian.net/wiki/spaces/LTRXTS/pages/2538438657/Latest+Firmware+for+the+EDS5000+series+EDS5008+EDS5016+EDS5032
- https://www.cisa.gov/news-events/directives/bod-26-04-prioritizing-security-updates-based-risk
- https://www.cisa.gov/news-events/directives/bod-26-04-implementation-guidance-prioritizing-security-updates-based-risk
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: CVE-2025-67038 GET-based OS command injection probe
  Expected signal: HTTP request to port 80 with URI containing '/cgi-bin/config.cgi' and query string containing ';id' should appear in firewall, proxy, or web server logs
- Test 2: CVE-2025-67038 URL-encoded command injection bypass attempt
  Expected signal: HTTP GET request to port 80 containing '%3B' in the query string targeting an admin management path
- Test 3: CVE-2025-67038 POST-body code injection simulation
  Expected signal: HTTP POST request to port 80 targeting '/manage/apply.cgi' with POST body containing ';wget' command injection; captured in proxy or WAF logs only if POST body inspection is enabled
- Test 4: CVE-2025-67038 path traversal combined with injection
  Expected signal: HTTP GET request containing '../' path traversal sequences combined with a 'cmd=id' injection parameter targeting an EDS5000 management port
Unlock Pro Content
Get the full detection package for CVE-2025-67038 including response playbook, investigation guide, and atomic red team tests.