Detect CVE-2025-67038 Lantronix EDS5000 Code Injection Exploitation in Google Chronicle
Detects exploitation attempts targeting CVE-2025-67038, a code injection vulnerability (CWE-78/CWE-94) in Lantronix EDS5000 series device servers. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog and allows attackers to inject OS commands or code through the device management interface. The EDS5000 series includes EDS5008, EDS5016, and EDS5032 models commonly deployed as serial-to-network device servers in industrial and enterprise environments.
MITRE ATT&CK
YARA-L Detection Query
rule cve_2025_67038_lantronix_eds5000_injection {
meta:
author = "df00tech Detection Engineering"
description = "Detects CVE-2025-67038 code injection exploitation against Lantronix EDS5000 series"
severity = "CRITICAL"
priority = "HIGH"
reference = "https://nvd.nist.gov/vuln/detail/CVE-2025-67038"
created = "2026-06-23"
events:
$req.metadata.event_type = "NETWORK_HTTP"
$req.target.port in (80, 443, 8080, 9999, 30718)
(
re.regex($req.network.http.request_url, `(?i)/(cgi-bin|admin|manage|config)/`)
)
(
re.regex($req.network.http.request_url, `;(ls|id|cat|pwd|whoami|wget|curl|nc |sh|bash)`) or
re.regex($req.network.http.request_url, `\|(ls|id|sh|bash|python|perl)`) or
re.regex($req.network.http.request_url, `(%3B|%7C|%60|%24%28)`) or
re.regex($req.network.http.request_url, `\.\./`)
)
condition:
$req
}Chronicle YARA-L rule detecting CVE-2025-67038 exploitation attempts against Lantronix EDS5000 management interfaces. Identifies command injection payloads in HTTP request URLs targeting management paths.
Data Sources
Required Tables
False Positives & Tuning
- Authorized penetration testing against EDS5000 infrastructure
- Legitimate administrative scripts using special characters in management URLs
- Security scanning tools performing compliance checks
- Encoded characters in valid configuration management API calls
Other platforms for CVE-2025-67038
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1CVE-2025-67038 GET-based OS command injection probe
Expected signal: HTTP request to port 80 with URI containing '/cgi-bin/config.cgi' and query string containing ';id' should appear in firewall, proxy, or web server logs
- Test 2CVE-2025-67038 URL-encoded command injection bypass attempt
Expected signal: HTTP GET request to port 80 containing '%3B' in the query string targeting an admin management path
- Test 3CVE-2025-67038 POST-body code injection simulation
Expected signal: HTTP POST request to port 80 targeting '/manage/apply.cgi' with POST body containing ';wget' command injection — captured in proxy or WAF logs if POST body inspection is enabled
- Test 4CVE-2025-67038 path traversal combined with injection
Expected signal: HTTP GET request containing '../' path traversal sequences combined with 'cmd=id' injection parameter targeting EDS5000 management port
References (4)
- https://nvd.nist.gov/vuln/detail/CVE-2025-67038
- https://ltrxdev.atlassian.net/wiki/spaces/LTRXTS/pages/2538438657/Latest+Firmware+for+the+EDS5000+series+EDS5008+EDS5016+EDS5032
- https://www.cisa.gov/news-events/directives/bod-26-04-prioritizing-security-updates-based-risk
- https://www.cisa.gov/news-events/directives/bod-26-04-implementation-guidance-prioritizing-security-updates-based-risk
Unlock Pro Content
Get the full detection package for CVE-2025-67038 including response playbook, investigation guide, and atomic red team tests.