CVE-2025-67038 Elastic Security · Elastic

Detect CVE-2025-67038 Lantronix EDS5000 Code Injection Exploitation in Elastic Security

Detects exploitation attempts targeting CVE-2025-67038, a code injection vulnerability (CWE-78/CWE-94) in Lantronix EDS5000 series device servers. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog and allows attackers to inject OS commands or code through the device management interface. The EDS5000 series includes EDS5008, EDS5016, and EDS5032 models commonly deployed as serial-to-network device servers in industrial and enterprise environments.

MITRE ATT&CK

Tactic
Initial Access Execution Lateral Movement

Elastic Detection Query

Elastic Security (Elastic)
eql 
sequence by source.ip with maxspan=5m
  [network where destination.port in (80, 443, 8080, 9999, 30718)
   and (
     url.path like~ "*/cgi-bin/*" or
     url.path like~ "*/admin/*" or
     url.path like~ "*/manage/*" or
     url.path like~ "*/config/*"
   )
   and (
     url.query like~ "*;*" or
     url.query like~ "*|*" or
     url.query like~ "*`*" or
     url.query like~ "*%3B*" or
     url.query like~ "*%7C*" or
     url.query like~ "*%60*" or
     url.full like~ "*../"
   )
  ]
  [network where destination.port in (80, 443, 8080, 9999, 30718)
   and event.action in ("connection_attempted", "connection_accepted")
  ]
critical severity medium confidence

EQL sequence query detecting CVE-2025-67038 exploitation attempts — correlates initial injection request to Lantronix EDS5000 management endpoints with subsequent network activity from the same source IP within a 5-minute window.

Data Sources

Elastic EndpointPacketbeatFilebeat (Apache/Nginx module)

Required Tables

logs-network.*logs-endpoint.events.network-*logs-*

False Positives & Tuning

  • Automated IT management tools making batch API calls with special characters
  • Security scanners running authorized assessments against EDS5000 fleet
  • Legitimate URL encoding in management console operations
  • DevOps pipelines that interact with device APIs using shell-like syntax

Other platforms for CVE-2025-67038

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1CVE-2025-67038 GET-based OS command injection probe

    Expected signal: HTTP request to port 80 with URI containing '/cgi-bin/config.cgi' and query string containing ';id' should appear in firewall, proxy, or web server logs

  2. Test 2CVE-2025-67038 URL-encoded command injection bypass attempt

    Expected signal: HTTP GET request to port 80 containing '%3B' in the query string targeting an admin management path

  3. Test 3CVE-2025-67038 POST-body code injection simulation

    Expected signal: HTTP POST request to port 80 targeting '/manage/apply.cgi' with POST body containing ';wget' command injection — captured in proxy or WAF logs if POST body inspection is enabled

  4. Test 4CVE-2025-67038 path traversal combined with injection

    Expected signal: HTTP GET request containing '../' path traversal sequences combined with 'cmd=id' injection parameter targeting EDS5000 management port

Last updated: 2026-06-24 Research depth: standard
References (4)

Unlock Pro Content

Get the full detection package for CVE-2025-67038 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0002ExecutionTA0008Lateral Movement

Related Techniques

T1190Exploit Public-Facing ApplicationT1059Command and Scripting InterpreterT1021Remote Services

Same Tactic: Initial Access

Popular Detections