Detect CVE-2025-67038 Lantronix EDS5000 Code Injection Exploitation in IBM QRadar
Detects exploitation attempts targeting CVE-2025-67038, a code injection vulnerability (CWE-78/CWE-94) in Lantronix EDS5000 series device servers. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog and allows attackers to inject OS commands or code through the device management interface. The EDS5000 series includes EDS5008, EDS5016, and EDS5032 models commonly deployed as serial-to-network device servers in industrial and enterprise environments.
MITRE ATT&CK
QRadar Detection Query
SELECT
sourceip,
destinationip,
destinationport,
URL,
username,
starttime,
eventcount,
QIDNAME(qid) as event_name
FROM events
WHERE
logsourcetypename(devicetype) IN ('Apache HTTP Server', 'Nginx', 'Juniper Networks Firewall', 'Palo Alto PA Series')
AND destinationport IN (80, 443, 8080, 9999, 30718)
AND (
URL ILIKE '%/cgi-bin/%'
OR URL ILIKE '%/admin/%'
OR URL ILIKE '%/manage/%'
OR URL ILIKE '%/config/%'
)
AND (
URL ILIKE '%;%'
OR URL ILIKE '%|%'
OR URL ILIKE '%`%'
OR URL ILIKE '%%3B%'
OR URL ILIKE '%%7C%'
OR URL ILIKE '%%60%'
OR URL ILIKE '%../%'
)
AND LOGSOURCENAME(logsourceid) NOT ILIKE '%scanner%'
AND LOGSOURCENAME(logsourceid) NOT ILIKE '%pentest%'
LAST 1 HOURS
ORDER BY starttime DESCQRadar AQL query for detecting HTTP requests to Lantronix EDS5000 management interfaces containing OS command injection sequences characteristic of CVE-2025-67038 exploitation. Excludes known scanner log sources.
Data Sources
Required Tables
False Positives & Tuning
- Authorized vulnerability scanners not excluded by log source name filters
- Administrators using shell expansion characters in device configuration
- Legitimate URL-encoded traffic from management applications
- Third-party integrations that use REST APIs with special character parameters
Other platforms for CVE-2025-67038
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1CVE-2025-67038 GET-based OS command injection probe
Expected signal: HTTP request to port 80 with URI containing '/cgi-bin/config.cgi' and query string containing ';id' should appear in firewall, proxy, or web server logs
- Test 2CVE-2025-67038 URL-encoded command injection bypass attempt
Expected signal: HTTP GET request to port 80 containing '%3B' in the query string targeting an admin management path
- Test 3CVE-2025-67038 POST-body code injection simulation
Expected signal: HTTP POST request to port 80 targeting '/manage/apply.cgi' with POST body containing ';wget' command injection — captured in proxy or WAF logs if POST body inspection is enabled
- Test 4CVE-2025-67038 path traversal combined with injection
Expected signal: HTTP GET request containing '../' path traversal sequences combined with 'cmd=id' injection parameter targeting EDS5000 management port
References (4)
- https://nvd.nist.gov/vuln/detail/CVE-2025-67038
- https://ltrxdev.atlassian.net/wiki/spaces/LTRXTS/pages/2538438657/Latest+Firmware+for+the+EDS5000+series+EDS5008+EDS5016+EDS5032
- https://www.cisa.gov/news-events/directives/bod-26-04-prioritizing-security-updates-based-risk
- https://www.cisa.gov/news-events/directives/bod-26-04-implementation-guidance-prioritizing-security-updates-based-risk
Unlock Pro Content
Get the full detection package for CVE-2025-67038 including response playbook, investigation guide, and atomic red team tests.