CVE-2025-67038 Microsoft Sentinel · KQL

Detect CVE-2025-67038 Lantronix EDS5000 Code Injection Exploitation in Microsoft Sentinel

Detects exploitation attempts targeting CVE-2025-67038, a code injection vulnerability (CWE-78/CWE-94) in Lantronix EDS5000 series device servers. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog and allows attackers to inject OS commands or code through the device management interface. The EDS5000 series includes EDS5008, EDS5016, and EDS5032 models commonly deployed as serial-to-network device servers in industrial and enterprise environments.

MITRE ATT&CK

Tactic
Initial Access Execution Lateral Movement

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
let eds5000_ips = dynamic([]);
let suspicious_patterns = dynamic(['cmd=', 'exec=', 'command=', ';ls', ';id', ';cat', '|sh', '|bash', '`', '%60', '%3B', '%7C', '../', '..%2F']);
let timeframe = 1h;
union DeviceNetworkEvents, CommonSecurityLog, AzureActivity
| where TimeGenerated >= ago(timeframe)
| extend DestPort = coalesce(DestinationPort, toint(DeviceCustomNumber1))
| where DestPort in (80, 443, 8080, 9999, 30718)
| extend RequestURL = coalesce(RequestURL, DestinationServiceName, tostring(AdditionalExtensions))
| where RequestURL has_any (suspicious_patterns)
  or (RequestURL has_any ('/cgi-bin/', '/admin/', '/manage/') and RequestURL has_any ('=', '?'))
| extend SourceIP = coalesce(SourceIP, DeviceAddress, CallerIpAddress)
| extend DestIP = coalesce(DestinationIP, DeviceTranslatedAddress)
| project TimeGenerated, SourceIP, DestIP, DestPort, RequestURL, DeviceVendor, DeviceProduct, Activity
| extend RiskScore = case(
    RequestURL has_any (';id', ';ls', '|sh', '|bash', '`'), 90,
    RequestURL has_any ('%3B', '%7C', '%60'), 80,
    RequestURL has_any ('../', '..%2F'), 70,
    50
  )
| where RiskScore >= 50
| order by RiskScore desc, TimeGenerated desc
critical severity medium confidence

Detects HTTP/HTTPS requests to Lantronix EDS5000 management interfaces containing OS command injection patterns consistent with CVE-2025-67038 exploitation. Monitors network events and firewall logs for requests to common EDS5000 management ports with suspicious parameter values.

Data Sources

Microsoft Defender for EndpointAzure FirewallCommon Security Log (CEF)Network Security Groups

Required Tables

DeviceNetworkEventsCommonSecurityLogAzureActivity

False Positives & Tuning

  • Legitimate administrators running diagnostic commands via the web interface
  • Vulnerability scanners performing authorized assessments against EDS5000 devices
  • Application monitoring tools that make routine management API calls with encoded characters
  • Firmware update processes that may use unusual URL parameters

Other platforms for CVE-2025-67038

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1CVE-2025-67038 GET-based OS command injection probe

    Expected signal: HTTP request to port 80 with URI containing '/cgi-bin/config.cgi' and query string containing ';id' should appear in firewall, proxy, or web server logs

  2. Test 2CVE-2025-67038 URL-encoded command injection bypass attempt

    Expected signal: HTTP GET request to port 80 containing '%3B' in the query string targeting an admin management path

  3. Test 3CVE-2025-67038 POST-body code injection simulation

    Expected signal: HTTP POST request to port 80 targeting '/manage/apply.cgi' with POST body containing ';wget' command injection — captured in proxy or WAF logs if POST body inspection is enabled

  4. Test 4CVE-2025-67038 path traversal combined with injection

    Expected signal: HTTP GET request containing '../' path traversal sequences combined with 'cmd=id' injection parameter targeting EDS5000 management port

Last updated: 2026-06-24 Research depth: standard
References (4)

Unlock Pro Content

Get the full detection package for CVE-2025-67038 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0002ExecutionTA0008Lateral Movement

Related Techniques

T1190Exploit Public-Facing ApplicationT1059Command and Scripting InterpreterT1021Remote Services

Same Tactic: Initial Access

Popular Detections