Detect CVE-2025-67038 Lantronix EDS5000 Code Injection Exploitation in Splunk
Detects exploitation attempts targeting CVE-2025-67038, a code injection vulnerability (CWE-78/CWE-94) in Lantronix EDS5000 series device servers. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog and allows attackers to inject OS commands or code through the device management interface. The EDS5000 series includes EDS5008, EDS5016, and EDS5032 models commonly deployed as serial-to-network device servers in industrial and enterprise environments.
MITRE ATT&CK
SPL Detection Query
index=* (sourcetype="pan:traffic" OR sourcetype="cisco:asa" OR sourcetype="juniper:junos:firewall" OR sourcetype=access_combined OR sourcetype=httpevent)
| eval dest_port=coalesce(dest_port, dpt)
| where isnull(dest_port) OR dest_port IN (80, 443, 8080, 9999, 30718)
| eval uri=coalesce(uri, request, 'cs-uri-stem')
| eval query_string=coalesce(uri_query, 'cs-uri-query', qs)
| eval full_request=if(isnull(query_string), uri, uri."?".query_string)
| where match(full_request, "(/cgi-bin/|/admin/|/manage/|/config/)")
    OR match(full_request, "(;ls|;id|;cat|;pwd|;whoami|;wget|;curl|;nc |\|sh|\|bash)")
    OR match(full_request, "(%3B|%7C|%60|%24%28)")
    OR match(full_request, "(\.\./|\.\.[/\\\\])")
| eval src_ip=coalesce(src_ip, src, 'c-ip')
| eval dest_ip=coalesce(dest_ip, dest, 's-ip')
| eval risk_score=case(
    match(full_request, "(;id|;ls|\|sh|\|bash)"), 90,
    match(full_request, "(%3B|%7C|%60)"), 80,
    match(full_request, "(\.\./)"), 70,
    true(), 50
  )
| where risk_score >= 50
| stats count, earliest(_time) as first_seen, latest(_time) as last_seen, values(full_request) as requests, max(risk_score) as max_risk by src_ip, dest_ip, dest_port
| where count >= 1
| sort - max_risk, - count
Detects potential exploitation of CVE-2025-67038 by analyzing web access logs and firewall logs for requests to Lantronix EDS5000 management ports containing command injection payloads. Field names containing hyphens (cs-uri-stem, cs-uri-query, c-ip, s-ip) must be single-quoted in eval, the port filter lets through events that carry no dest_port field (web server access logs) rather than silently dropping them, and full_request is built without a null query string so that requests with only a path still reach the match() checks.
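The same filter, risk tiers and aggregation as the SPL above, implemented in Python over a few constructed access_combined lines, as an added example rather than part of the original detection package. Access-log lines carry no dest_ip or dest_port, so the web server's own address and port are passed in as assumed values.

```python
import re
from collections import defaultdict

# Constructed access_combined lines (not real traffic); paths mirror the page's test plan.
SAMPLE_LOGS = [
    '10.0.0.5 - - [01/Jan/2025:10:00:00 +0000] "GET /cgi-bin/config.cgi?host=x;id HTTP/1.1" 200 512',
    '10.0.0.6 - - [01/Jan/2025:10:00:01 +0000] "GET /admin/index.cgi?name=test%3Bls HTTP/1.1" 200 100',
    '10.0.0.7 - - [01/Jan/2025:10:00:02 +0000] "GET /manage/file.cgi?p=../../etc/passwd HTTP/1.1" 404 0',
    '10.0.0.9 - - [01/Jan/2025:10:00:03 +0000] "GET /admin/status.cgi HTTP/1.1" 200 300',
    '10.0.0.8 - - [01/Jan/2025:10:00:04 +0000] "GET /static/logo.png HTTP/1.1" 200 2048',
]

LOG_RE = re.compile(r'^(?P<src_ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<uri>\S+) [^"]*" \d+')
# Same four patterns as the SPL where clause; Splunk match() is case-sensitive, so these are too.
PATTERNS = [
    re.compile(r"(/cgi-bin/|/admin/|/manage/|/config/)"),
    re.compile(r"(;ls|;id|;cat|;pwd|;whoami|;wget|;curl|;nc |\|sh|\|bash)"),
    re.compile(r"(%3B|%7C|%60|%24%28)"),
    re.compile(r"(\.\./|\.\.[/\\])"),
]

def risk_score(full_request):
    """Mirror of the SPL case(): the first matching tier wins, default 50."""
    if re.search(r"(;id|;ls|\|sh|\|bash)", full_request):
        return 90
    if re.search(r"(%3B|%7C|%60)", full_request):
        return 80
    if re.search(r"\.\./", full_request):
        return 70
    return 50

def detect(lines, dest_ip="192.0.2.10", dest_port=80):
    """Apply the page's filter, then aggregate and sort like its stats/sort stages.
    dest_ip/dest_port are assumed (the web server's own) since access logs lack them."""
    groups = defaultdict(lambda: {"count": 0, "requests": [], "max_risk": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        full_request = m.group("uri")
        if not any(p.search(full_request) for p in PATTERNS):
            continue  # neither a management path nor an injection indicator
        g = groups[(m.group("src_ip"), dest_ip, dest_port)]
        g["count"] += 1
        g["requests"].append(full_request)
        g["max_risk"] = max(g["max_risk"], risk_score(full_request))
    rows = [dict(src_ip=k[0], dest_ip=k[1], dest_port=k[2], **v) for k, v in groups.items()]
    return sorted(rows, key=lambda r: (-r["max_risk"], -r["count"]))
```

Running detect(SAMPLE_LOGS) shows the tiering the page describes, including the benign /admin/status.cgi request that still scores 50 because the management-path match is OR-ed with the payload patterns, which is the false-positive source the tuning section names.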
Data Sources
Required Sourcetypes
False Positives & Tuning
- Authorized penetration testing or vulnerability scanning activities
- Legitimate shell metacharacters used in valid device configuration parameters
- URL-encoded characters in normal administrative operations
- Automated monitoring scripts that interact with device management APIs
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: CVE-2025-67038 GET-based OS command injection probe
Expected signal: HTTP request to port 80 with URI containing '/cgi-bin/config.cgi' and query string containing ';id' should appear in firewall, proxy, or web server logs
- Test 2: CVE-2025-67038 URL-encoded command injection bypass attempt
Expected signal: HTTP GET request to port 80 containing '%3B' in the query string targeting an admin management path
- Test 3: CVE-2025-67038 POST-body code injection simulation
Expected signal: HTTP POST request to port 80 targeting '/manage/apply.cgi' with POST body containing ';wget' command injection, captured in proxy or WAF logs if POST body inspection is enabled
- Test 4: CVE-2025-67038 path traversal combined with injection
Expected signal: HTTP GET request containing '../' path traversal sequences combined with 'cmd=id' injection parameter targeting EDS5000 management port
Note that the SPL query matches on the URI and query-string fields only, so Test 3 produces a hit only when the log source extracts the POST body into one of the fields coalesced into full_request; otherwise it is visible just through the '/manage/' path match at the default risk score of 50.
References
- https://nvd.nist.gov/vuln/detail/CVE-2025-67038
- https://ltrxdev.atlassian.net/wiki/spaces/LTRXTS/pages/2538438657/Latest+Firmware+for+the+EDS5000+series+EDS5008+EDS5016+EDS5032
- https://www.cisa.gov/news-events/directives/bod-26-04-prioritizing-security-updates-based-risk
- https://www.cisa.gov/news-events/directives/bod-26-04-implementation-guidance-prioritizing-security-updates-based-risk