CRITICAL🇵🇱 Wersja polska

CVE-2025-67035

CVSS 9.8v3.1pub. 2026-03-11upd. 2026-07-05

An issue was discovered in Lantronix EDS5000 2.1.0.0R3. The SSH Client and SSH Server pages are affected by multiple OS injection vulnerabilities due to missing sanitization of input parameters. An attacker can inject arbitrary commands in delete actions of various objects, such as server keys, users, and known hosts. Commands are executed with root privileges.

🤖 AI Analysis
How it works

The vulnerability results from lack of input parameter sanitization on SSH Client and SSH Server configuration pages. An attacker can inject arbitrary system commands in deletion actions of various objects, such as server keys, users, and known hosts. Injected commands are executed by the device operating system with root privileges, providing full control over the device.

Impact

Attacker gains full control over the device — can read, modify and delete data, install malicious software, and use the device as an entry point for further network activities (lateral movement).

Mitigation & patch

Apply patches available from the manufacturer according to references (ICS-CERT advisory ICSA-26-069-02 and lantronix.com website). Until the update is applied, it is recommended to restrict network access to the device management interface only to trusted hosts.

Who is affected

Lantronix EDS5008, EDS5016, EDS5032 with firmware version 2.1.0.0R3

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Lantronix Eds5008

    HW
    Lantronix
    wszystkie wersje
  • Lantronix Eds5008 Firmware

    OS
    Lantronix
    2.1.0.0r3
  • Lantronix Eds5016

    HW
    Lantronix
    wszystkie wersje
  • Lantronix Eds5016 Firmware

    OS
    Lantronix
    2.1.0.0r3
  • Lantronix Eds5032

    HW
    Lantronix
    wszystkie wersje
  • Lantronix Eds5032 Firmware

    OS
    Lantronix
    2.1.0.0r3
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2025-67038CRITICAL9.8⚠ KEVPL ✓ten sam produkt

Command injection w Lantronix EDS5000 – wykonanie poleceń jako root

CVE-2025-67034HIGH8.8ten sam produkt

An issue was discovered in Lantronix EDS5000 2.1.0.0R3. An authenticated attacker can inject OS commands into ...

CVE-2025-67036HIGH8.8ten sam produkt

An issue was discovered in Lantronix EDS5000 2.1.0.0R3. The Log Info page allows users to see log files by spe...

CVE-2025-67037HIGH8.8ten sam produkt

An issue was discovered in Lantronix EDS5000 2.1.0.0R3. An authenticated attacker can inject OS commands into ...

CVE-2025-67039CRITICAL9.1PL ✓ten sam vendor

Pominięcie uwierzytelnienia w urządzeniach Lantronix EDS3000PS