An issue in Lantronix EDS3000PS v.3.1.0.0R2 allows an attacker to execute arbitrary code and obtain sensitive information via the ltrx_evo component
The vulnerability concerns the ltrx_evo component embedded in the Lantronix EDS3000PS device firmware. The vulnerability includes command injection (CWE-78), authentication mechanism bypass (CWE-288), and improper password verification (CWE-620). An attacker without network authentication can send a specially crafted request that leads to execution of arbitrary system commands on the device.
An attacker can gain full control over the device through remote code execution (RCE) and steal sensitive information stored or processed by the device. The consequences include breach of confidentiality, integrity, and system availability.
Apply patches available from the manufacturer according to references. It is recommended to follow the CISA ICS Advisory message ICSA-26-069-02 at https://www.cisa.gov/news-events/ics-advisories/icsa-26-069-02 for detailed update instructions. Until the patch is implemented, restrict network access to Lantronix EDS3000PS devices using firewall or network segmentation.
Lantronix EDS3000PS firmware version 3.1.0.0R2 (products: EDS3016PS1NS, EDS3008PS1NS)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HLantronix Eds3008ps1ns
HWLantronixwszystkie wersjeLantronix Eds3008ps1ns Firmware
OSLantronix3.1.0.0r2Lantronix Eds3016ps1ns
HWLantronixwszystkie wersjeLantronix Eds3016ps1ns Firmware
OSLantronix3.1.0.0r2
Related vulnerabilities
Pominięcie uwierzytelnienia w urządzeniach Lantronix EDS3000PS
Command injection w parametrze host klienta TFTP urządzeń Lantronix EDS3000PS
Command injection w Lantronix EDS5000 – wykonanie poleceń jako root
OS command injection w Lantronix EDS5000 — wykonanie kodu jako root
An OS command injection vulnerability exists in the Web Manager Diagnostics: Traceroute functionality of Lantr...