If you have any LuCI-based #Lantronix Serial-to-Ethernet device exposed on the internet, then you may want to kickoff your incident response plan.

My suspicion is that the unauthenticated Remote Code Execution vulnerability CVE-2025-67038 affects a lot more device types than just the EDS5000 that is mentioned in the advisory.

The vulnerable code path is in a modified OpenWRT LuCI RPC module that puts a user-controlled variable inside a Lua `os.execute` call. This vulnerable code is contained in a lot of device firmware versions released in or after 2023. Unfortunately, I do not have the devices to actually test exploitability. My analysis is based purely on patch diffing and grepping publicly released firmware versions. The incomplete list of device types that contain the vulnerable code: EDS5000, G520, G526, G526RP, G527, G528, X300, X300-WiFi, X303, X304. I also suspect E210 is on the incomplete list of vulnerable devices.

Back in April this vulnerability was published by Forescout as part of their BRIDGE:BREAK report on Serial-to-Ethernet adapters. Two days ago this vulnerability was added to the CISA KEV Catalog. Yesterday Forescout published a blogpost they first observed exploitation attempts on the 5th of April 2026. Attacks are attributed to a new cluster Chaya_006. It is unclear if Lantronix took the effort to check if any of their other devices are vulnerable given that they contain the same RPC module.

You want to look for POST requests to `/cgi-bin/luci/rpc/auth` in your logs. Forescout has a number 3 octet IP addresses as Indicator of Compromise here: https://www.forescout.com/blog/analyzing-active-exploitation-of-lantronix-and-openwrt-luci/ . The running theory is that these are supposed to be /24 CIDR ranges.

@Secure_ICS_OT
@cisacyber

#vulnerability #cybersecurity #ics #CVE202567038

CISA Warns of Active Exploitation of Lantronix EDS5000 Flaw

A critical code-injection flaw, CVE-2025-67038, has been discovered in Lantronix EDS5000 Series devices, allowing attackers to inject arbitrary OS commands with root privileges due to a lack of input sanitization in the HTTP RPC module. This vulnerability has a CVSS score of 9.8, indicating a high severity level.

https://osintsights.com/cisa-warns-of-active-exploitation-of-lantronix-eds5000-flaw?utm_source=mastodon&utm_medium=social

#LantronixEds5000 #Cve202567038 #CodeInjection #IotVulnerabilities #EmergingThreats

🚨 [CISA-2026:0623] CISA Adds 4 Known Exploited Vulnerabilities to Catalog (https://secdb.nttzen.cloud/security-advisory/detail/CISA-2026:0623)

CISA has added 4 new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise.

⚠️ CVE-2025-67038 (https://secdb.nttzen.cloud/cve/detail/CVE-2025-67038)
- Name: Lantronix EDS5000 Code Injection Vulnerability
- Action: Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.
- Known To Be Used in Ransomware Campaigns? Unknown
- Vendor: Lantronix
- Product: EDS5000
- Notes: https://ltrxdev.atlassian.net/wiki/spaces/LTRXTS/pages/2538438657/Latest+Firmware+for+the+EDS5000+series+EDS5008+EDS5016+EDS5032 ; BOD 26-04: https://www.cisa.gov/news-events/directives/bod-26-04-prioritizing-security-updates-based-risk ; Forensics Triage Requirements: https://www.cisa.gov/news-events/directives/bod-26-04-implementation-guidance-prioritizing-security-updates-based-risk ; https://nvd.nist.gov/vuln/detail/CVE-2025-67038

⚠️ CVE-2026-34908 (https://secdb.nttzen.cloud/cve/detail/CVE-2026-34908)
- Name: Ubiquiti UniFi OS Improper Access Control Vulnerability
- Action: Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.
- Known To Be Used in Ransomware Campaigns? Unknown
- Vendor: Ubiquiti
- Product: UniFi OS
- Notes: https://community.ui.com/releases/Security-Advisory-Bulletin-064-064/84811c09-4cf4-42ab-bd61-cc994445963b ; BOD 26-04: https://www.cisa.gov/news-events/directives/bod-26-04-prioritizing-security-updates-based-risk ; Forensics Triage Requirements: https://www.cisa.gov/news-events/directives/bod-26-04-implementation-guidance-prioritizing-security-updates-based-risk ; https://nvd.nist.gov/vuln/detail/CVE-2026-34908

⚠️ CVE-2026-34909 (https://secdb.nttzen.cloud/cve/detail/CVE-2026-34909)
- Name: Ubiquiti UniFi OS Path Traversal Vulnerability
- Action: Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.
- Known To Be Used in Ransomware Campaigns? Unknown
- Vendor: Ubiquiti
- Product: UniFi OS
- Notes: https://community.ui.com/releases/Security-Advisory-Bulletin-064-064/84811c09-4cf4-42ab-bd61-cc994445963b ; BOD 26-04: https://www.cisa.gov/news-events/directives/bod-26-04-prioritizing-security-updates-based-risk ; Forensics Triage Requirements: https://www.cisa.gov/news-events/directives/bod-26-04-implementation-guidance-prioritizing-security-updates-based-risk ; https://nvd.nist.gov/vuln/detail/CVE-2026-34909

⚠️ CVE-2026-34910 (https://secdb.nttzen.cloud/cve/detail/CVE-2026-34910)
- Name: Ubiquiti UniFi OS Improper Input Validation Vulnerability
- Action: Apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk (see URL in Notes) guidance and CISA’s “Forensics Triage Requirements” (see URL in Notes). Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines.
- Known To Be Used in Ransomware Campaigns? Unknown
- Vendor: Ubiquiti
- Product: UniFi OS
- Notes: https://community.ui.com/releases/Security-Advisory-Bulletin-064-064/84811c09-4cf4-42ab-bd61-cc994445963b ; BOD 26-04: https://www.cisa.gov/news-events/directives/bod-26-04-prioritizing-security-updates-based-risk ; Forensics Triage Requirements: https://www.cisa.gov/news-events/directives/bod-26-04-implementation-guidance-prioritizing-security-updates-based-risk ; https://nvd.nist.gov/vuln/detail/CVE-2026-34910

#ZEN #SecDB #InfoSec #CVE #CISA_KEV #cisa_20260623 #cisa20260623 #cve_2025_67038 #cve_2026_34908 #cve_2026_34909 #cve_2026_34910 #cve202567038 #cve202634908 #cve202634909 #cve202634910