CISA Adds Lantronix EDS5000 Code Injection Bug to Known Exploited Vulnerabilities List
CVE-2025-67038 scores a 9.8 CVSS and is already being exploited in the wild. Federal agencies have until June 26, 2026 to patch — a deadline that tells you nothing about how fast attackers are moving right now.

Active Exploitation Confirmed: Lantronix EDS5000 Serial-to-Ethernet Devices Under Attack
CISA added CVE-2025-67038 to its Known Exploited Vulnerabilities catalog this month, confirming active exploitation of a critical code injection flaw in Lantronix EDS5000 Series device servers. The vulnerability carries a CVSS score of 9.8 — as high as these ratings get before someone calls it theoretical.
The bug lives in the device's management interface. An unauthenticated attacker with network access to the affected unit can inject and execute arbitrary code. No credentials required. No prior foothold needed. Just network reachability and a working exploit.
What the EDS5000 Actually Does — and Why That Matters
Most cybersecurity news treats "network device compromised" as a generic IT headline. This one is different. The Lantronix EDS5000 is a serial-to-Ethernet gateway. It translates traffic between IP networks and legacy serial connections — the kind of connections that run programmable logic controllers, medical instruments, HVAC systems, and building-automation sensors.
Compromise an EDS5000 and you are not just on the box. You are standing directly in front of whatever industrial or operational technology asset it was bridging. That could be a PLC on a factory floor. It could be a controller managing physical access to a building. It could be monitoring equipment in a clinical environment.
That context changes the risk calculus completely. Code execution on an IT endpoint is serious. Code execution on a device that fronts OT infrastructure is a different conversation.
The "Properly Segmented" Problem
The 9.8 CVSS score assumes the management interface is reachable over the network without authentication. That assumption is worth challenging in your own environment: if your EDS5000 units sit behind strict network segmentation, your exposure is lower.
The operative word is *if*. These devices are installed during building retrofits, manufacturing floor upgrades, and hospital infrastructure projects. They then sit, unpatched and effectively unmanaged, for years. The Verizon 2024 Data Breach Investigations Report found that exploitation of vulnerabilities as an initial access vector grew 180% year over year, with OT-adjacent devices representing a disproportionate share of targets that lack consistent patch cycles. The pattern with serial-to-IP gateways is exactly that: installed and forgotten.
CISA's catalog listing confirms exploitation but does not name a threat actor, publish indicators of compromise, or characterize whether the observed activity is opportunistic scanning or a targeted campaign. That ambiguity is not reassuring. Opportunistic scanning of a 9.8-rated, network-accessible, unauthenticated RCE bug still ends badly.
What Defenders Need to Do Right Now
Federal Civilian Executive Branch agencies are required under Binding Operational Directive 22-01 to remediate by June 26, 2026. For everyone else, that date is irrelevant — it is a compliance floor, not a reasonable patch timeline when exploitation is already confirmed.
Immediate priorities:
- Run an inventory across IT *and* OT asset systems for any Lantronix EDS5000 Series units. Facilities and operational technology teams frequently deploy these independently of IT visibility, meaning they may not appear in your standard CMDB.
- Pull management interfaces off any network segment reachable from the internet or from general corporate VLANs. There is no legitimate reason the management plane of a serial gateway should be exposed to flat networks.
- Apply Lantronix's fixed firmware once you have validated it against the vendor's official advisory. Do not rely on third-party patch notes.
- If immediate patching is not possible, apply access control lists to restrict management access to a dedicated jump host, enable full logging on all access attempts, and monitor for anomalous outbound connections from the device — EDS-class hardware should not be initiating much traffic of its own.
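The last two bullets can be checked mechanically. The script below is an added example, not code from CISA, Lantronix or this article: it assumes a hypothetical inventory of gateway addresses, a single permitted jump host, a set of assumed management ports, and a constructed connection-log format, and flags management access that does not come from the jump host as well as any connection a gateway initiates to something other than its serial-bridging peer.

```python
from collections import namedtuple

# Constructed inventory (hypothetical values): EDS5000 units found in the IT/OT sweep,
# the one jump host allowed to reach their management plane, the ports assumed to
# carry management traffic, and the serial-bridging peer each gateway legitimately serves.
GATEWAYS = {"10.40.7.21", "10.40.7.22"}
JUMP_HOST = "10.40.9.5"
MGMT_PORTS = {22, 23, 80, 443}   # assumption; confirm against the vendor's documentation
ALLOWED_PEERS = {"10.40.7.21": {"10.40.7.100"}, "10.40.7.22": {"10.40.7.101"}}

Finding = namedtuple("Finding", "kind src dst dport")


def parse_flow(line):
    """Parse one constructed connection-log line: '<ts> <src>:<port> -> <dst>:<port>'.
    Each line is treated as a connection initiated by src."""
    _ts, src, _arrow, dst = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return src_ip, int(src_port), dst_ip, int(dst_port)


def check_flow(src_ip, src_port, dst_ip, dst_port):
    """Return a Finding when a flow violates the gateway policy, otherwise None."""
    # Rule 1: management-plane access to a gateway from anything but the jump host.
    if dst_ip in GATEWAYS and dst_port in MGMT_PORTS and src_ip != JUMP_HOST:
        return Finding("mgmt_access_not_from_jump_host", src_ip, dst_ip, dst_port)
    # Rule 2: a gateway initiating a connection to anything other than its bridging peer.
    if src_ip in GATEWAYS and dst_ip not in ALLOWED_PEERS.get(src_ip, set()):
        return Finding("unexpected_outbound_from_gateway", src_ip, dst_ip, dst_port)
    return None


def scan(lines):
    """Run both rules over an iterable of log lines and collect the findings."""
    return [f for f in (check_flow(*parse_flow(ln)) for ln in lines if ln.strip()) if f]


# Constructed sample: one legitimate jump-host session, one management login from a
# corporate VLAN, one normal serial-bridging flow, and one gateway-initiated
# connection to an internet address.
SAMPLE_FLOWS = """\
2025-12-01T08:00:01Z 10.40.9.5:51022 -> 10.40.7.21:443
2025-12-01T08:00:07Z 10.20.3.17:60211 -> 10.40.7.21:80
2025-12-01T08:00:09Z 10.40.7.22:10001 -> 10.40.7.101:10001
2025-12-01T08:00:15Z 10.40.7.21:45012 -> 203.0.113.9:443
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_FLOWS.splitlines()):
        print(finding)
```

Feed it real flow or firewall logs by replacing `parse_flow` with a parser for your log format; the two rules themselves stay the same.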
"The challenge with embedded device servers isn't the patching itself — it's that organizations often don't know they have them," said a senior OT security engineer at a critical infrastructure consultancy. "They show up in network scans labeled as 'unknown device' and stay that way for years."
Where the Control Failures Are
Two distinct failure categories drive incidents like this one, and both are visible here.
The first is asset visibility. You cannot patch what you cannot see. Serial-to-Ethernet gateways are OT boundary devices that frequently fall outside the scope of IT asset management programs. They do not run standard agents. They do not appear in endpoint detection consoles. They require active network scanning and, critically, communication between IT and OT or facilities teams who rarely share the same tooling or reporting chains. Organizations that implement security awareness training across both IT and OT personnel close that communication gap faster than those who treat security education as an IT-only function.
The second failure is patch hygiene for embedded systems. Enterprise patch management programs are often built around Windows endpoints and server operating systems. Firmware updates for embedded network devices sit outside those workflows entirely. The result: a device installed in 2017 is still running 2017 firmware in 2025, and nobody noticed until a CVE with a 9.8 score showed up on a federal watchlist. This is not a novel failure mode. It is a systemic one. Organizations that want to understand where their programs stand against published controls can review the NIST and compliance framework mappings at Train2Secure to identify where embedded-device patch management typically falls through.
The Broader Pattern
This is not the first time a serial-to-IP gateway has appeared in CISA's Known Exploited Vulnerabilities catalog. Legacy OT boundary devices are a recurring entry point precisely because they age in place while network architectures change around them. The segment that was isolated in 2016 may connect to a cloud-managed SD-WAN deployment added in 2022. The device that was "air-gapped" may now have a path to the internet through a building automation system that was upgraded without a full security review.
Treat every Lantronix EDS5000 on your network as unmanaged and unpatched until you can prove otherwise. The patch timeline Lantronix provides should be your guide. The CISA deadline of June 2026 should not.
How This Kind of Incident Could Have Been Prevented
- Build asset inventory programs that include OT and facilities-managed devices — not just IT endpoints — so embedded hardware like serial gateways appears in your patch queue before a CVE forces the issue.
- Establish firmware patch workflows for embedded network devices that run parallel to, but separate from, your standard enterprise patch management program.
- Ensure IT, OT, and facilities staff share a common security baseline: many visibility failures in OT environments trace directly to siloed teams with no shared security training.
Train2Secure's security awareness programs are built to close exactly the human and process gaps that leave OT-adjacent devices exposed — start with a free trial to see how it maps to your environment.
Frequently asked questions
What is CVE-2025-67038 and which devices does it affect?
CVE-2025-67038 is a code injection vulnerability in the Lantronix EDS5000 Series device servers — hardware that bridges IP networks with legacy serial connections in industrial, medical, and building-automation environments. It carries a CVSS score of 9.8 and allows unauthenticated remote code execution when the management interface is network-reachable.
Does the June 26, 2026 CISA deadline apply to private-sector organizations?
No. The remediation deadline under BOD 22-01 applies only to Federal Civilian Executive Branch agencies. Private-sector and critical infrastructure operators should treat active exploitation in the KEV catalog as a prompt to patch immediately, not a deadline to meet months from now.
Why are Lantronix EDS5000 devices particularly risky to leave unpatched?
These devices sit between IP networks and operational technology such as PLCs, sensors, and building controllers. A successful exploit doesn't just compromise the gateway itself — it puts an attacker adjacent to whatever industrial or physical system the gateway was serving, significantly expanding the blast radius.
What should I do if I can't patch the EDS5000 immediately?
Restrict management interface access to a dedicated jump host using ACLs, move the device off any network segment reachable from the internet or general corporate VLANs, enable full access logging, and monitor for unexpected outbound connections from the device. Apply the vendor's firmware patch as soon as your change control process allows.