
Critical Lantronix EDS5000 RCE Exploited in the Wild: CISA Orders Federal Agency Remediation

CISA has confirmed active exploitation of CVE-2025-67038, a code injection vulnerability in Lantronix EDS5000 Series devices with a CVSS score of 9.8 that enables remote code execution. Federal agencies are required to patch by June 26, 2026.

Sebastion

CVE References: CVE-2025-67038

Affected: Lantronix EDS5000 Series

Lantronix EDS5000 Series devices are terminal servers and out-of-band management appliances widely deployed in federal infrastructure, data centres, and critical systems where they provide console access and serial device management. The code injection vulnerability (CVE-2025-67038) carries a CVSS v3.1 base score of 9.8, indicating an unauthenticated attack surface reachable over the network with low attack complexity required to achieve remote code execution. Active exploitation in the wild has prompted CISA to issue a mandatory remediation deadline for Federal Civilian Executive Branch agencies, signalling that this is not a theoretical risk but an ongoing compromise vector.

The severity of this flaw stems from the trusted position EDS5000 devices occupy in infrastructure stacks. These appliances typically sit on management networks with elevated access to critical systems, meaning successful compromise provides attackers a foothold for lateral movement, persistence, and potential supply-chain propagation across interconnected assets. The code injection pathway suggests attackers can feed malicious input through normal device interfaces, likely with minimal authentication barriers, converting the device itself into a beachhead.

The FCEB remediation deadline of June 26, 2026 is a strong indicator that patch availability exists but rollout is logistically complex. Federal agencies managing hundreds or thousands of these appliances in geographically dispersed environments face operational challenges in validating and deploying updates without service disruption. The compressed timeline also suggests CISA has intelligence that current exploitation is either widespread or targeting high-value assets, warranting accelerated action.

Defenders should immediately inventory all EDS5000 devices on management networks, validate current firmware versions against patched releases, and prioritise patching in environments with sensitive downstream systems. Temporary mitigations should include network segmentation restricting device access, enhanced monitoring for suspicious command execution on management interfaces, and increased logging of console traffic. Organisations unable to patch by the federal deadline should escalate device replacement planning and implement compensating controls such as out-of-band access restrictions and authentication hardening.
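A triage script for the inventory and prioritisation step described above, added here as an example (not code from the advisory, CISA or Lantronix). The patched firmware version is an assumed placeholder because the advisory does not state the fixed release, and the inventory rows are constructed; the zone and downstream-sensitivity fields drive the ordering.

```python
import csv
import io
from datetime import date

CVE_ID = "CVE-2025-67038"
FCEB_DEADLINE = date(2026, 6, 26)   # remediation date from the CISA directive
# Placeholder: the advisory does not name the fixed firmware release; substitute the vendor's value.
ASSUMED_PATCHED_FIRMWARE = "9.0.0"

# Constructed sample inventory (not real hosts) with the fields the triage needs.
INVENTORY_CSV = """hostname,model,firmware,zone,sensitive_downstream
ts-dc1-01,EDS5000,8.1.0,mgmt-flat,yes
ts-dc1-02,EDS5000,8.1.0,mgmt-isolated,no
ts-lab-07,EDS5000,9.0.2,mgmt-isolated,no
ts-edge-03,EDS5000,8.0.5,internet,yes
sw-core-01,Switch-X,1.0,mgmt-flat,yes
"""

def parse_version(text):
    """Turn a dotted firmware string into a tuple so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))

def priority(row, patched=ASSUMED_PATCHED_FIRMWARE):
    """1 = patch first, 3 = patch last, None = not an affected EDS5000 (other model or already fixed)."""
    if not row["model"].startswith("EDS5000"):
        return None
    if parse_version(row["firmware"]) >= parse_version(patched):
        return None
    exposed = row["zone"] in ("internet", "mgmt-flat")   # reachable beyond an isolated mgmt segment
    sensitive = row["sensitive_downstream"].strip().lower() == "yes"
    if exposed and sensitive:
        return 1
    return 2 if (exposed or sensitive) else 3

def triage(csv_text, today_iso, patched=ASSUMED_PATCHED_FIRMWARE):
    """Return affected devices ordered by priority, each with days left to the FCEB deadline."""
    days_left = (FCEB_DEADLINE - date.fromisoformat(today_iso)).days
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        level = priority(row, patched)
        if level is not None:
            rows.append({"hostname": row["hostname"], "firmware": row["firmware"],
                         "priority": level, "days_to_deadline": days_left})
    return sorted(rows, key=lambda r: (r["priority"], r["hostname"]))

if __name__ == "__main__":
    for r in triage(INVENTORY_CSV, "2026-05-01"):
        print(f"P{r['priority']} {r['hostname']} fw={r['firmware']} ({CVE_ID}), {r['days_to_deadline']} days left")
```

A negative days_to_deadline value means the run date is past the federal deadline, which is the cue to escalate replacement planning and compensating controls rather than keep waiting on a patch window.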

This incident reinforces that industrial and legacy device management infrastructure remains a critical vulnerability surface often overlooked by security teams focused on application-layer risks. Vendors shipping these appliances typically operate on longer release cycles, and organisations delay patching due to perceived stability concerns. Active exploitation of a 9.8 RCE undermines both assumptions, making this a forcing function for reassessing how critical organisations prioritise access-plane infrastructure security.