Lantronix EDS5000 Command Injection (CVE-2025-67038) Exploited in the Wild, Now in CISA KEV

Lantronix EDS5000 serial-to-IP converters are under active attack via CVE-2025-67038, a CVSS 9.8 unauthenticated command-injection flaw that yields root code execution. Forescout saw it exploited before public details existed, and CISA has added it to KEV with a 26 June federal deadline.


A critical command-injection flaw in Lantronix EDS5000 serial-to-IP converters is being actively exploited, and CISA has added it to its Known Exploited Vulnerabilities catalog. The bug, CVE-2025-67038, carries a CVSS score of 9.8 and lets an unauthenticated attacker run arbitrary operating-system commands as root on the device. Forescout's Vedere Labs has confirmed in-the-wild exploitation, spotted in its own honeypot before any technical detail about the flaw was made public.

The vulnerability

CVE-2025-67038 is an unauthenticated OS command injection in the EDS5000 series, which - like many industrial routers and edge devices - is built on OpenWRT and its LuCI web interface. The vulnerability lives in LuCI's JSON-RPC authentication handler: after a failed login attempt, the submitted username is concatenated into a log string without sanitisation, and that string is then run by the system through os.execute. Because logging happens with root privileges, shell commands placed in the username field of the authentication request execute as root with no credentials required. The issue affects EDS5000 firmware up to and including 2.1.0.0R3, and the related BRIDGE:BREAK disclosure also covered the EDS3000PS series. No public proof-of-concept existed when the attacks began.

Exploited before the details were public

The timeline is the alarming part. Lantronix patched the flaw on 20 February 2026, it reached NVD on 11 March, and Forescout published its BRIDGE:BREAK research on 21 April. Yet Forescout's EDS5000 honeypot recorded exploitation of CVE-2025-67038 on 5 April - after the fix shipped, but well before any technical detail on how to attack it was public. That points to attackers reverse-engineering the Lantronix patch to build a working exploit. Forescout groups the activity into a cluster it calls Chaya_006: automated command-injection testing, device fingerprinting that referenced Lantronix EDS naming, then attempts to pull a second-stage payload from attacker-controlled infrastructure. The behaviour did not match a typical botnet or a broad vulnerability scanner, and the supporting infrastructure was registered across Asia (Hong Kong, Japan, South Korea, Taiwan, China).

CVE-2025-67038 summary: Lantronix EDS5000 command injection, exploitation timeline, affected and fixed firmware, exposure stats, and defender actions.

A wider assault on OpenWRT LuCI

Running in parallel, Forescout logged more than 4,100 brute-force attempts against OpenWRT LuCI login credentials between 28 January and 6 June, hitting multiple device types rather than a single target. Using Shodan, the team found roughly 32,000 internet-exposed devices advertising OpenWRT LuCI; around 5,000 of them were flagged as honeypots, and there are likely many more real devices that simply do not advertise LuCI. LuCI has long been an exploited attack surface - CVE-2023-1389 in TP-Link Archer AX21 routers has sat in CISA KEV since 2023 and been abused by Mirai, Gafgyt, Moobot and others - and fresh LuCI command-injection bugs keep surfacing, including CVE-2026-2670 (Advantech WISE-6610) and CVE-2026-11449 (GL.iNet GL-MT3000), both with public PoCs.

Why it matters for OT

Serial-to-IP converters bridge legacy serial equipment to IP networks, and they sit in operational-technology, industrial-control and healthcare environments worldwide. In the original BRIDGE:BREAK research, Forescout showed that flaws in these devices could be used to manipulate sensor readings - masking dangerous physical conditions that would normally demand human intervention - or to disrupt a healthcare environment with malicious firmware. CISA records affected deployments across the Communications, Information Technology and Critical Manufacturing sectors. A root-level foothold on one of these converters is a pivot point into every network it bridges.

Action Items

  • Patch now. Lantronix shipped fixed firmware on 20 February 2026: 2.2.0R1 for the EDS5000 series and 3.2.0.0R2 for the EDS3000 series. CISA's KEV entry sets a 26 June 2026 deadline for federal agencies; treat it as yours.
  • Take the converters off the public internet - internet exposure is the precondition for this attack.
  • Lock management interfaces down so only approved management workstations can reach the LuCI/web UI.
  • Eliminate default and weak credentials; the parallel brute-force campaign is hitting LuCI logins directly.
  • Segment converters onto dedicated VLANs that can talk only to the serial equipment they manage and the specific IP-side systems that need the data.
  • Monitor for command-injection attempts and anomalous inbound or outbound traffic to serial-to-IP converters and other OpenWRT edge devices, and bring those OpenWRT devices up to current firmware too.
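As an added example (not code from Forescout, Lantronix or this article), a small Python triage script that applies the monitoring item above to the flaw described earlier: it parses logged LuCI JSON-RPC login bodies, flags usernames carrying shell metacharacters that would break out of a concatenated command, and counts login calls per source to surface brute forcing. The request shape (`method` "login" with `[username, password]` params), the constructed sample traffic and the threshold are assumptions.

```python
import json
import re
from collections import Counter

# Constructed sample traffic (not from the article): one JSON-RPC login body per
# entry, as a reverse proxy or IDS in front of LuCI might record it.
SAMPLE_REQUESTS = [
    ("10.0.0.5", '{"id":1,"method":"login","params":["admin","Correct-Horse-9"]}'),
    ("203.0.113.9", '{"id":1,"method":"login","params":["root; echo probe","x"]}'),
    ("203.0.113.9", '{"id":1,"method":"login","params":["$(id)","x"]}'),
    ("10.0.0.5", '{"id":2,"method":"logout","params":[]}'),
    ("198.51.100.7", "garbage that is not json"),
] + [
    ("198.51.100.7", f'{{"id":1,"method":"login","params":["admin","{pw}"]}}')
    for pw in ("admin", "password", "1234", "root", "lantronix", "openwrt")
]

# Characters that have no place in a username but let a string escape a shell
# command when it is concatenated into one and handed to os.execute.
SHELL_META = re.compile(r"[;&|`$<>\\\n]")

def parse_login(body):
    """Return (username, password) for an assumed rpc/auth login call, else None."""
    try:
        msg = json.loads(body)
    except ValueError:
        return None
    if not isinstance(msg, dict) or msg.get("method") != "login":
        return None
    params = msg.get("params")
    if not isinstance(params, list) or len(params) != 2:
        return None
    return str(params[0]), str(params[1])

def is_injection_attempt(username):
    return SHELL_META.search(username) is not None

def analyse(requests, brute_threshold=5):
    """Flag usernames with shell metacharacters and sources hammering the login."""
    injections, attempts = [], Counter()
    for src_ip, body in requests:
        login = parse_login(body)
        if login is None:
            continue          # not a login call, or not even JSON: ignore here
        username, _ = login
        attempts[src_ip] += 1
        if is_injection_attempt(username):
            injections.append((src_ip, username))
    brute = sorted(ip for ip, n in attempts.items() if n >= brute_threshold)
    return {"injection": injections, "brute_force": brute}

if __name__ == "__main__":
    print(json.dumps(analyse(SAMPLE_REQUESTS), indent=2))
```

A hit on the injection list against a device still on vulnerable firmware should be treated as a probable compromise, not just an attempt, since the flaw needs no valid credentials.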

Indicators of Compromise

Command and control

  • 154.219.113[.]56 (Hong Kong)
  • 38.180.201[.]49 (Japan)

Scanners

  • 38.207.136[.]2 (Japan)
  • 160.238.37[.]28 (South Korea)
  • 59.124.166[.]52 (Taiwan)
  • 218.13.42[.]36 (China)
