The US Cybersecurity and Infrastructure Security Agency has confirmed that a critical flaw in Lantronix EDS5000 Series device servers is being actively exploited in the wild, and it gave Federal Civilian Executive Branch (FCEB) agencies until June 26, 2026 to remediate. The bug, tracked as CVE-2025-67038 and rated CVSS 9.8, was one of four vulnerabilities CISA added to its Known Exploited Vulnerabilities (KEV) catalog on June 23, alongside flaws in Ubiquiti UniFi OS. The message to defenders is blunt: a small serial-to-Ethernet gateway that almost nobody patches on schedule is now a confirmed entry point for attackers, and the clock has already run out.

What the Flaw Actually Does

The Lantronix EDS5000 is a device server, also called a serial-to-Ethernet gateway. Its job is to take a legacy device that speaks RS-232 or RS-485 over a serial cable and put it on an IP network. That makes it deeply embedded in industrial, OT, and critical-infrastructure environments: it sits in front of PLCs, building-management controllers, medical equipment, point-of-sale terminals, and a long tail of machinery that was never designed to touch a network at all.

CVE-2025-67038 is a code injection vulnerability in the device’s HTTP RPC module. When a user fails authentication, the module runs a shell command to write a log entry. The problem is that the supplied username is concatenated directly into that shell command with no sanitization. An attacker can therefore stuff arbitrary operating-system commands into the username field of a failed login attempt, and the gateway dutifully executes them. Those commands run with root privileges.

Read that sequence again, because it is the worst-case version of an edge-device bug. No valid credentials are required: the injection happens on the failed-login path itself. The attack surface is the web interface. And the payload runs as root. There is effectively no privilege boundary left to cross once the request lands.
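The defect class described above, as an added example written for this article rather than code from Lantronix: an untrusted username is spliced into a shell command line that records the failed login, beside the hardened form that never hands the value to a shell. The exact command the EDS5000 firmware runs is not public here and is assumed; `echo` stands in for the real logging command, and the captured stdout stands in for what the logger records.

```python
import re
import subprocess

# Added example, not Lantronix code. Models the defect class the article
# describes: a username from a failed HTTP login concatenated into a shell
# command. The real logging command is unknown and assumed; "echo" stands in.

# Characters that mean something to /bin/sh but have no business in a username.
SHELL_METACHARS = re.compile(r"[;&|`$<>\n\r(){}]")


def log_failed_login_vulnerable(username: str) -> str:
    """Vulnerable pattern: string concatenation, then shell=True.

    The shell parses the whole line, so a ';' inside the username ends the
    logging command and starts a second one that runs with the logger's
    privileges (root, in the case the article describes).
    Returns what the shell printed, standing in for what was logged.
    """
    cmd = f"echo auth failure for user {username}"
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout


def log_failed_login_hardened(username: str) -> str:
    """Hardened pattern: argv list, no shell, plus screening for alerting.

    /bin/echo receives the username as one literal argument; there is no
    shell to interpret ';', '$(...)' or backticks. The metacharacter check
    is defence in depth: the argv form is already safe, the check only tags
    the entry so a monitoring rule can pick it up.
    """
    safe = username[:64]  # keep the raw value for forensics, bound its length
    tag = " [suspicious characters]" if SHELL_METACHARS.search(username) else ""
    argv = ["echo", "auth", "failure", "for", "user", safe + tag]
    result = subprocess.run(argv, capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    probe = "bob; echo INJECTED"  # constructed username from a failed login
    print("vulnerable:", repr(log_failed_login_vulnerable(probe)))
    print("hardened:  ", repr(log_failed_login_hardened(probe)))
```

Run it and the vulnerable path prints a second line, `INJECTED`, produced by a command the username smuggled in; the hardened path logs the same string as an inert literal. The fix that matters is the argv list without a shell; input screening alone is not a substitute, because an allowlist can be wrong, but it is cheap telemetry.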

Why an Internet-Exposed Serial Gateway Is So Dangerous

A device server is a bridge by definition, and that is exactly what makes a compromise of one so valuable. Pop the EDS5000 and you do not just own a box on the network; you own the translation layer between the IP world and the physical equipment on the other end of the serial line. From a foothold with root on the gateway, an attacker can read and manipulate the serial traffic, pivot deeper into the OT segment, or simply use the device as a quiet, persistent beachhead inside a network that has very little monitoring at the edge.

These appliances are also chronically forgotten. They get installed once, wired to a controller, and left alone for years. Many are reachable from the internet either by deliberate remote-access configuration or by accident, and a quick search of internet-exposure data routinely turns up thousands of Lantronix devices answering on their web ports. Combine “internet-reachable,” “rarely patched,” and “unauthenticated root code execution,” and you have precisely the profile attackers hunt for.

This is the same dynamic we have covered repeatedly in 2026. Edge and network appliances are being weaponized faster than ever, from the Qilin campaign abusing a Check Point VPN zero-day that triggered a CISA emergency directive to the mass exposure documented in the FortiBleed leak of credentials from roughly 73,000 Fortinet firewalls. Perimeter gear is no longer the thing that protects the network; it is increasingly the thing that gets attacked first.

How the KEV Catalog and BOD 22-01 Work

The June 26 deadline comes from Binding Operational Directive (BOD) 22-01, the rule that created CISA’s Known Exploited Vulnerabilities catalog. A vulnerability earns a place in the KEV only when CISA has reliable evidence that it is being exploited in the wild, which is what separates it from the thousands of theoretical CVEs published every year. Once a flaw lands in the catalog, FCEB agencies are legally required to remediate it within a set window, and CISA assigns a specific due date for each entry.

The directive technically binds only federal civilian agencies, but the KEV has become the de facto patch-priority list for the entire industry. When a CVE appears there, it carries a simple meaning that applies to everyone: this is not a maybe; attackers are using it right now. Adding CVE-2025-67038 with a three-day remediation window signals that CISA considers the exploitation real and the exposure severe.

What To Do Now

Lantronix has shipped a fix in EDS5000 firmware version 2.2.0.0R1. Because exploitation is already active, this should not wait for a normal maintenance window.

  • Patch immediately. Upgrade every EDS5000 Series device to firmware 2.2.0.0R1 or later. This is the only complete fix.
  • Get them off the internet. No serial gateway should be directly reachable from the public internet. Put management interfaces behind a VPN or jump host and restrict access to known administrative IPs.
  • Hunt before you assume you are clean. The deadline is the patch date, not the compromise date. Review web and authentication logs on these devices for anomalous failed-login activity and malformed usernames, and inspect the appliance for unexpected processes or persistence given the root-level access this bug grants.
  • Segment the OT side. Ensure the equipment behind the gateway is isolated so that a compromised device server cannot become a free pass into the wider control network.
  • Inventory the forgotten boxes. Most organizations do not have a clean list of their Lantronix footprint. Find every unit, including the ones a contractor installed years ago, and bring them into your patch program.
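The log review in the "Hunt before you assume you are clean" step, as an added example that is not part of the original article: a small analyzer that runs over failed-login entries and flags two things, usernames carrying shell metacharacters (the signature of the injection path described above) and bursts of failures from one source. The log lines and their format are constructed for the example; the real EDS5000 log format is not given here, so the regex is an assumption to adapt.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log for this example. The EDS5000's real log format is
# not documented here, so LINE_RE below is an assumed format to adapt.
SAMPLE_LOG = """\
2026-06-23T10:01:02Z eds5000 httpd: auth failure user=admin src=10.0.0.5
2026-06-23T10:01:07Z eds5000 httpd: auth failure user=admin src=10.0.0.5
2026-06-23T10:01:11Z eds5000 httpd: auth failure user=admin src=10.0.0.5
2026-06-23T10:02:15Z eds5000 httpd: auth failure user=admin;echo marker src=203.0.113.9
2026-06-23T10:02:16Z eds5000 httpd: auth failure user=$(echo marker) src=203.0.113.9
2026-06-23T10:03:00Z eds5000 httpd: auth success user=operator src=10.0.0.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ httpd: auth (?P<outcome>failure|success) "
    r"user=(?P<user>.*) src=(?P<src>\S+)$"
)
# Characters a shell interprets; none belong in a legitimate username.
SHELL_METACHARS = re.compile(r"[;&|`$<>()\n\r]")
MAX_USERNAME = 32          # longer values are treated as malformed
BURST_THRESHOLD = 3        # failures from one source ...
BURST_WINDOW = timedelta(seconds=60)  # ... inside this window


def analyze_failed_logins(lines):
    """Return injection-looking usernames and brute-force-looking sources."""
    injection_attempts = []
    failures_by_src = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["outcome"] != "failure":
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        user, src = m["user"], m["src"]
        failures_by_src[src].append(ts)
        # Malformed username on the failed-login path: the exact condition the
        # vulnerable logging code would have handed to the shell.
        if SHELL_METACHARS.search(user) or len(user) > MAX_USERNAME:
            injection_attempts.append({"ts": m["ts"], "src": src, "user": user})

    burst_sources = {}
    for src, stamps in failures_by_src.items():
        stamps.sort()
        start = 0
        # Sliding window: flag the source once BURST_THRESHOLD failures fall
        # inside BURST_WINDOW.
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > BURST_WINDOW:
                start += 1
            if end - start + 1 >= BURST_THRESHOLD:
                burst_sources[src] = len(stamps)
                break
    return {"injection_attempts": injection_attempts, "burst_sources": burst_sources}


if __name__ == "__main__":
    report = analyze_failed_logins(SAMPLE_LOG.splitlines())
    for hit in report["injection_attempts"]:
        print("possible injection attempt:", hit)
    for src, n in report["burst_sources"].items():
        print(f"failed-login burst from {src}: {n} failures")
```

On the sample, the two entries from 203.0.113.9 are reported as injection attempts and 10.0.0.5 as a burst source. A metacharacter hit on this device is worth treating as an incident, not a curiosity: the article's point is that the failed login is the exploit, so the log line that records it may be the only trace left before the attacker has root.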

Edge devices like the EDS5000 rarely make headlines until they are already being exploited, which is exactly the pattern playing out across 2026 with fast-moving appliance zero-days like the actively exploited Chrome V8 flaw CVE-2026-11645. The lesson for defenders is to treat every internet-facing serial gateway, VPN concentrator, and firewall as a priority target, not as set-and-forget infrastructure. The attackers already do.
