CVE Catalog

CVE-2025-67035

CriticalCVSS 9.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.35%

27th percentile - higher than 27% of all known CVEs

Summary

An OS command injection vulnerability was found in Lantronix EDS5000 version 2.1.0.0R3 affecting SSH Client and SSH Server pages. Missing input sanitization allows an attacker to inject arbitrary commands when deleting objects like server keys, users, and known hosts. Commands execute with root privileges.

Risk Assessment

An attacker can gain full remote control of the device, compromising network confidentiality, integrity, and availability, and potentially using the device as a pivot for further attacks.

Recommendation

Immediately update the Lantronix EDS5000 firmware to the latest patched version. Until then, restrict management interface access to trusted networks only.

Original NVD description (English source)

An issue was discovered in Lantronix EDS5000 2.1.0.0R3. The SSH Client and SSH Server pages are affected by multiple OS injection vulnerabilities due to missing sanitization of input parameters. An attacker can inject arbitrary commands in delete actions of various objects, such as server keys, users, and known hosts. Commands are executed with root privileges.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS