CVE-2025-67035
CriticalCVSS 9.8Exploitation Probability (EPSS)
Low risk27th percentile - higher than 27% of all known CVEs
Summary
An OS command injection vulnerability was found in Lantronix EDS5000 version 2.1.0.0R3 affecting SSH Client and SSH Server pages. Missing input sanitization allows an attacker to inject arbitrary commands when deleting objects like server keys, users, and known hosts. Commands execute with root privileges.
Risk Assessment
An attacker can gain full remote control of the device, compromising network confidentiality, integrity, and availability, and potentially using the device as a pivot for further attacks.
Recommendation
Immediately update the Lantronix EDS5000 firmware to the latest patched version. Until then, restrict management interface access to trusted networks only.
Original NVD description (English source)
An issue was discovered in Lantronix EDS5000 2.1.0.0R3. The SSH Client and SSH Server pages are affected by multiple OS injection vulnerabilities due to missing sanitization of input parameters. An attacker can inject arbitrary commands in delete actions of various objects, such as server keys, users, and known hosts. Commands are executed with root privileges.

