CVE-2025-67041
CriticalCVSS 9.8Exploitation Probability (EPSS)
Low risk27th percentile - higher than 27% of all known CVEs
Summary
An issue was discovered in Lantronix EDS3000PS version 3.1.0.0R2 where the host parameter of the TFTP client in the Filesystem Browser page is not properly sanitized. This can be exploited to escape from the original command and execute an arbitrary one with root privileges.
Risk Assessment
An attacker can remotely execute arbitrary commands with root privileges, leading to full device compromise and potential network security breach.
Recommendation
Immediately update the device firmware to the latest version that fixes this vulnerability and restrict management interface access to trusted networks only.
Original NVD description (English source)
An issue was discovered in Lantronix EDS3000PS 3.1.0.0R2. The host parameter of the TFTP client in the Filesystem Browser page is not properly sanitized. This can be exploited to escape from the original command and execute an arbitrary one with root privileges.

