{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2025-67041", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-03-11T19:22:40.528Z", "dateReserved": "2025-12-08T00:00:00.000Z", "datePublished": "2026-03-11T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-11T16:19:51.641Z"}, "descriptions": [{"lang": "en", "value": "An issue was discovered in Lantronix EDS3000PS 3.1.0.0R2. The host parameter of the TFTP client in the Filesystem Browser page is not properly sanitized. This can be exploited to escape from the original command and execute an arbitrary one with root privileges."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "http://lantronix.com"}, {"url": "http://eds3000ps.com"}, {"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-069-02"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-78", "lang": "en", "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-288", "lang": "en", "description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-620", "lang": "en", "description": "CWE-620 Unverified Password Change"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-11T19:21:51.947867Z", "id": "CVE-2025-67041", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T19:22:40.528Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2025-67041", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-03-11T19:22:40.528Z", "dateReserved": "2025-12-08T00:00:00.000Z", "datePublished": "2026-03-11T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-11T16:19:51.641Z"}, "descriptions": [{"lang": "en", "value": "An issue was discovered in Lantronix EDS3000PS 3.1.0.0R2. The host parameter of the TFTP client in the Filesystem Browser page is not properly sanitized. This can be exploited to escape from the original command and execute an arbitrary one with root privileges."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "http://lantronix.com"}, {"url": "http://eds3000ps.com"}, {"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-069-02"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-67041", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-11T19:21:51.947867Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-288", "description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-620", "description": "CWE-620 Unverified Password Change"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T19:14:46.412Z"}}]}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:lantronix:eds3016ps1ns_firmware:3.1.0.0:r2:*:*:*:*:*:*", "matchCriteriaId": "7E17D9A3-EC74-42A2-B843-A877EF4D5AF5", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:lantronix:eds3016ps1ns:-:*:*:*:*:*:*:*", "matchCriteriaId": "8AA79DF0-DBD7-46EA-AFD1-62C0A570DBBF", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:lantronix:eds3008ps1ns_firmware:3.1.0.0:r2:*:*:*:*:*:*", "matchCriteriaId": "F4140D69-4C70-4C1B-B533-578824E0081F", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:lantronix:eds3008ps1ns:-:*:*:*:*:*:*:*", "matchCriteriaId": "B1227ACA-94C1-4532-84AD-0F5495CCFE3F", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in Lantronix EDS3000PS 3.1.0.0R2. The host parameter of the TFTP client in the Filesystem Browser page is not properly sanitized. This can be exploited to escape from the original command and execute an arbitrary one with root privileges."}, {"lang": "es", "value": "Se descubri\u00f3 un problema en Lantronix EDS3000PS 3.1.0.0R2. El par\u00e1metro host del cliente TFTP en la p\u00e1gina del navegador de archivos no se sanea correctamente. Esto puede explotarse para escapar del comando original y ejecutar uno arbitrario con privilegios de root."}], "id": "CVE-2025-67041", "lastModified": "2026-03-19T20:09:32.663", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-11T17:16:52.243", "references": [{"source": "cve@mitre.org", "tags": ["Not Applicable"], "url": "http://eds3000ps.com"}, {"source": "cve@mitre.org", "tags": ["Product"], "url": "http://lantronix.com"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-069-02"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}, {"lang": "en", "value": "CWE-288"}, {"lang": "en", "value": "CWE-620"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "3.1.0.0R2"}}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "eds3000ps", "vendor": "lantronix"}], "analysis": {"en": {"generated_at": "2026-03-19T21:53:54.471771+00:00", "value": {"mitigation_remediation": ["Apply the latest firmware update that addresses the TFTP host parameter sanitization flaw; if no patch is available, obtain an updated firmware from Lantronix.", "If immediate firmware update is not possible, disable the TFTP client feature within the Filesystem Browser page or restrict its use to trusted IP addresses.", "Limit access to the web interface by implementing network segmentation or firewall rules to allow only trusted management hosts.", "Monitor device logs for anomalous command execution attempts and review any suspicious activity promptly."], "summary": {"action": "Patch Immediately", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Affected systems include Lantronix EDS3008PS1NS and EDS3016PS1NS devices running firmware version 3.1.0.0 R2. No other models or firmware are listed as impacted.", "description_and_impact": "An improper sanitization of the host parameter in the TFTP client on Lantronix EDS3000PS firmware 3.1.0.0 R2 allows an attacker to inject and execute arbitrary commands with root privileges, constituting a remote code execution vulnerability. The weakness is identified as CWE-288, CWE-620, and CWE-78. The potential impact is that a compromised device could deliver any payload to the host system, jeopardizing the confidentiality, integrity, and availability of the entire connected network.", "risk_and_exploitability": "The CVSS score of 9.8 indicates critical severity. The EPSS score of less than 1% suggests exploitable code is not widely observed today, and the vulnerability is not present in the CISA KEV catalog. It is likely exploitable remotely via the web interface\u2019s TFTP client; an attacker with network access to the device\u2019s web interface can supply a crafted host parameter to trigger the exploit. Because the vulnerability grants root privileges without additional prerequisites, the risk for an attacker with web access is high."}}}}, "created": "2026-03-12T10:06:34.651261+00:00", "title": "Lantronix EDS3000PS TFTP Command Injection Exploit", "updated": "2026-03-20T14:33:48.476183+00:00", "vendors": ["lantronix", "lantronix$PRODUCT$eds3000ps"]}