CVE-2025-67038 – Lantronix EDS5000 / UniFi OS Server
“When critical vulnerabilities are actively exploited, every unpatched system becomes a potential target.”
Security updates address four critical vulnerabilities affecting Lantronix EDS5000 and UniFi OS Server. CVE-2025-67038 has a CVSS score of 9.8, which is Critical severity. It allows command injection through the HTTP RPC authentication process, enabling arbitrary operating system commands to execute with root privileges. CVE-2026-34908 has a CVSS score of 10.0, which is Critical severity and addresses an improper access control vulnerability that could allow unauthorized changes to UniFi OS systems. CVE-2026-34909 has a CVSS score of 10.0, which is Critical severity and addresses a path traversal vulnerability that could expose and manipulate sensitive system files. CVE-2026-34910 has a CVSS score of 10.0, which is Critical severity and addresses an improper input validation vulnerability that can result in command injection.
These vulnerabilities are reported as being under active exploitation, significantly increasing the operational risk to exposed devices. Organizations should prioritize deployment of the available security updates to reduce the risk of system compromise and unauthorized administrative access.
Key Details
- Affected Product
- Lantronix Eds5032 Firmware
- Attack Vector
- Network
- Attack Complexity
- Low
- Privileges Required
- None
- User Interaction
- None
- CWE Classification
- CWE-94