CVE-2025-67041

An issue was discovered in Lantronix EDS3000PS 3.1.0.0R2. The host parameter of the TFTP client in the Filesystem Browser page is not properly sanitized. This can be exploited to escape from the original command and execute an arbitrary one with root privileges.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
http://eds3000ps.com	Not Applicable
http://lantronix.com	Product
https://www.cisa.gov/news-events/ics-advisories/icsa-26-069-02	Third Party Advisory US Government Resource

Configurations

Configuration 1 (hide)

AND

cpe:2.3:o:lantronix:eds3016ps1ns_firmware:3.1.0.0:r2:*:*:*:*:*:*

cpe:2.3:h:lantronix:eds3016ps1ns:-:*:*:*:*:*:*:*

Configuration 2 (hide)

AND

cpe:2.3:o:lantronix:eds3008ps1ns_firmware:3.1.0.0:r2:*:*:*:*:*:*

cpe:2.3:h:lantronix:eds3008ps1ns:-:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-03-11 17:16

Updated : 2026-03-19 20:09

NVD link : CVE-2025-67041

Mitre link : CVE-2025-67041

CVE.ORG link : CVE-2025-67041

JSON object : View

Products Affected

lantronix

eds3016ps1ns_firmware
eds3008ps1ns_firmware
eds3008ps1ns
eds3016ps1ns

CWE

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CWE-288

Authentication Bypass Using an Alternate Path or Channel

CWE-620

Unverified Password Change

{"id": "CVE-2025-67041", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2026-03-11T17:16:52.243", "references": [{"url": "http://eds3000ps.com", "tags": ["Not Applicable"], "source": "cve@mitre.org"}, {"url": "http://lantronix.com", "tags": ["Product"], "source": "cve@mitre.org"}, {"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-069-02", "tags": ["Third Party Advisory", "US Government Resource"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-78"}, {"lang": "en", "value": "CWE-288"}, {"lang": "en", "value": "CWE-620"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Lantronix EDS3000PS 3.1.0.0R2. The host parameter of the TFTP client in the Filesystem Browser page is not properly sanitized. This can be exploited to escape from the original command and execute an arbitrary one with root privileges."}, {"lang": "es", "value": "Se descubri\u00f3 un problema en Lantronix EDS3000PS 3.1.0.0R2. El par\u00e1metro host del cliente TFTP en la p\u00e1gina del navegador de archivos no se sanea correctamente. Esto puede explotarse para escapar del comando original y ejecutar uno arbitrario con privilegios de root."}], "lastModified": "2026-03-19T20:09:32.663", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:lantronix:eds3016ps1ns_firmware:3.1.0.0:r2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7E17D9A3-EC74-42A2-B843-A877EF4D5AF5"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:lantronix:eds3016ps1ns:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "8AA79DF0-DBD7-46EA-AFD1-62C0A570DBBF"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:lantronix:eds3008ps1ns_firmware:3.1.0.0:r2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F4140D69-4C70-4C1B-B533-578824E0081F"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:lantronix:eds3008ps1ns:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "B1227ACA-94C1-4532-84AD-0F5495CCFE3F"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "cve@mitre.org"}