CRITICAL🇵🇱 Wersja polska

CVE-2025-70082

CVSS 9.8v3.1pub. 2026-03-11upd. 2026-07-05

An issue in Lantronix EDS3000PS v.3.1.0.0R2 allows an attacker to execute arbitrary code and obtain sensitive information via the ltrx_evo component

🤖 AI Analysis
How it works

The vulnerability concerns the ltrx_evo component embedded in the Lantronix EDS3000PS device firmware. The vulnerability includes command injection (CWE-78), authentication mechanism bypass (CWE-288), and improper password verification (CWE-620). An attacker without network authentication can send a specially crafted request that leads to execution of arbitrary system commands on the device.

Impact

An attacker can gain full control over the device through remote code execution (RCE) and steal sensitive information stored or processed by the device. The consequences include breach of confidentiality, integrity, and system availability.

Mitigation & patch

Apply patches available from the manufacturer according to references. It is recommended to follow the CISA ICS Advisory message ICSA-26-069-02 at https://www.cisa.gov/news-events/ics-advisories/icsa-26-069-02 for detailed update instructions. Until the patch is implemented, restrict network access to Lantronix EDS3000PS devices using firewall or network segmentation.

Who is affected

Lantronix EDS3000PS firmware version 3.1.0.0R2 (products: EDS3016PS1NS, EDS3008PS1NS)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Lantronix Eds3008ps1ns

    HW
    Lantronix
    wszystkie wersje
  • Lantronix Eds3008ps1ns Firmware

    OS
    Lantronix
    3.1.0.0r2
  • Lantronix Eds3016ps1ns

    HW
    Lantronix
    wszystkie wersje
  • Lantronix Eds3016ps1ns Firmware

    OS
    Lantronix
    3.1.0.0r2
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCECommand Injection
CWE
References

Related vulnerabilities

CVE-2025-67039CRITICAL9.1PL ✓ten sam produkt

Pominięcie uwierzytelnienia w urządzeniach Lantronix EDS3000PS

CVE-2025-67041CRITICAL9.8PL ✓ten sam produkt

Command injection w parametrze host klienta TFTP urządzeń Lantronix EDS3000PS

CVE-2025-67038CRITICAL9.8⚠ KEVPL ✓ten sam vendor

Command injection w Lantronix EDS5000 – wykonanie poleceń jako root

CVE-2025-67035CRITICAL9.8PL ✓ten sam vendor

OS command injection w Lantronix EDS5000 — wykonanie kodu jako root

CVE-2021-21872CRITICAL9.9ten sam vendor

An OS command injection vulnerability exists in the Web Manager Diagnostics: Traceroute functionality of Lantr...