The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday warned of active exploitation of a critical security flaw impacting Lantronix EDS5000 Series devices, urging Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by June 26, 2026.
The vulnerability in question is CVE-2025-67038 (CVSS score: 9.8), a code injection flaw that could result in the execution of arbitrary commands with elevated privileges.
"The HTTP RPC module executes a shell command to write logs when the user's authentication fails," according to the vulnerability's description on CVE.org. "The username is directly concatenated with the command without any sanitization. This allows attackers to inject arbitrary OS commands into the username parameter. Injected commands are executed with root privileges."
The security flaw was disclosed by Forescout Research Vedere Labs in April 2026 as part of a broader set of vulnerabilities collectively codenamed BRIDGE:BREAK that impacted serial-to-IP converters from Lantronix and Silex. There are currently no details on how the vulnerability is being exploited, or who is behind the efforts.
The disclosure comes as CISA also confirmed active exploitation of three maximum-severity security defects in Ubiquiti UniFi OS, days after Defused Cyber said it detected in-the-wild abuse of the remote code execution chain comprising CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910 to deploy commodity malware.
- CVE-2026-34908 - An improper input validation vulnerability that could allow a malicious actor with access to the network to conduct command injection.
- CVE-2026-34909 - A path traversal vulnerability that could allow a malicious actor with access to the network to access files on the underlying system that could be manipulated to access an underlying account.
- CVE-2026-34910 - An improper access control vulnerability that could allow a malicious actor with access to the network to make unauthorized changes to the system.
Earlier this month, Bishop Fox detailed a proof-of-concept (PoC) that chains together the three shortcomings to obtain a reverse shell with full root privileges in a single request. Patches for the flaws were released by Ubiquiti late last month.
"The vulnerabilities could allow remote attackers to make unauthorized system changes, access sensitive files, disclose information, or execute arbitrary commands on vulnerable systems, highly impacting the confidentiality, integrity, and availability of targeted devices," Belgium's Centre for Cybersecurity said.
"Given that UniFi OS devices are often centrally integrated into networks, successful compromise could enable lateral movement and broader network compromise."
Lantronix Flaw Exploited as an N-Day
In a new report published on June 25, 2026, Forescout Research Vedere Labs said it observed a threat actor it calls Chaya_006 targeting its honeypots by exploiting CVE-2025-67038 as far back as April 5, a little more than two weeks before the BRIDGE:BREAK flaws were publicly disclosed by the operational technology security company, but after they were patched by Lantronix on February 20.
"This means the attackers did not use information from our report, but may have reverse-engineered the patch to build an exploit," the company said. "That exploit was part of a cluster of activity focusing on Lantronix that also included other reconnaissance actions."
The attack activity originated from the IP addresses "38.207.136[.]2" and "218.13.42[.]36," with the threat actors attempting to inject arbitrary commands by sending crafted requests to the "/cgi-bin/luci/rpc/auth" endpoint. The exploit attempts took place between April 5 and June 3, 2026.
"This specific vulnerability happens because LuCI's HTTP JSON-RPC module on affected devices writes a log entry after failed authentication attempts," Forescout added. "The username is concatenated into the log string without input sanitization, and the log string is then executed on the system using os.execute. This can allow attackers to execute commands as root by injecting these commands into the username parameter of an authentication attempt on cgi-bin/luci/rpc/auth."
Separately, the cybersecurity company said it detected a parallel set of exploit attempts between January 28 and June 6, 2026, that targeted Lantronix and other honeypots with over 4,100 brute-force attempts against OpenWRT LuCI credentials. Four usernames and over 200 different password combinations were attempted as part of these attacks.
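Detection logic for the two honeypot observations above (usernames carrying shell metacharacters sent to /cgi-bin/luci/rpc/auth, and credential brute-forcing against the same endpoint), written here as an added example; it is not code from Forescout, Lantronix or the LuCI project. It assumes the LuCI JSON-RPC login request body has the shape `{"method": "login", "params": [username, password]}`, and it runs over constructed request records rather than captured traffic.

```python
"""Flag CVE-2025-67038-style injection attempts and LuCI credential
brute-forcing in HTTP request records.

Added example, not vendor or researcher code. The request records and the
JSON-RPC body shape are constructed for the example: the auth endpoint is
assumed to take {"method": "login", "params": [username, password]}.
"""
import json
import re
from collections import defaultdict

AUTH_PATH = "/cgi-bin/luci/rpc/auth"

# Characters that break out of a shell command when the username is
# concatenated into it unescaped, which is the root cause described above.
SHELL_META = re.compile(r"[;&|`$<>\n\r]|\$\(|\{")
# Shape of a legitimate OpenWrt/Linux account name (POSIX portable username
# rules); anything else deserves a second look even without metacharacters.
VALID_USERNAME = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def parse_login(record):
    """Return (username, password) for a JSON-RPC login to the auth endpoint,
    or None for anything else (other paths, malformed JSON, other methods)."""
    if record.get("path") != AUTH_PATH:
        return None
    try:
        body = json.loads(record.get("body") or "")
    except ValueError:
        return None
    if not isinstance(body, dict) or body.get("method") != "login":
        return None
    params = body.get("params")
    if not isinstance(params, list) or len(params) < 2:
        return None
    user, password = params[0], params[1]
    if not isinstance(user, str) or not isinstance(password, str):
        return None
    return user, password


def looks_like_injection(username):
    """True when the username contains shell metacharacters or is not a
    plausible account name at all."""
    return bool(SHELL_META.search(username)) or not VALID_USERNAME.match(username)


def analyze(records, brute_threshold=20):
    """Scan request records and return two findings.

    injection: list of (src, username) whose username looks like a payload.
    brute_force: {src: distinct credential pairs tried} for sources with at
    least brute_threshold login attempts against the auth endpoint.
    """
    injection = []
    attempts = defaultdict(int)
    creds = defaultdict(set)
    for rec in records:
        parsed = parse_login(rec)
        if parsed is None:
            continue
        user, pw = parsed
        src = rec.get("src", "?")
        attempts[src] += 1
        creds[src].add((user, pw))
        if looks_like_injection(user):
            injection.append((src, user))
    brute = {src: len(creds[src]) for src, n in attempts.items() if n >= brute_threshold}
    return {"injection": injection, "brute_force": brute}


def make_login_record(src, user, pw):
    """Build one constructed request record for the sample traffic below."""
    return {"src": src, "path": AUTH_PATH,
            "body": json.dumps({"id": 1, "method": "login", "params": [user, pw]})}


# Constructed sample traffic (not real honeypot data): one source cycling
# through 25 passwords for "root", one source sending a username with a
# command separator, and unrelated requests that must be ignored.
SAMPLE_REQUESTS = (
    [make_login_record("192.0.2.10", "root", f"pass{i}") for i in range(25)]
    + [make_login_record("198.51.100.7", "root;id", "x")]
    + [make_login_record("203.0.113.5", "admin", "admin")]
    + [{"src": "203.0.113.5", "path": "/cgi-bin/luci/", "body": ""},
       {"src": "203.0.113.5", "path": AUTH_PATH, "body": "not json"}]
)

if __name__ == "__main__":
    print(analyze(SAMPLE_REQUESTS))
```

The brute-force check counts attempts rather than failures because the sample records carry no response outcome; on a production box you would key on the authentication result as well and lower the threshold for an endpoint that legitimate users touch a handful of times a day.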
A search on Shodan shows about 31,850 internet-exposed devices currently running OpenWRT LuCI, of which about 5,000 are flagged as honeypots. Organizations are advised to apply the patches for Lantronix devices immediately, replace default credentials, avoid weak passwords, and enforce network segmentation so that serial-to-IP converters are not reachable from untrusted networks.
(The story was updated after publication on June 26, 2026, to include insights from Forescout.)