The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning that attackers are actively exploiting a critical security flaw affecting Lantronix EDS5000 Series devices and has directed Federal Civilian Executive Branch agencies to install the available security updates by June 26, 2026. The vulnerability, tracked as CVE-2025-67038 and assigned a CVSS severity score of 9.8, is a command injection flaw that allows attackers to execute arbitrary operating system commands with root-level privileges. According to the vulnerability description, the issue exists in the HTTP Remote Procedure Call module, where failed authentication attempts trigger a shell command that writes log entries. Because the supplied username is appended directly to that command without input validation or sanitization, attackers can inject operating system commands through the username field and have them executed with elevated privileges. The flaw was originally disclosed by Forescout Research Vedere Labs in April 2026 as part of a broader collection of vulnerabilities known as BRIDGE BREAK, which affected serial-to-IP converter products manufactured by Lantronix and Silex. Although CISA confirmed active exploitation, the agency has not disclosed details about the threat actors responsible or the specific attacks observed.
The warning comes as CISA also confirmed active exploitation of three maximum-severity vulnerabilities affecting Ubiquiti UniFi OS devices. The flaws, tracked as CVE-2026-34908, CVE-2026-34909, and CVE-2026-34910, can be chained together to achieve remote code execution and full root access on vulnerable systems. Security researchers previously demonstrated that the three vulnerabilities could be exploited together in a single request to obtain a reverse shell with complete administrative privileges. Ubiquiti released patches addressing these issues during the previous month. Belgium’s Centre for Cybersecurity warned that successful exploitation of the UniFi OS vulnerabilities could enable attackers to make unauthorized configuration changes, access sensitive files, disclose confidential information, execute arbitrary commands, and potentially move laterally throughout connected enterprise networks. Because UniFi OS devices frequently serve as centralized network management platforms, researchers cautioned that compromising these systems could significantly impact the confidentiality, integrity, and availability of enterprise environments. Separate reports also indicated that attackers have already used the remote code execution chain to deploy commodity malware on vulnerable devices.
Forescout Research Vedere Labs has since released additional findings showing that exploitation attempts against the Lantronix vulnerability began as early as April 5, 2026, more than two weeks before the BRIDGE BREAK research was publicly disclosed but after Lantronix had already released patches on February 20. According to the researchers, this timeline suggests attackers may have reverse-engineered the vendor’s security update to develop a working exploit instead of relying on publicly available technical details. Forescout attributed the activity to a threat actor it tracks as Chaya_006, which targeted internet-connected honeypot systems using crafted requests directed at the “/cgi-bin/luci/rpc/auth” endpoint. Attackers attempted to inject operating system commands through specially crafted authentication requests between April 5 and June 3, 2026. Researchers explained that the vulnerability exists because the LuCI HTTP JSON-RPC authentication module generates log entries after failed login attempts by passing unsanitized username values directly to the operating system through an execution function. This implementation flaw enables attackers to execute arbitrary commands with root privileges simply by manipulating the username field during authentication attempts.
In addition to exploitation of the command injection vulnerability, Forescout identified a separate campaign targeting OpenWrt LuCI authentication interfaces between January 28 and June 6, 2026. Researchers recorded more than 4,100 brute-force login attempts against Lantronix and other internet-facing honeypot systems, with attackers repeatedly testing four common usernames alongside more than 200 password combinations. Internet scanning data collected through Shodan indicates that approximately 31,850 OpenWrt LuCI devices remain accessible from the public internet, including around 5,000 systems identified as honeypots. Security researchers advised organizations using affected Lantronix products to immediately install the available patches, replace default credentials, enforce strong and unique passwords, and implement network segmentation to reduce the risk of unauthorized access and limit potential lateral movement within enterprise environments. These recommendations are intended to reduce exposure as attackers continue targeting vulnerable network infrastructure devices through both software vulnerabilities and credential-based attacks.
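As an added illustration of how a defender could triage the two activity patterns described above (username-field command injection against the LuCI auth endpoint, and brute-force logins with common usernames), the following Python script scans constructed authentication log records and flags both. It is not Forescout's or Lantronix's code; the JSON record layout, the threshold, and the username list are assumptions made for the example.

```python
import json
import re
from collections import Counter

AUTH_ENDPOINT = "/cgi-bin/luci/rpc/auth"
# Characters that terminate or chain a shell command; a legitimate username never needs them.
SHELL_META = re.compile(r"[;&|`$()<>\n'\"\\]")
BRUTE_FORCE_THRESHOLD = 5                               # assumed: failed logins per source before alerting
COMMON_USERNAMES = {"root", "admin", "user", "guest"}   # assumed list of default usernames to watch

# Constructed sample records (one JSON object per line); not real telemetry.
SAMPLE_LOG = """
{"ts":"2026-04-05T01:02:03Z","src":"198.51.100.7","path":"/cgi-bin/luci/rpc/auth","user":"root;id","result":"fail"}
{"ts":"2026-04-05T01:02:04Z","src":"198.51.100.7","path":"/cgi-bin/luci/rpc/auth","user":"admin`id`","result":"fail"}
{"ts":"2026-04-06T09:00:00Z","src":"203.0.113.9","path":"/cgi-bin/luci/rpc/auth","user":"root","result":"fail"}
{"ts":"2026-04-06T09:00:01Z","src":"203.0.113.9","path":"/cgi-bin/luci/rpc/auth","user":"root","result":"fail"}
{"ts":"2026-04-06T09:00:02Z","src":"203.0.113.9","path":"/cgi-bin/luci/rpc/auth","user":"admin","result":"fail"}
{"ts":"2026-04-06T09:00:03Z","src":"203.0.113.9","path":"/cgi-bin/luci/rpc/auth","user":"user","result":"fail"}
{"ts":"2026-04-06T09:00:04Z","src":"203.0.113.9","path":"/cgi-bin/luci/rpc/auth","user":"guest","result":"fail"}
{"ts":"2026-04-06T09:10:00Z","src":"192.0.2.20","path":"/cgi-bin/luci/rpc/auth","user":"operator","result":"ok"}
{"ts":"2026-04-06T09:11:00Z","src":"192.0.2.21","path":"/cgi-bin/luci/","user":"","result":"ok"}
"""

def parse_records(text):
    """Parse one JSON record per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def find_injection_attempts(records):
    """Auth requests whose username carries shell metacharacters (the CVE-2025-67038 pattern)."""
    return [(r["src"], r["user"]) for r in records
            if r["path"] == AUTH_ENDPOINT and SHELL_META.search(r["user"])]

def find_brute_force_sources(records, threshold=BRUTE_FORCE_THRESHOLD):
    """Sources with at least `threshold` failed logins using common default usernames."""
    fails = Counter(r["src"] for r in records
                    if r["path"] == AUTH_ENDPOINT
                    and r["result"] == "fail"
                    and r["user"] in COMMON_USERNAMES)
    return sorted(src for src, n in fails.items() if n >= threshold)

def analyze(text=SAMPLE_LOG):
    """Run both detections over a log text and return the findings."""
    recs = parse_records(text)
    return {"injection": find_injection_attempts(recs),
            "brute_force": find_brute_force_sources(recs)}

if __name__ == "__main__":
    print(json.dumps(analyze(), indent=2))
```

Feeding real device or reverse-proxy logs through `parse_records` only requires mapping their fields onto the assumed `src`, `path`, `user` and `result` keys.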