CVE-2025-67038 – EDS 5000

Key findings

  • We identified an activity cluster in our research honeypot, Chaya_006, targeting Lantronix serial-to-IP converters by exploiting CVE-2025-67038.
  • Exploitation occurred after a patch was released by Lantronix but before public details about the vulnerability were available. The exploited honeypot was not running the latest patched Lantronix firmware.
  • We observed 4,100+ brute force login attempts against devices running OpenWRT between January 28th and June 6th.
  • Approximately 32,000 internet-exposed devices are running OpenWRT LuCI, with publicly-available tools capable of brute forcing them.

This activity highlights how attackers are rapidly weaponizing vulnerabilities in edge and IoT devices—often before public disclosure—while simultaneously targeting widely deployed platforms like OpenWRT at scale.

Mitigation

  • Patch vulnerable Lantronix devices immediately. Lantronix released two firmware updates on February 20th, 2026 to address the issues we disclosed in BRIDGE:BREAK – 2.2.0.0R1 for EDS5000 series.
  • Upgrade other devices running OpenWRT to the latest firmware versions.
  • Replace default credentials, and prohibit weak passwords, to reduce the risk of brute force attacks and exploitation of authenticated vulnerabilities.
  • Segment networks to prevent threat actors from reaching vulnerable devices, such as serial-to-IP converters, or using them to compromise other critical assets.
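
To check whether a device is already seeing the brute force activity described above, the following added example (not code from the original report or from OpenWRT) flags sources with bursts of failed LuCI logins and marks any burst that ends in a successful login. It assumes logread-style lines containing "luci: failed login on ... for ... from ..." and "luci: accepted login ..." messages; the threshold, the window and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log shape (logread output with LuCI login messages); adapt to your source.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d \d{4}) .*luci: "
    r"(?P<result>failed|accepted) login on \S+ for \S+ from (?P<src>\S+)"
)

def detect(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {src: details} for sources with >= threshold failures inside window."""
    recent = defaultdict(list)  # src -> timestamps of failures still inside the window
    alerts = {}
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not a LuCI login event
        ts = datetime.strptime(" ".join(m["ts"].split()), "%a %b %d %H:%M:%S %Y")
        src = m["src"]
        fails = recent[src] = [t for t in recent[src] if ts - t <= window]
        if m["result"] == "failed":
            fails.append(ts)
            if len(fails) >= threshold:
                a = alerts.setdefault(src, {"max_failures": 0, "success_after_burst": False})
                a["max_failures"] = max(a["max_failures"], len(fails))
        elif src in alerts and len(fails) >= threshold:
            # A login that succeeds right after a burst suggests a guessed password.
            alerts[src]["success_after_burst"] = True
            fails.clear()
    return alerts

# Constructed sample lines (documentation IP ranges), not taken from the report.
FAIL = "Tue Mar 10 {t} 2026 daemon.err uhttpd[1701]: luci: failed login on / for root from {ip}"
OK = "Tue Mar 10 {t} 2026 daemon.info uhttpd[1701]: luci: accepted login on / for root from {ip}"
SAMPLE = (
    [FAIL.format(t=f"02:14:{s:02d}", ip="203.0.113.7") for s in range(0, 60, 10)]
    + [OK.format(t="02:15:05", ip="203.0.113.7")]              # burst, then success
    + [FAIL.format(t="08:30:00", ip="198.51.100.20"),          # one mistyped password
       OK.format(t="08:30:20", ip="198.51.100.20")]
    + [FAIL.format(t=f"{h}:00:00", ip="192.0.2.50") for h in range(10, 15)]  # too slow
)

if __name__ == "__main__":
    for src, info in detect(SAMPLE).items():
        print(src, info)
```

A source flagged with success_after_burst set should be treated as a likely credential compromise: rotate the password and review the device configuration, in addition to blocking the source.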

Questions

Contact our team with any questions or concerns at [email protected]