ctipilot.ch

CVE-2025-67038 — Lantronix EDS5000 serial-to-IP converter: unauthenticated OS command injection to root, first BRIDGE:BREAK flaw added to CISA KEV

From CTI Daily Brief — 2026-06-24 · published 2026-06-24

CVE-2025-67038 (CVSS 9.8) is an OS command-injection flaw in the Lantronix EDS5000-series serial-to-IP device servers (EDS5008/5016/5032): the HTTP management interface concatenates an unsanitised request parameter into a shell command, letting an unauthenticated remote attacker execute commands as root. It is one of the 22 vulnerabilities Forescout Vedere Labs disclosed in April 2026 as BRIDGE:BREAK, covering Lantronix and Silex serial-to-Ethernet converters (Forescout Vedere Labs, 2026-04-21; SecurityWeek, 2026-04-20).

CISA added CVE-2025-67038 to its Known Exploited Vulnerabilities catalog on 2026-06-23 — the first confirmed in-the-wild exploitation of any BRIDGE:BREAK CVE, which makes it a priority for any operator who deferred the April advisory. EDS5000 units bridge legacy serial OT/ICS equipment (PLCs, relays, meters) onto IP networks, so a compromise yields a foothold adjacent to field devices, not just the converter. Forescout's disclosure cites fixed firmware 2.0.0R1 for the EDS5000 series; because the KEV-era advisory references later builds (see § 7), confirm the running firmware against Lantronix's current advisory rather than a single version number.

Maps to T1190 (Exploit Public-Facing Application). Mitigations: patch to the current EDS5000 firmware, replace default credentials, and segment serial-to-IP converters off any internet-reachable or flat OT segment; hunt management-interface auth logs for shell metacharacters in request fields and unexpected scans of TCP/80/443 on these devices.
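The log hunt suggested above, as an added example that is not part of the brief or of any Lantronix or Forescout tooling: it parses constructed Common-Log-Format-style lines (the `/cgi-bin/config` path and `name`/`ip` parameters are hypothetical placeholders, not the real EDS5000 endpoint), percent-decodes each request parameter repeatedly so that double-encoded values still surface, and flags any value carrying a shell metacharacter.

```python
"""Flag management-interface request parameters that contain shell metacharacters."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Characters that let a parameter value break out of a shell command string.
SHELL_META = re.compile(r"[;|&`$(){}<>\n]")

# Common Log Format: src ident user [timestamp] "METHOD target proto" status size
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample lines for this example; not real EDS5000 logs.
SAMPLE_LOG = """\
10.0.0.5 - - [23/Jun/2026:08:01:12 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.5 - admin [23/Jun/2026:08:02:40 +0000] "POST /cgi-bin/config?name=eds-lab&ip=10.0.0.9 HTTP/1.1" 200 128
198.51.100.7 - - [23/Jun/2026:08:03:01 +0000] "GET /cgi-bin/config?name=x%3Bid HTTP/1.1" 200 128
198.51.100.7 - - [23/Jun/2026:08:03:02 +0000] "GET /cgi-bin/config?name=x%2526id HTTP/1.1" 200 128
"""


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable so a double-encoded %2526 still shows up as '&'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(target: str) -> list[tuple[str, str]]:
    """Return (name, decoded value) pairs whose value contains a shell metacharacter."""
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        decoded = fully_decode(value)  # parse_qsl already decoded once
        if SHELL_META.search(decoded):
            hits.append((name, decoded))
    return hits


def hunt(log_text: str) -> list[dict]:
    """Scan every parseable line; keep those with at least one suspicious parameter."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and (hits := suspicious_params(m["target"])):
            findings.append({"src": m["src"], "user": m["user"],
                             "target": m["target"], "params": hits})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f['src']} user={f['user']} {f['target']} -> {f['params']}")
```

Run it against an export of the converter's HTTP access or auth log; hits from an unauthenticated user (`-`) against the management interface are the ones to triage first.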