lantronix 関連製品全体の CVE とセキュリティ脆弱性情報を集約し、CVSS、EPSS、公開日、脆弱性情報データを掲載しています。
過去の問題は主に パス処理の欠陥 and バッファオーバーフロー などに関し、一部は アプリケーションクラッシュ を招き、vendor surface software deployment and vendor surface production workloads 関連の場面に影響します。
掲載データは公開脆弱性情報とセキュリティ公告に基づき、過去の暴露面と修補優先度の評価に利用できます。
| CVE | 概要 | ソース | CVSS 最大値 | EPSS(%) | 公開 | 更新 |
|---|---|---|---|---|---|---|
| CVE-2025-70082 | An issue in Lantronix EDS3000PS v.3.1.0.0R2 allows an attacker to execute arbitrary code and obtain sensitive information via the ltrx_evo component | [email protected] | 9.8 | 0.50% | 2026-03-11 | 2026-06-23 |
| CVE-2025-67041 | An issue was discovered in Lantronix EDS3000PS 3.1.0.0R2. The host parameter of the TFTP client in the Filesystem Browser page is not properly sanitized. This can be exploited to escape from the original command and execute an arbitrary one with root privileges. | [email protected] | 9.8 | 0.43% | 2026-03-11 | 2026-06-23 |
| CVE-2025-67039 | An issue was discovered in Lantronix EDS3000PS 3.1.0.0R2. The authentication on management pages can be bypassed by appending a specific suffix to the URL and by sending an Authorization header that uses "admin" as the username. | [email protected] | 9.1 | 0.39% | 2026-03-11 | 2026-06-23 |
| CVE-2025-67038 KEV | An issue was discovered in Lantronix EDS5000 2.1.0.0R3. The HTTP RPC module executes a shell command to write logs when user's authantication fails. The username is directly concatenated with the command without any sanitization. This allow attackers to inject arbitrary OS commands into the username parameter. Injected commands are executed with root privileges. | [email protected] | 9.8 | 1.13% | 2026-03-11 | 2026-06-24 |
| CVE-2025-67037 | An issue was discovered in Lantronix EDS5000 2.1.0.0R3. An authenticated attacker can inject OS commands into the "tunnel" parameter when killing a tunnel connection. Injected commands are executed with root privileges. | [email protected] | 8.8 | 0.38% | 2026-03-11 | 2026-06-17 |
| CVE-2025-67036 | An issue was discovered in Lantronix EDS5000 2.1.0.0R3. The Log Info page allows users to see log files by specifying their names. Due to a missing sanitization in the file name parameter, an authenticated attacker can inject arbitrary OS commands that are executed with root privileges. | [email protected] | 8.8 | 0.38% | 2026-03-11 | 2026-06-23 |
| CVE-2025-67035 | An issue was discovered in Lantronix EDS5000 2.1.0.0R3. The SSH Client and SSH Server pages are affected by multiple OS injection vulnerabilities due to missing sanitization of input parameters. An attacker can inject arbitrary commands in delete actions of various objects, such as server keys, users, and known hosts. Commands are executed with root privileges. | [email protected] | 9.8 | 0.43% | 2026-03-11 | 2026-06-23 |
| CVE-2025-67034 | An issue was discovered in Lantronix EDS5000 2.1.0.0R3. An authenticated attacker can inject OS commands into the "name" parameter when deleting SSL credentials through the management interface. Injected commands are executed with root privileges. | [email protected] | 8.8 | 0.49% | 2026-03-11 | 2026-06-23 |
| CVE-2023-7237 | Lantronix XPort sends weakly encoded credentials within web request headers. | [email protected] | 5.7 | 0.30% | 2024-01-23 | 2026-06-17 |
| CVE-2021-21896 | A directory traversal vulnerability exists in the Web Manager FsBrowseClean functionality of Lantronix PremierWave 2050 8.9.0.0R4 (in QEMU). A specially crafted HTTP request can lead to arbitrary file deletion. An attacker can make an authenticated HTTP request to trigger this vulnerability. | [email protected] | 6.5 | 2.16% | 2021-12-22 | 2026-06-16 |
| CVE-2021-21895 | A directory traversal vulnerability exists in the Web Manager FsTFtp functionality of Lantronix PremierWave 2050 8.9.0.0R4 (in QEMU). A specially crafted HTTP request can lead to FsTFtp file overwrite. An attacker can make an authenticated HTTP request to trigger this vulnerability. | [email protected] | 7.2 | 2.34% | 2021-12-22 | 2026-06-16 |
| CVE-2021-21894 | A directory traversal vulnerability exists in the Web Manager FsTFtp functionality of Lantronix PremierWave 2050 8.9.0.0R4 (in QEMU). A specially crafted HTTP request can lead to arbitrary file overwrite FsTFtp file disclosure. An attacker can make an authenticated HTTP request to trigger this vulnerability. | [email protected] | 9.1 | 2.40% | 2021-12-22 | 2026-06-16 |
| CVE-2021-21892 | A stack-based buffer overflow vulnerability exists in the Web Manager FsUnmount functionality of Lantronix PremierWave 2050 8.9.0.0R4 (in QEMU). A specially crafted HTTP request can lead to remote code execution. An attacker can make an authenticated HTTP request to trigger this vulnerability. | [email protected] | 9.9 | 30.44% | 2021-12-22 | 2026-06-16 |
| CVE-2021-21891 | A stack-based buffer overflow vulnerability exists in the Web Manager FsBrowseClean functionality of Lantronix PremierWave 2050 8.9.0.0R4 (in QEMU). A specially crafted HTTP request can lead to remote code execution in the vulnerable portion of the branch (deletefile). An attacker can make an authenticated HTTP request to trigger this vulnerability. | [email protected] | 9.1 | 2.99% | 2021-12-22 | 2026-06-16 |
| CVE-2021-21890 | A stack-based buffer overflow vulnerability exists in the Web Manager FsBrowseClean functionality of Lantronix PremierWave 2050 8.9.0.0R4 (in QEMU). A specially crafted HTTP request can lead to remote code execution in the vulnerable portion of the branch (deletedir). An attacker can make an authenticated HTTP request to trigger this vulnerability. | [email protected] | 9.1 | 2.99% | 2021-12-22 | 2026-06-16 |
| CVE-2021-21889 | A stack-based buffer overflow vulnerability exists in the Web Manager Ping functionality of Lantronix PremierWave 2050 8.9.0.0R4 (in QEMU). A specially crafted HTTP request can lead to remote code execution. An attacker can make an authenticated HTTP request to trigger this vulnerability. | [email protected] | 9.9 | 2.84% | 2021-12-22 | 2026-06-16 |
| CVE-2021-21888 | An OS command injection vulnerability exists in the Web Manager SslGenerateCertificate functionality of Lantronix PremierWave 2050 8.9.0.0R4 (in QEMU). A specially crafted HTTP request can lead to arbitrary command execution. An attacker can make an authenticated HTTP request to trigger this vulnerability. | [email protected] | 9.1 | 3.89% | 2021-12-22 | 2026-06-16 |
| CVE-2021-21887 | A stack-based buffer overflow vulnerability exists in the Web Manager SslGenerateCSR functionality of Lantronix PremierWave 2050 8.9.0.0R4 (in QEMU). A specially crafted HTTP request can lead to remote code execution. An attacker can make an authenticated HTTP request to trigger this vulnerability. | [email protected] | 9.1 | 2.99% | 2021-12-22 | 2026-06-16 |
| CVE-2021-21886 | A directory traversal vulnerability exists in the Web Manager FSBrowsePage functionality of Lantronix PremierWave 2050 8.9.0.0R4. A specially crafted HTTP request can lead to information disclosure. An attacker can make an authenticated HTTP request to trigger this vulnerability. | [email protected] | 4.3 | 1.88% | 2021-12-22 | 2026-06-16 |
| CVE-2021-21885 | A directory traversal vulnerability exists in the Web Manager FsMove functionality of Lantronix PremierWave 2050 8.9.0.0R4. A specially crafted HTTP request can lead to local file inclusion. An attacker can make an authenticated HTTP request to trigger this vulnerability. | [email protected] | 7.2 | 2.39% | 2021-12-22 | 2026-06-16 |