Critical OS Command Injection in Lantronix EDS5000 Series

CVE-2025-67038 is a critical OS command injection vulnerability affecting Lantronix EDS5000 series serial-to-Ethernet device servers. An unauthenticated remote attacker can achieve root-level system compromise by injecting arbitrary shell commands via the username parameter. With a CVSS score of 9.8 and confirmed active exploitation in the wild, the flaw enables full device takeover and potential lateral movement into sensitive industrial or management networks. CISA has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, mandating federal remediation by June 26, 2026.

CVE-2026-12850: Critical Command Injection in GeoVision GV-I/O Box

CVE-2026-12850 is a critical OS command injection vulnerability (CWE-78) affecting the GeoVision GV-I/O Box, specifically version 4E 2.09. The flaw resides within the libNetSetObj.so shared object library, which manages network objects. Unauthenticated attackers can execute arbitrary system commands by injecting shell metacharacters into crafted inputs passed to the affected library. Successful exploitation grants full administrative access, enabling unauthorized control over connected physical security hardware, such as electronic locks and alarms, while providing a pivot point for lateral movement into sensitive security VLANs. Immediate firmware updates are required to neutralize this risk.
