A critical command injection vulnerability in Lantronix EDS3000PS device servers allows attackers to execute arbitrary commands with root privileges, leading to full device compromise.

The host parameter within the TFTP client on the Filesystem Browser page is not properly sanitized. An attacker can use shell metacharacters to escape the intended command and execute arbitrary system commands with root-level authority on the device.

This vulnerability allows for the complete takeover of the device server. Since these devices often bridge serial equipment to IP networks, a compromise could result in the loss of control over industrial or medical equipment. The CVSS score of 9.8 reflects the extreme severity of achieving root access via a network-based attack.

Immediate Action: Update the Lantronix EDS3000PS firmware to the latest version provided by the vendor.

Proactive Monitoring: Monitor the web management interface for unusual input patterns in the TFTP configuration fields and review system logs for unauthorized root access.

Compensating Controls: Disable the web management interface if not required, or restrict access to the management IP using a dedicated management VLAN and hardware firewall.

Public Exploit Available: false

Root-level command injection poses a terminal risk to device security. It is imperative that all affected Lantronix units are updated immediately. If a patch is not available, the device should be shielded from the network to prevent exploitation.