CVE-2025-67038 is a critical OS command injection vulnerability in the Lantronix EDS5000 serial device server, listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, that allows unauthenticated remote attackers to execute arbitrary commands as root. The federal remediation deadline is June 26, 2026. A companion RCE vulnerability (CVE-2025-67037) affects the same product, indicating a cluster of critical flaws in this serial-to-IP device line, which is widely used in OT and facility environments.