CVE-2025-67038 is a critical OS command injection vulnerability in the Lantronix EDS5000 serial device server, listed in the CISA KEV catalog. It allows unauthenticated attackers to execute arbitrary commands as root through the username parameter of the authentication interface. With active exploitation confirmed by CISA and a remediation due date of June 26, 2026, organizations running EDS5000 units in OT, industrial, or network management environments are past the acceptable response window.