CVE-2025-67038 is a CISA KEV-confirmed, actively exploited OS command injection flaw in the Lantronix EDS5000 serial-to-Ethernet device server, with a CISA remediation deadline of June 26, 2026 — today. The vulnerability allows unauthenticated remote attackers to execute arbitrary OS commands with root privileges via the device’s HTTP RPC module, achieving full device takeover. Organizations running EDS5000 units as OT or ICS network bridges face immediate risk of device compromise, serial-connected equipment manipulation, and lateral movement into operational technology networks.