CVE-2025-67038, a CVSS 9.8 OS command injection in the Lantronix EDS5000 serial-to-Ethernet device server, is confirmed under active exploitation and listed in the CISA KEV catalog with a federal remediation deadline of June 26, 2026. An unauthenticated remote attacker can inject arbitrary shell commands via the device’s username parameter, achieving root-level control of the unit and gaining direct access to any serial-connected industrial or legacy equipment. These devices sit at the OT/IT convergence boundary, so the impact of exploitation is not confined to the device itself.