CVE-2025-67038, an unauthenticated OS command injection vulnerability in the Lantronix EDS5000 serial-to-Ethernet device server, is actively exploited in the wild and listed in CISA’s KEV catalog with a June 26, 2026 remediation deadline for FCEB agencies. Successful exploitation grants root-level control of devices that sit at the OT/IT boundary, providing attackers with a foothold into connected legacy serial infrastructure. A related flaw (CVE-2025-67041) affects the EDS3000PS with similar RCE characteristics, suggesting a shared vulnerability pattern across the EDS product family.

Author

Tech Jacks Solutions