
June 29, 2026

Targeting of OpenWrt-derived platforms exposes OT edge gaps


At a glance: Researchers have linked active exploitation of a critical Lantronix vulnerability to a broader trend of adversaries targeting internet-exposed OpenWrt-based edge devices. The activity highlights how routers, gateways, and other edge infrastructure continue to attract reconnaissance, credential attacks, and rapid exploitation because they often provide a pathway into business and operational technology networks. Organizations can reduce exposure by prioritizing patching, limiting access to management interfaces, and improving visibility into internet-facing edge systems.

Threat summary

On June 29, 2026, researchers reported on a campaign involving exploitation of a critical vulnerability affecting Lantronix EDS5000 devices alongside continued reconnaissance and brute-force activity targeting internet-exposed OpenWrt LuCI management interfaces. Researchers observed more than 4,100 brute-force attempts against OpenWrt LuCI systems between January and June 2026 and identified approximately 32,000 internet-exposed devices, demonstrating the scale of exposed edge infrastructure.

On June 23, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the Lantronix EDS5000 vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation. Lantronix EDS5000 devices connect legacy serial equipment such as programmable logic controllers, sensors, and other industrial systems to Internet Protocol (IP) networks. These devices often sit at the edge of operational technology (OT) environments, making them attractive targets for initial access.

CVE-2025-67038 is a critical unauthenticated operating system (OS) command injection vulnerability with a Common Vulnerability Scoring System (CVSS) score of 9.8. The flaw exists in the LuCI HTTP JSONRPC authentication module used in Lantronix’s modified OpenWrt-based firmware. The vulnerability occurs because the username parameter is concatenated into a log string without sanitization, and that string is later executed via `os.execute`, allowing a remote adversary to run commands as root through crafted authentication attempts. Active exploitation was observed alongside reconnaissance and credential attacks targeting LuCI management interfaces.

Successful exploitation provides full control of the affected device, creating opportunities for persistence, access to connected systems, and movement into industrial environments. Because these devices often bridge external and internal networks, a compromise can provide a pathway into operational technology infrastructure.

Researchers also noted previously exploited LuCI-related vulnerabilities, including CVE-2023-1389, a vulnerability that affected TP-Link Archer AX21 routers and was heavily exploited by botnets.

Researchers track the current activity as Chaya_006, a cluster associated with reconnaissance and repeated authentication probes against LuCI RPC endpoints. No public attribution to a specific threat actor has been reported.

Analysis

The Lantronix vulnerability reflects a broader challenge affecting OpenWrt-based edge infrastructure. OpenWrt and its LuCI management interface are widely used in industrial routers, gateways, and networking devices, making them frequent targets for both vulnerability research and exploitation. Because these platforms are deployed across a large number of internet-connected devices, a single vulnerability or exposed management interface can create opportunities to compromise systems across multiple environments.

The risk is not necessarily in OpenWrt itself, but in how vendors customize it. Many manufacturers add their own authentication mechanisms, management features, scripts, and web interfaces on top of the underlying platform. Vulnerabilities often emerge within these custom components, allowing similar issues to appear across products from different vendors that share a common software foundation.

OpenWrt-based devices are commonly deployed at the edge of enterprise and operational technology (OT) networks, where they provide remote access, site connectivity, telemetry collection, and device management. Their position between external and internal networks makes them attractive targets for adversaries seeking initial access, reconnaissance opportunities, persistence, or movement into connected environments. Successful exploitation of CVE-2025-67038 can result in full control of an affected device, while the broader targeting of OpenWrt-based infrastructure highlights continued adversary interest in edge systems that provide connectivity into business and OT networks.

Organizations using Lantronix EDS5000 devices should prioritize deployment of the latest firmware version, released on or after February 20, 2026, which addresses CVE-2025-67038.

Visibility into internet-facing routers, gateways, and other edge devices can help identify affected systems, validate patch levels, and support ongoing vulnerability management.

Strong authentication practices, including the removal of default credentials and the use of robust passwords, can reduce exposure to brute-force activity targeting LuCI management interfaces.

Limiting access to web management interfaces to trusted management networks reduces exposure to both known vulnerabilities and credential attacks.

Network segmentation can help contain the impact of a compromised edge device, while monitoring for repeated authentication attempts, unusual administrative activity, and unexpected HTTP Remote Procedure Call (RPC) requests can provide early visibility into reconnaissance, brute-force activity, and exploitation attempts targeting OpenWrt-derived systems.
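As an added illustration of the monitoring guidance above (not code from the original advisory, from Lantronix, or from the OpenWrt project), the following Python script parses constructed uhttpd-style access-log lines, flags LuCI JSON-RPC requests arriving from outside an assumed trusted management network, and raises an alert when a single source accumulates repeated failed calls to the RPC auth endpoint within a short window. The `/cgi-bin/luci/rpc/` path prefix, the log format, the sample addresses and the `192.0.2.0/24` management range are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed uhttpd-style access-log lines (not real telemetry): 203.0.113.7 hammers the
# LuCI JSON-RPC auth endpoint, 192.0.2.10 is a normal admin session from the assumed
# management network, and 198.51.100.4 touches another RPC endpoint from outside it.
SAMPLE_LOG = """\
203.0.113.7 - - [29/Jun/2026:10:00:01 +0000] "POST /cgi-bin/luci/rpc/auth HTTP/1.1" 403 27
203.0.113.7 - - [29/Jun/2026:10:00:02 +0000] "POST /cgi-bin/luci/rpc/auth HTTP/1.1" 403 27
203.0.113.7 - - [29/Jun/2026:10:00:03 +0000] "POST /cgi-bin/luci/rpc/auth HTTP/1.1" 403 27
203.0.113.7 - - [29/Jun/2026:10:00:04 +0000] "POST /cgi-bin/luci/rpc/auth HTTP/1.1" 403 27
203.0.113.7 - - [29/Jun/2026:10:00:05 +0000] "POST /cgi-bin/luci/rpc/auth HTTP/1.1" 403 27
192.0.2.10 - - [29/Jun/2026:10:00:09 +0000] "POST /cgi-bin/luci/rpc/auth HTTP/1.1" 200 61
192.0.2.10 - - [29/Jun/2026:10:00:10 +0000] "GET /cgi-bin/luci/admin/status/overview HTTP/1.1" 200 1824
198.51.100.4 - - [29/Jun/2026:10:05:00 +0000] "POST /cgi-bin/luci/rpc/sys HTTP/1.1" 403 27
"""

LINE_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')
RPC_PREFIX = "/cgi-bin/luci/rpc/"            # assumed LuCI JSON-RPC path prefix
TRUSTED_MGMT = [ip_network("192.0.2.0/24")]  # assumed trusted management network

def parse(log_text):
    """Turn access-log lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            events.append({"src": m["src"], "ts": ts, "path": m["path"], "status": int(m["status"])})
    return events

def detect(events, threshold=5, window=timedelta(minutes=1)):
    """Return (alert_kind, source) tuples for untrusted RPC access and RPC auth brute force."""
    alerts, flagged_untrusted, failures = [], set(), defaultdict(list)
    for e in events:
        if not e["path"].startswith(RPC_PREFIX):
            continue  # only the RPC surface is of interest here
        if e["src"] not in flagged_untrusted and not any(ip_address(e["src"]) in n for n in TRUSTED_MGMT):
            flagged_untrusted.add(e["src"])   # report each untrusted source once
            alerts.append(("rpc_from_untrusted", e["src"]))
        if e["path"] == RPC_PREFIX + "auth" and e["status"] != 200:
            recent = failures[e["src"]]
            recent.append(e["ts"])
            while e["ts"] - recent[0] > window:   # drop failures older than the window
                recent.pop(0)
            if len(recent) == threshold:          # fire when the threshold is reached
                alerts.append(("rpc_auth_bruteforce", e["src"]))
    return alerts
```

Run `detect(parse(SAMPLE_LOG))` to get the alerts; in production the same logic would consume the device or reverse-proxy access log and the trusted range would be the organization's real management subnet.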
