CVE-2025-4338

MEDIUM

Lantronix Device Installer - XXE

Title source: llm

Description

Lantronix Device Installer is vulnerable to XML external entity (XXE) attacks in configuration files read from the network device. An attacker could obtain credentials, access these network devices, and modify their configurations. An attacker may also gain access to the host running the Device Installer software or the password hash of the user running the application.

Scores

CVSS v3: 6.8
EPSS: 0.0007
EPSS Percentile: 20.3%
Attack Vector: ADJACENT_NETWORK
CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: partial

Details

CWE: CWE-611
Status: published
Products (1): Lantronix/Device Installer < 4.4.0.7
Published: May 22, 2025
Tracked Since: Feb 18, 2026