XML External Entity Vulnerability in Lantronix Device Installer
CVE-2025-4338
What is CVE-2025-4338?
The Lantronix Device Installer is susceptible to XML External Entity (XXE) attacks, which can occur through configuration files fetched from network devices. An attacker exploiting this vulnerability could potentially retrieve sensitive information such as user credentials and may further gain unauthorized access to the network devices. This access allows attackers to alter configurations and could lead to unauthorized modifications on the host machine running the Device Installer software, including exposure of the password hash of the user operating the application.

Affected Version(s)
Device Installer: versions 0 through 4.4.0.7 (inclusive)
