XML External Entity Vulnerability in Lantronix Device Installer
CVE-2025-4338

6.9 MEDIUM

Key Information:

Vendor: Lantronix
CVE Published: 22 May 2025

What is CVE-2025-4338?

The Lantronix Device Installer is susceptible to XML External Entity (XXE) attacks delivered through configuration files fetched from network devices. An attacker who exploits this vulnerability could retrieve sensitive information such as user credentials and may go on to gain unauthorized access to the network devices. This access allows attackers to alter configurations and could lead to unauthorized modifications on the host machine running the Device Installer software, including exposure of the password hash of the user operating the application.

Affected Version(s)

Device Installer: versions from 0 up to and including 4.4.0.7

CVSS V4

Score: 6.9
Severity: MEDIUM
Confidentiality: High
Integrity: Low
Availability: Low
Attack Vector: Adjacent Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published
