CVE-2025-4338 MEDIUM

CVE-2025-4338: Lantronix Device Installer Improper Restriction of XML External Entity Reference

Vendor Lantronix
Product Device Installer
Weakness CWE-611 · XXE
Published May 22, 2025
Last update May 23, 2025

CVSS base score

6.9/10
Attack vector Adjacent
Attack complexity Low
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

Lantronix Device Installer is vulnerable to XML external entity (XXE) attacks in configuration files read from the network device. An attacker could obtain credentials, access these network devices, and modify their configurations. An attacker may also gain access to the host running the Device Installer software or the password hash of the user running the application.

Key dates

02 Disclosure timeline

May 22, 2025 CVE published
May 23, 2025 Record updated

Related vulnerabilities

04 Related CVE