An issue was discovered in Lantronix EDS3000PS 3.1.0.0R2. The host parameter of the TFTP client in the Filesystem Browser page is not properly sanitized. This c…

A critical command injection vulnerability was discovered in Lantronix EDS3000PS version 3.1.0.0R2. The vulnerability exists in the TFTP client's host parameter within the Filesystem Browser page, which lacks proper input sanitization. Attackers can exploit this flaw to escape from the original command context and execute arbitrary commands with root privileges. This represents a severe security risk as it allows complete system compromise through privilege escalation. The vulnerability affects industrial network infrastructure devices commonly used in critical environments.