How ZeroPath Works
Back to Blog

Fueling Danger: Critical Authentication Flaw in Lantronix Xport (CVE-2025-2567)

A critical missing authentication vulnerability in Lantronix Xport devices (CVE-2025-2567) threatens fuel monitoring systems, risking severe operational disruptions and safety hazards.
CVE Analysis

6 min read

ZeroPath Security Research

ZeroPath Security Research

2025-04-15

Fueling Danger: Critical Authentication Flaw in Lantronix Xport (CVE-2025-2567)
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A critical vulnerability in Lantronix Xport devices (CVE-2025-2567) has emerged, posing severe risks to fuel monitoring systems and critical infrastructure. This missing authentication flaw allows attackers to remotely manipulate Automatic Tank Gauge (ATG) systems, potentially leading to severe operational disruptions, environmental contamination, and safety hazards.

Affected Systems and Versions

The vulnerability specifically affects Lantronix Xport firmware versions 6.5.0.7 through 7.0.0.3. Devices running these firmware versions are vulnerable to remote exploitation without authentication.

Technical Information

The flaw (CWE-306) resides in the web-based configuration interface of Lantronix Xport devices. Attackers can exploit this vulnerability by sending unauthenticated HTTP POST requests to the /cfg/network endpoint. This allows attackers to disable TLS encryption, modify SNMP community strings, and deactivate firmware signature verification. Consequently, attackers can upload malicious firmware, intercept MODBUS/TCP communications, and manipulate ATG parameters, including disabling leak detection and altering tank volume thresholds.

Attack vectors include remote exploitation with minimal complexity, requiring no user interaction or advanced techniques.

Patch Information

Lantronix has released firmware version 7.0.0.4, addressing this vulnerability by implementing HMAC-SHA256 authentication for configuration changes. Organizations should immediately upgrade to this version or later. Additionally, network segmentation and resetting default SNMP community strings are recommended as immediate mitigations.

Detection Methods

Indicators of compromise include:

  • HTTP POST requests containing "auth": null in JSON payloads.
  • Unexpected firmware files with .enc extensions in /var/updates.
  • Connections to port 10001/TCP from suspicious IP addresses, including TOR exit nodes.

Vendor Security History

Lantronix has historically exhibited slower patch response times compared to industry peers, highlighting systemic challenges in securing legacy industrial devices. This vulnerability persisted across multiple firmware versions over an extended period before being addressed.

References

Detect & fix
what others miss

Get startedBook a demo