Fueling Danger: Critical Authentication Flaw in Lantronix Xport (CVE-2025-2567)

A critical missing authentication vulnerability in Lantronix Xport devices (CVE-2025-2567) threatens fuel monitoring systems, risking severe operational disruptions and safety hazards.

Introduction

A critical vulnerability in Lantronix Xport devices (CVE-2025-2567) puts fuel monitoring systems and critical infrastructure at risk. This missing authentication flaw allows attackers to remotely manipulate Automatic Tank Gauge (ATG) systems, potentially leading to severe operational disruptions, environmental contamination, and safety hazards.

Affected Systems and Versions

The vulnerability specifically affects Lantronix Xport firmware versions 6.5.0.7 through 7.0.0.3. Devices running these firmware versions are vulnerable to remote exploitation without authentication.

Technical Information

The flaw (CWE-306) resides in the web-based configuration interface of Lantronix Xport devices. Attackers can exploit this vulnerability by sending unauthenticated HTTP POST requests to the /cfg/network endpoint. This allows attackers to disable TLS encryption, modify SNMP community strings, and deactivate firmware signature verification. Consequently, attackers can upload malicious firmware, intercept MODBUS/TCP communications, and manipulate ATG parameters, including disabling leak detection and altering tank volume thresholds.

Exploitation is remote and low-complexity, and requires neither user interaction nor advanced techniques.

Patch Information

Lantronix has released firmware version 7.0.0.4, addressing this vulnerability by implementing HMAC-SHA256 authentication for configuration changes. Organizations should immediately upgrade to this version or later. Additionally, network segmentation and resetting default SNMP community strings are recommended as immediate mitigations.

Detection Methods

Indicators of compromise include:

  • HTTP POST requests containing "auth": null in JSON payloads.
  • Unexpected firmware files with .enc extensions in /var/updates.
  • Connections to port 10001/TCP from suspicious IP addresses, including TOR exit nodes.
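
The sketch below applies the first and third indicators to parsed proxy or sensor records. It is an added example, not vendor or ZeroPath code. The record schema, the allowlisted management subnet and the sample records are assumptions constructed for illustration, and an allowlist stands in for a suspicious-IP feed.

```python
import ipaddress
import json

# Assumption: the site's approved management subnet; replace with your own.
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.0.0/24")]

# Constructed sample records (documentation IP ranges, not real traffic).
SAMPLE = [
    {"ts": "10:00:01", "src": "10.20.0.15", "dport": 80, "method": "GET",
     "path": "/index.html", "body": ""},
    {"ts": "10:02:11", "src": "203.0.113.44", "dport": 80, "method": "POST",
     "path": "/cfg/network", "body": '{"auth": null, "tls": false}'},
    {"ts": "10:03:40", "src": "10.20.0.15", "dport": 80, "method": "POST",
     "path": "/cfg/network", "body": '{"auth": "placeholder", "tls": true}'},
    {"ts": "10:05:02", "src": "198.51.100.7", "dport": 10001},
    {"ts": "10:06:30", "src": "10.20.0.15", "dport": 10001},
]

def has_null_auth(body):
    """True if the JSON body has an "auth" key set to null at any depth."""
    try:
        stack = [json.loads(body)]
    except (ValueError, TypeError):
        return False  # not JSON, so there is no "auth" field to evaluate
    while stack:
        node = stack.pop()
        if isinstance(node, dict):
            if "auth" in node and node["auth"] is None:
                return True
            stack.extend(node.values())
        elif isinstance(node, list):
            stack.extend(node)
    return False

def is_allowed(src):
    return any(ipaddress.ip_address(src) in net for net in ALLOWED_SOURCES)

def triage(records):
    """Return (ts, src, reason) tuples for records matching the indicators."""
    alerts = []
    for r in records:
        if r.get("method") == "POST" and has_null_auth(r.get("body")):
            alerts.append((r["ts"], r["src"], "POST with null auth to " + r["path"]))
        if r.get("dport") == 10001 and not is_allowed(r["src"]):
            alerts.append((r["ts"], r["src"], "10001/TCP from unapproved source"))
    return alerts

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

Parsing the body rather than matching a substring means whitespace variations and nested objects do not hide the null value from the check.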

Vendor Security History

Lantronix has historically exhibited slower patch response times compared to industry peers, highlighting systemic challenges in securing legacy industrial devices. This vulnerability persisted across multiple firmware versions over an extended period before being addressed.
