CVE-2025-2567 "Lantronix Missing Authentication for Critical Function" vulnerability
The vulnerability 'CVE-2025-2567' has been resolved in firmware version 8.0.0.0/8.1.0.0.
The latest firmware introduces the following changes by default:
TFTP is disabled.
Incoming connections are disabled.
Telnet authentication is enabled.
The active incoming port is set to 0.
A default password has been configured.
From firmware version 8.0.0.0/8.1.0.0, the default password is enabled for both the Web-manager (GUI) and Telnet.
The new default settings will be functional after the device is factory reset.
A] The default password will be set to L@ntr0n1x (the password contains the digit ZERO, not the letter O) for the devices listed below.
-> For xport 05, xpico, xpico110, xport Direct+ and Micro125, UDS1100 IAP, xPress DR(03) IAP and xPress DR+ IAP
-> For UDS1100, UDS2100, SDS1101, SDS2101 and xPress DR manufactured before the year 2020.
B] For xDirect manufactured before the year 2020, the credentials are the same as before.
Username: admin
Password: PASS
C] The default password is the last 8 bytes of the Device ID for UDS1100, UDS2100, SDS1101, SDS2101, xPress DR, xDirect, UDS1100 IAP, xPress DR(03) IAP and xPress DR+ IAP manufactured after the year 2020.
NOTE: The new default settings/changes will be functional after the device is factory reset.
Users are strongly advised to replace the default password with a unique and secure one after the first login or after resetting the device to factory defaults.
Please refer to the following link for instructions to address the issue of Missing Authentication for Critical Function.
[Originally Published On: 04/28/2025 09:52 AM]