CVE-2025-2567 "Lantronix Missing Authentication for Critical Function" vulnerability.

The vulnerability 'CVE-2025-2567' has been resolved in the firmware version 8.0.0.0/8.1.0.0,

The latest firmware introduces the following changes by default:

• TFTP is disabled.

• Incoming connections are disabled.

• Telnet authentication is enabled.

• The active incoming port is set to 0.

• A default password has been configured.

From firmware version 8.0.0.0 /8.1.0.0, the default password is enabled for both the Web-manager (GUI) and Telnet.
The new default settings will be functional after the device is factory reset.

A] The default password will be set as L@ntr0n1x, (the password includes ZERO and not O) for the below listed devices.
-> For xport 05, xpico, xpico110, xport Direct+ and Micro125,UDS1100 IAP, xPress DR(03) IAP and xPress DR+ IAP
-> For UDS1100, UDS2100, SDS1101, SDS2101 and xPress DR manufactured before year 2020.

B] For xDirect, manufactured before year 2020, credentials are same as before.
Username: admin
Password: PASS

C] The default password is last 8 bytes of Device ID for UDS1100, UDS2100, SDS1101, SDS2101, xPress DR, xDirect, UDS1100 IAP, xPress DR(03) IAP and xPress DR+ IAP manufactured after year 2020.

NOTE: The new default settings/changes will be functional after the device is factory reset.

Users are strongly advised to replace the default password with a unique and secure one after first login or factory default the device.

Please refer to the following link for instructions to address the issue of Missing Authentication for Critical Function.

[Originally Published On: 04/28/2025 09:52 AM]