IAP Firmware: CVE-2025-2567 "Lantronix Missing Authentication for Critical Function" vulnerability


The vulnerability 'CVE-2025-2567' has been resolved in the IAP firmware version 5.0.0.0.

The latest firmware introduces the following changes by default:

  • TFTP is disabled.

  • Telnet authentication is enabled.

  • The default Modbus port is set to 0.

  • A default password has been configured.

 
The new default settings will be functional after the device is factory reset.
A] The default password is set to L@ntr0n1x (the password contains the digit ZERO, not the letter O) for the devices listed below.
-> xport-05-IAP, UDS1100-IAP, xPress DR+ and XPress DR-IAP manufactured before year 2020.

B] For xDirect-IAP manufactured before year 2020, the credentials are the same as before.
Username: admin
Password: PASS

C] The default password is the last 8 bytes of the Device ID for UDS1100-IAP, XPress DR-IAP, xPress DR+ and xDirect-IAP manufactured after year 2020.

NOTE: The new default settings/changes will be functional after the device is factory reset.

Users are strongly advised to replace the default password with a unique and secure one after the first login or after resetting the device to factory defaults.

Please refer to the following link for instructions to address the issue of Missing Authentication for Critical Function.


[Originally Published On: 04/28/2025 09:52 AM]