Lantronix Device Installer

Monitor | CVSS 6.8 | ICS-CERT ICSA-25-142-01 | May 22, 2025
Lantronix
Attack path
Attack Vector: Adjacent
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

Lantronix Device Installer versions 4.4.0.7 and earlier contain an XML external entity (XXE) injection vulnerability (CWE-611) that could allow an attacker with local or adjacent network access to execute code or access data on the host workstation if a user opens a malicious file. Device Installer reached end-of-support in 2018 and will not receive security updates. No public exploitation has been reported, and the vulnerability is not remotely exploitable over the internet.

What this means
What could happen
An attacker with local access to a workstation running Device Installer could execute arbitrary code or access sensitive data on that machine, potentially compromising configuration details for managed devices. Since Device Installer is end-of-life, no patches will be released.
Who's at risk
IT/OT staff at utilities and infrastructure operators who use Lantronix Device Installer for network device provisioning and management. This includes system administrators managing remote terminal servers, console servers, and network appliances. The risk is highest for organizations still using this end-of-life tool in production environments.
How it could be exploited
An attacker must have local or adjacent network access to a workstation running Device Installer and trick a user into interacting with a malicious file (likely XML-based, given the CWE-611 XXE vulnerability). The attacker cannot exploit this remotely over the internet.
Prerequisites
  • Local or adjacent network (AV:A) access to the workstation running Device Installer
  • User interaction required (UI:R) - user must open or interact with a malicious file
  • No authentication credentials required
  • No patch available (end-of-life product)
  • Local/adjacent network access required but no authentication needed
  • User interaction required reduces but does not eliminate risk
  • Social engineering vector via email or file sharing
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (1)
Product | Affected Versions | Fix Status
Device Installer: <=4.4.0.7 | ≤ 4.4.0.7 | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Isolate workstations running Device Installer from the business network; restrict network access to only authorized personnel and devices
WORKAROUND: Disable email attachments and web links for users who operate Device Installer; implement email filtering to block suspicious attachments
HARDENING: Place Device Installer workstations behind firewall rules that block inbound connections from untrusted networks and limit outbound connections
Long-term hardening
HOTFIX: Migrate to Lantronix Provisioning Manager or equivalent supported device management solution
Mitigations - no patch available
Device Installer: <=4.4.0.7 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Train staff not to open unsolicited files or click links in unexpected emails, especially on workstations with access to sensitive device configuration
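
An added example, not part of the advisory or of any Lantronix or ICS-CERT material: one way to back the attachment-filtering workaround above with a content check that quarantines XML carrying a DOCTYPE or entity declarations before it reaches a Device Installer workstation. It assumes legitimate files for that workstation never need a DTD; the function names, the encoding allowlist and the sample documents are constructed for illustration.

```python
import re

# BOM -> codec; a scanner that assumes UTF-8 never sees the markup in UTF-16 files.
_BOMS = ((b"\xef\xbb\xbf", "utf-8"), (b"\xff\xfe", "utf-16-le"), (b"\xfe\xff", "utf-16-be"))
_ALLOWED_ENCODINGS = {"utf-8", "utf-16", "us-ascii"}  # assumed site policy
_DECL_ENCODING = re.compile(r"<\?xml[^>]*?encoding\s*=\s*[\"']([\w.-]+)[\"']", re.I)
_DOCTYPE = re.compile(r"<!DOCTYPE\b", re.I)
_ENTITY = re.compile(r"<!ENTITY\s+(%\s+)?[\w.:-]+\s+(SYSTEM|PUBLIC)?", re.I)


def _decode(data: bytes) -> str:
    for bom, codec in _BOMS:
        if data.startswith(bom):
            return data[len(bom):].decode(codec, errors="replace")
    # BOM-less UTF-16: the leading '<' is paired with a NUL byte.
    if data[:2] == b"<\x00":
        return data.decode("utf-16-le", errors="replace")
    if data[:2] == b"\x00<":
        return data.decode("utf-16-be", errors="replace")
    return data.decode("utf-8", errors="replace")


def screen_xml(data: bytes) -> list[str]:
    """Return quarantine reasons for one file; an empty list means it passes."""
    text = _decode(data)
    reasons = []
    decl = _DECL_ENCODING.search(text[:200])
    if decl and decl.group(1).lower() not in _ALLOWED_ENCODINGS:
        reasons.append("unexpected-encoding")  # content cannot be scanned reliably
    if _DOCTYPE.search(text):
        reasons.append("doctype")
    entities = list(_ENTITY.finditer(text))
    if any(m.group(1) for m in entities):
        reasons.append("parameter-entity")
    if any(m.group(2) for m in entities):
        reasons.append("external-entity")
    elif entities:
        reasons.append("internal-entity")
    return reasons


# Constructed samples; element names are invented, not the Device Installer file format.
CLEAN = b'<?xml version="1.0" encoding="UTF-8"?><devices><device name="ts-01"/></devices>'
FLAGGED = b'<?xml version="1.0"?><!DOCTYPE devices [<!ENTITY ext SYSTEM "placeholder">]><devices/>'

if __name__ == "__main__":
    samples = {"clean": CLEAN, "flagged": FLAGGED, "flagged-utf16": FLAGGED.decode().encode("utf-16")}
    for name, blob in samples.items():
        print(name, screen_xml(blob) or "pass")
```

A non-empty result is a reason to quarantine the file rather than proof it is malicious; the check complements, and does not replace, isolating the workstation and migrating off the end-of-life tool.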

Lantronix Device Installer | CVSS 6.8 - OTPulse