Introduction
A critical vulnerability in Lantronix Xport devices (CVE-2025-2567) has emerged, posing severe risks to fuel monitoring systems and critical infrastructure. This missing authentication flaw allows attackers to remotely manipulate Automatic Tank Gauge (ATG) systems, potentially leading to severe operational disruptions, environmental contamination, and safety hazards.
Affected Systems and Versions
The vulnerability specifically affects Lantronix Xport firmware versions 6.5.0.7 through 7.0.0.3. Devices running these firmware versions are vulnerable to remote exploitation without authentication.
Technical Information
The flaw (CWE-306) resides in the web-based configuration interface of Lantronix Xport devices. Attackers can exploit this vulnerability by sending unauthenticated HTTP POST requests to the /cfg/network endpoint. This allows attackers to disable TLS encryption, modify SNMP community strings, and deactivate firmware signature verification. Consequently, attackers can upload malicious firmware, intercept MODBUS/TCP communications, and manipulate ATG parameters, including disabling leak detection and altering tank volume thresholds.
The vulnerability is remotely exploitable with low attack complexity and requires neither user interaction nor advanced techniques.
Patch Information
Lantronix has released firmware version 7.0.0.4, addressing this vulnerability by implementing HMAC-SHA256 authentication for configuration changes. Organizations should immediately upgrade to this version or later. Additionally, network segmentation and resetting default SNMP community strings are recommended as immediate mitigations.
Detection Methods
Indicators of compromise include:
- HTTP POST requests containing "auth": null in JSON payloads.
- Unexpected firmware files with .enc extensions in /var/updates.
- Connections to port 10001/TCP from suspicious IP addresses, including TOR exit nodes.
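The first and third indicators above can be checked mechanically against request and flow logs. The following is an added example written for this page, not tooling from Lantronix or from the advisory; the log line formats, the IP addresses and the TOR exit-node list are constructed for illustration, while the /cfg/network path, the "auth": null marker and port 10001/TCP come from the text above.

```python
import json
import re

# Constructed sample log lines (not from the advisory): one web-access style record
# per request with the JSON body appended after a tab, and one flow record per TCP
# connection. Both formats are assumptions made for this example.
WEB_LOG = [
    '203.0.113.5 "POST /cfg/network HTTP/1.1" 200\t{"auth": null, "tls": false}',
    '198.51.100.7 "POST /cfg/network HTTP/1.1" 200\t{"auth": "hmac-sha256:placeholder", "tls": true}',
    '192.0.2.9 "GET /cfg/network HTTP/1.1" 200\t',
]
FLOW_LOG = [
    "src=203.0.113.5 dst=10.0.0.20 proto=tcp dport=10001",
    "src=10.0.0.3 dst=10.0.0.20 proto=tcp dport=443",
]
# Constructed placeholder set of TOR exit-node addresses; a real deployment would
# load a current exit-node feed instead.
TOR_EXITS = {"203.0.113.5"}

WEB_RE = re.compile(r'^(?P<src>\S+) "(?P<method>\S+) (?P<path>\S+) [^"]*" \d+\t?(?P<body>.*)$')
FLOW_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+) dport=(?P<dport>\d+)")

def unauthenticated_config_posts(lines):
    """Return source addresses of POSTs to /cfg/network whose JSON body carries "auth": null."""
    hits = []
    for line in lines:
        m = WEB_RE.match(line)
        if not m or m["method"] != "POST" or m["path"] != "/cfg/network":
            continue
        try:
            body = json.loads(m["body"]) if m["body"] else {}
        except json.JSONDecodeError:
            continue  # malformed body: not the indicator described in the advisory
        if isinstance(body, dict) and "auth" in body and body["auth"] is None:
            hits.append(m["src"])
    return hits

def suspicious_xport_connections(lines, tor_exits):
    """Return (src, dst) pairs for TCP connections to port 10001 from listed TOR exit nodes."""
    hits = []
    for line in lines:
        m = FLOW_RE.search(line)
        if m and m["proto"] == "tcp" and m["dport"] == "10001" and m["src"] in tor_exits:
            hits.append((m["src"], m["dst"]))
    return hits

if __name__ == "__main__":
    print(unauthenticated_config_posts(WEB_LOG))       # ['203.0.113.5']
    print(suspicious_xport_connections(FLOW_LOG, TOR_EXITS))  # [('203.0.113.5', '10.0.0.20')]
```

Only the POST with a null auth field is reported; the authenticated POST and the GET are ignored, so the check stays specific to the advisory's indicator rather than flagging every configuration request.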
Vendor Security History
Lantronix has historically exhibited slower patch response times compared to industry peers, highlighting systemic challenges in securing legacy industrial devices. This vulnerability persisted across multiple firmware versions over an extended period before being addressed.
