Product Security Advisory - Lantronix Device Servers (CVE-2025-2567)

OVERVIEW
Traka has been informed of a vulnerability, CVE-2025-2567, initially identified in ICSA-25-105-05, concerning Lantronix XPort and UDS2100 device servers. This issue impacts the following Traka solutions that use these devices:
  • First-generation Key Management with separate keypad and LCD
  • First-generation Equipment Management (Lockers) with separate keypad and LCD
  • First-generation Access Control Equipment with separate keypad and LCD systems
These are commonly referred to as Traka 8-bit and 16-bit systems.


The Common Vulnerability Scoring System (CVSS) rates this as a critical vulnerability with a score of 9.3, and we therefore recommend immediate remedial action.

NEXT STEPS
The following products are in scope of this vulnerability announcement.

Traka 8-bit and 16-bit systems, regardless of connected software platform, meeting the following criteria: 
  • Fitted with Lantronix XPort-03, XPort-04, XPort-05 - a component fitted to the 8-bit/16-bit control board, accessible behind the system’s front panel.
  • Fitted with Lantronix UDS2100 – connected externally to the 8-bit/16-bit control board but typically located behind the Traka system’s front panel. UDS2100 is used for Traka32 with TACLS/RTUS (Real Time Update) scenarios.
If you are unsure, please contact Traka Technical Support.

It is important to note that the remediation process differs depending upon the Lantronix Device Server identified.

For Traka systems with a Lantronix XPort-05 or Lantronix UDS2100 fitted to the control board, Lantronix have released a firmware update, which can be obtained from the Lantronix website. However, we recommend that you follow the documented steps referenced below in the context of Traka products.

For Traka systems fitted with a Lantronix XPort-03 or XPort-04 device server, no firmware is available at the time of writing to mitigate the identified vulnerability. However, Lantronix have issued mitigation guidance, which is also covered in the document referenced below.

For information on how to identify the specific device servers, how to mitigate the vulnerability for each component, and additional resources, please read “TD0226 - CVE-2025-2567 remediation guide for Lantronix Device Servers”.

REFERENCES


NIST Vulnerability Database - CVE - https://nvd.nist.gov/vuln/detail/CVE-2025-2567


CONTACT INFORMATION
If you would like more information or require technical support, please contact Traka Oceania Support.

Phone: +61 1800 666 110