The Bridge Nobody Watches
Serial-to-Ethernet converters occupy one of the most dangerous blind spots in industrial security: they are critical, ubiquitous, and systematically neglected.
These devices — sold under names like Lantronix EDS, Silex SD, Moxa NPort — sit at the junction between the serial world and the IP world. A water treatment plant's flow sensor speaks RS-232. A substation's relay controller speaks RS-485. A hospital's nurse-call system speaks serial protocols that have not fundamentally changed since the 1980s. The converter translates that traffic to TCP/IP, making decades-old field equipment remotely manageable across modern Ethernet infrastructure.
In April 2026, Forescout Vedere Labs published BRIDGE:BREAK — a coordinated disclosure covering 22 new vulnerabilities across serial-to-Ethernet converters from Lantronix and Silex. The research found these devices routinely internet-exposed, carrying embedded Linux stacks loaded with unpatched open-source vulnerabilities, and in several cases exploitable by an unauthenticated attacker with a single HTTP request.
One of the resulting CVEs, CVE-2025-67038, reached the CISA Known Exploited Vulnerabilities catalog on June 23, 2026. KEV listing itself means CISA has evidence of exploitation in the wild; the three-day federal remediation deadline attached to the entry signals how urgent CISA judged that exploitation to be.
What Serial-to-Ethernet Converters Actually Do
The Lantronix EDS5000 series (EDS5008, EDS5016, EDS5032) are rack-mountable serial device servers with 8 to 32 RS-232/422/485 ports, each individually addressable over TCP/IP. They expose a web management interface for configuration, support SNMP and MQTT for monitoring, and can be set to operate as virtual COM ports transparently relaying serial data across IP networks. The EDS3000PS is a compact multi-port variant serving similar environments.
The Silex SD330-AC extends the same concept to wireless environments — bridging serial devices over Wi-Fi as well as Ethernet, relevant for building automation, retail, and healthcare settings where cabling is impractical.
What makes these devices peculiar security targets is their deployment context. They are not servers — they are infrastructure. They do not typically appear in asset inventories, are not enrolled in vulnerability management programs, and are almost never monitored for anomalous behavior. When an administrator patches servers and workstations, serial device servers frequently fall outside the scope of that process entirely.
Their firmware update mechanisms reflect this reality: Lantronix's EDS5000 requires manual download from an Atlassian wiki page and manual upload through the device's web interface. There is no automatic update, no fleet management push, no centralized patching.
And then there is the matter of internet exposure.
The Exposure Problem
Forescout's internet scanning identified approximately 20,000 serial-to-Ethernet converters reachable from the public internet — management interfaces exposed through firewalls that were either misconfigured, deliberately opened for remote access, or simply never restricted in the first place.
Open-source intelligence made the deployment context visible. Shodan results surfacing Lantronix and Silex devices revealed device configurations and internal IP topologies; in some cases, photographs published by facility operators showed the physical installation location: substations, water treatment buildings, and power grid relay rooms.
The profile of an internet-exposed serial device server is different from an internet-exposed database or web server. The serial device server is rarely managed actively. It may have the same configuration it was shipped with — default credentials, no firewall rules, management interface bound to all interfaces. It may not have received a firmware update since installation. And it sits directly in the path of serial communications to field devices: PLCs, meters, sensors, actuators, and protection relays.
The BRIDGE:BREAK Vulnerability Set
Forescout analyzed firmware images from five major serial-to-Ethernet converter vendors. Each image contained roughly 80 open-source software components, inherited roughly 2,255 known vulnerabilities in Linux kernel components alone, and carried approximately 89 publicly available exploits against those inherited components.
Against Lantronix and Silex specifically, the researchers identified 22 new vulnerabilities through direct firmware analysis and live device testing:
- 8 vulnerabilities in Lantronix products (EDS3000PS and EDS5000 series)
- 14 vulnerabilities in Silex products (SD330-AC)
The vulnerability classes span the full severity spectrum:
| Class | Examples |
|---|---|
| Remote code execution | OS command injection via web management fields |
| Authentication bypass | Unauthenticated API access to device configuration |
| Firmware tampering | Unsigned firmware accepted without validation |
| Denial of service | Crashes in serial management protocol handlers |
Most significant is that several vulnerabilities — including CVE-2025-67038 — require no authentication and no prior knowledge of device configuration. An internet-facing converter is exploitable with a single crafted HTTP request.
CVE-2025-67038: The KEV Entry
CVE-2025-67038 is the highest-profile vulnerability from the BRIDGE:BREAK disclosure, and the only one to reach the CISA Known Exploited Vulnerabilities catalog.
The vulnerability is in the EDS5000's HTTP RPC authentication module. When a login attempt fails, the device writes an authentication-failure log entry by constructing a shell command that includes the submitted username. The routine concatenates the raw username value into that shell string without sanitization or escaping.
An attacker submits a username containing shell metacharacters (;, &&, |, backticks, $( )) to the login endpoint. Because the log-write routine hands the assembled string to a shell, the shell parses those characters as command separators and substitutions and executes the injected commands with the privileges of the web stack, which on this device is root. No credentials are required: the injection sits in the failure path, which runs before any credential is validated. A single HTTP request therefore achieves root-level command execution on the device.
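To make the failure mode concrete, here is an added example in C. It is not Lantronix's code; the function names, the use of logger(1) as the log path and the "eds-auth" syslog tag are assumptions. It shows the vulnerable pattern (the username spliced into a shell string destined for system()) next to a log path that builds an argv vector and execs directly, so the same username is just an argument and never shell syntax.

```c
/* Added example, not Lantronix firmware: the pre-auth command-injection pattern
 * described for CVE-2025-67038, beside a log path that never touches a shell.
 * Function names, the "eds-auth" syslog tag and the use of logger(1) are assumptions. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define MAX_ARGS 8

/* Vulnerable pattern: the raw username is spliced into a shell command line
 * that the firmware would hand to system(). "admin; id" becomes two commands. */
int build_failure_log_command(const char *username, char *cmd, size_t cmd_len)
{
    int n = snprintf(cmd, cmd_len,
                     "logger -t eds-auth login_failed user=%s", username);
    return (n > 0 && (size_t)n < cmd_len) ? 0 : -1;
}

/* Characters a POSIX shell would interpret. Shown to make the missing check
 * visible; a real fix should not rely on a denylist alone. */
int has_shell_metachars(const char *s)
{
    return strpbrk(s, ";&|`$()<>\n'\"\\") != NULL;
}

/* Hardened pattern: build an argv vector and exec logger directly. The username
 * travels as one argument, so metacharacters are plain bytes, not syntax. */
int build_failure_log_argv(const char *username, char *msg, size_t msg_len,
                           const char *argv[MAX_ARGS])
{
    int n = snprintf(msg, msg_len, "login failed for user %s", username);
    if (n < 0 || (size_t)n >= msg_len)
        return -1;
    argv[0] = "logger";
    argv[1] = "-t";
    argv[2] = "eds-auth";
    argv[3] = "--";   /* ends option parsing, so a username like "-f" stays data */
    argv[4] = msg;
    argv[5] = NULL;
    return 0;
}

/* fork/exec with no /bin/sh in the path; returns the child's exit status or -1. */
int exec_argv_no_shell(const char *argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], (char *const *)argv);
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed attacker input: what a login request's username field might carry. */
    const char *payload = "admin; id > /tmp/pwned #";
    char cmd[256], msg[256];
    const char *argv[MAX_ARGS];

    build_failure_log_command(payload, cmd, sizeof cmd);
    printf("shell string the vulnerable path would run: %s\n", cmd);
    printf("shell metacharacters present: %s\n", has_shell_metachars(payload) ? "yes" : "no");

    build_failure_log_argv(payload, msg, sizeof msg, argv);
    argv[0] = "echo";           /* stand-in for logger so the demo needs no syslog daemon */
    exec_argv_no_shell(argv);   /* prints the payload verbatim; nothing in it is executed */
    return 0;
}
```

The `--` before the message matters because logger parses options; without it a username beginning with `-` could still steer the helper. Calling syslog(3) from the authentication module would avoid spawning any process at all and is the cleaner fix; the exec form is shown because it maps directly onto the shell-string code it replaces.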
CVSS 9.8: network-accessible, low attack complexity, no privileges, no user interaction, and high impact on confidentiality, integrity and availability.
CISA published ICS Advisory ICSA-26-069-02 on March 10, 2026, coordinated with Forescout's disclosure. Lantronix released patched firmware (2.2.0.0R1) for the EDS5000 series. The CISA KEV addition on June 23, 2026, more than three months after the patch, confirms that devices left unpatched, or unreachable by any patch process, were exploited once the vulnerability was public.
Three Attack Scenarios
Forescout's research went beyond demonstrating individual vulnerabilities to modelling what an attacker could accomplish after compromising a serial device server in a real operational environment. Three scenarios were demonstrated in lab conditions.
Denial of Service
An attacker who can reach the converter's management interface — or its serial-facing IP ports — can disrupt communications between field devices and control systems. The converter becomes a single point of failure for all the serial devices attached to it. In a power grid environment, disrupting the converter serving a protection relay cluster could prevent supervisory commands from reaching those relays. In water treatment, disrupting a converter serving flow and pressure sensors could force operators to manual control.
Lateral Movement
Serial-to-Ethernet converters are placed specifically to bridge network boundaries. A converter in a substation may sit on both an IT Ethernet segment and a field-device serial bus. An attacker who compromises the converter's embedded Linux OS can use it as a pivot: scanning and communicating with IP hosts on adjacent network segments that would otherwise be unreachable from the attacker's entry point.
This is the architectural paradox of these devices. They are deployed to bridge networks. Their bridging capability — the core product feature — is also what makes them valuable for lateral movement into non-routable network segments.
Data Tampering
The most operationally consequential attack demonstrated by Forescout involves modification of sensor readings in transit. The converter relays serial data between field sensors and the SCADA historian or control system. An attacker with root on the converter can intercept and modify that data in real time.
In the lab demonstration, Forescout manipulated temperature readings to oscillate between -40°C and +40°C on an otherwise stable sensor. The SCADA system accepted the manipulated values without indication of tampering. Control decisions based on those values — automation responses, alarm thresholds, operator alerts — would reflect fabricated physical state.
This attack does not require modifying the PLC, the sensor, or the SCADA software. It requires only root access to a Linux device that most industrial security programs do not monitor.
The Inherited Vulnerability Crisis
The most structurally significant finding in BRIDGE:BREAK is not the 22 new vulnerabilities. It is the baseline.
Every firmware image Forescout analyzed carried thousands of known vulnerabilities inherited from bundled open-source components — Linux kernel, glibc, OpenSSL, BusyBox, and similar building blocks. These are not theoretical findings: approximately 89 publicly available exploits were present in the libraries embedded in these images.
Serial device server firmware is typically built once, validated against the hardware, and shipped. Updates may come once or twice a year, or not at all once a product reaches end-of-active-development. A device shipped in 2020 with Linux 4.x and OpenSSL 1.0 may still be running those versions in 2026. Each year that passes increases the inherited vulnerability count regardless of anything the operational team does.
This is not unique to Lantronix and Silex. Forescout analyzed firmware from five vendors and found the same pattern universally. The serial-to-Ethernet converter market inherited the firmware monoculture problem that has afflicted embedded networking equipment for decades: ship it, forget it, and let the accumulated CVE count grow silently in the field.
Historical Context: When OT Converters Are Weaponised
BRIDGE:BREAK does not describe a theoretical threat. Serial communications infrastructure has been a confirmed target in prior real-world attacks on critical infrastructure.
In the 2015 Ukraine power grid attack, the BlackEnergy malware campaign that ultimately cut power to 230,000 customers included deliberate corruption of serial-to-Ethernet converter firmware in targeted substations. The corrupted firmware prevented remote recovery commands from reaching protection relays after the power was cut — forcing manual restoration that took hours rather than minutes. The converters were weaponised not to attack the grid directly, but to prolong the impact of the attack by blinding the response.
Forescout's research also references targeting of Polish power grid infrastructure in 2025 as a more recent example of adversary attention to OT network bridging equipment.
Both incidents illustrate why BRIDGE:BREAK matters beyond its CVE count. These are not devices whose compromise means stolen data or ransomed servers. Their compromise can extend the blast radius of physical infrastructure attacks and impede recovery.
What Defenders Must Do
Serial-to-Ethernet converters rarely appear on patching dashboards or in vulnerability management queues. Fixing that operational gap is the foundational requirement for organisations that use these devices.
- Inventory every serial device server on your network. Use asset discovery tools capable of identifying embedded devices (Nmap, Forescout, Claroty, Dragos, or vendor-specific tools). Include all building automation, OT, and field device segments, not just IT networks.
- Patch immediately. For Lantronix EDS5000 series, upgrade to firmware 2.2.0.0R1 or later. For EDS3000PS series, upgrade to 3.2.0.0R2 or later. For Silex SD330-AC, apply the patches released concurrent with the BRIDGE:BREAK disclosure. Verify firmware versions across your entire installed base: manual update processes mean update compliance is often incomplete.
- Block internet access to management interfaces. No serial device server management interface should be directly reachable from the internet. Audit firewall rules for any inbound allow to device subnets on TCP 80 and 443 (web management), TCP 22 (SSH), TCP 23 (Telnet) and UDP 161 (SNMP). If remote access is required, route it through a VPN with MFA, not a direct firewall hole.
- Replace default credentials. Lantronix and Silex devices ship with documented default usernames and passwords. Any internet-exposed device still running factory defaults should be assumed to have been accessed by opportunistic actors. Change credentials immediately and enforce credential management for all OT devices.
- Segment serial device server subnets. Place converters on isolated VLANs with strict access control lists that permit only necessary serial-to-IP bridging traffic and block direct inbound connections from the internet or untrusted network segments. This limits the lateral movement capability that makes converter compromise so dangerous.
- Monitor for anomalous behavior. Serial device servers typically carry stable, predictable traffic patterns. Unusual management interface logins, unexpected outbound connections, or changes in the serial data they relay can indicate compromise. Where your security monitoring does not currently cover OT network segments, that gap is as significant as any specific vulnerability.
- Assess devices that predate your current firmware tracking. If your organisation cannot determine when the firmware was last updated or what version is installed on every device, assume some are running versions vulnerable not only to BRIDGE:BREAK findings but to years of accumulated inherited vulnerabilities. Treat those devices as untrusted infrastructure until patched and audited.
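The data-tampering demonstration above (a stable sensor made to swing between -40°C and +40°C, accepted by the SCADA system without complaint) and the monitoring item in this list point at the same control: the consumer of relayed serial data should check that readings are physically plausible before acting on them. Here is an added example in C of such a plausibility filter; it is not Forescout's lab tooling or any vendor's code, and the tag bounds, rate limit and sample series are constructed for illustration.

```c
/* Added example, not Forescout's lab tooling or any vendor's code: a plausibility
 * filter for readings that arrive through a serial device server. It flags values
 * outside the physical range of the tag and step changes faster than the process
 * can produce, which is what a -40/+40 C swing on a stable sensor looks like.
 * Thresholds and the sample series are constructed for illustration. */
#include <stdio.h>

enum reading_verdict {
    READING_OK = 0,
    READING_OUT_OF_RANGE = 1,      /* value outside the tag's physical bounds */
    READING_IMPLAUSIBLE_STEP = 2   /* change per second beyond the process limit */
};

typedef struct {
    double min_value;
    double max_value;
    double max_step_per_second;
    double last_value;   /* last reading that passed; flagged values never update it */
    double last_t;
    int have_last;
} tag_monitor;

void tag_monitor_init(tag_monitor *m, double min_value, double max_value,
                      double max_step_per_second)
{
    m->min_value = min_value;
    m->max_value = max_value;
    m->max_step_per_second = max_step_per_second;
    m->last_value = 0.0;
    m->last_t = 0.0;
    m->have_last = 0;
}

/* Classify one (timestamp, value) sample. Only accepted samples become the new
 * baseline, so a sustained spoof cannot walk the baseline to its own value. */
int tag_monitor_check(tag_monitor *m, double t, double value)
{
    int verdict = READING_OK;

    if (value < m->min_value || value > m->max_value) {
        verdict = READING_OUT_OF_RANGE;
    } else if (m->have_last) {
        double dt = t - m->last_t;
        double delta = value - m->last_value;
        if (delta < 0.0)
            delta = -delta;
        /* dt <= 0 (duplicate or out-of-order timestamp) skips the rate test rather than divide by zero */
        if (dt > 0.0 && delta / dt > m->max_step_per_second)
            verdict = READING_IMPLAUSIBLE_STEP;
    }
    if (verdict == READING_OK) {
        m->last_value = value;
        m->last_t = t;
        m->have_last = 1;
    }
    return verdict;
}

/* Run a series through the monitor; fills verdicts[] and returns how many were flagged. */
int count_flagged(tag_monitor *m, const double *t, const double *v, int n, int *verdicts)
{
    int flagged = 0;
    for (int i = 0; i < n; i++) {
        verdicts[i] = tag_monitor_check(m, t[i], v[i]);
        if (verdicts[i] != READING_OK)
            flagged++;
    }
    return flagged;
}

/* Constructed series: a room sensor holding about 21 C, then the oscillation an
 * attacker on the converter injects into the relayed stream, then the real value again. */
static const double SAMPLE_T[] = {0, 1, 2, 3, 4, 5, 6, 7};
static const double SAMPLE_V[] = {21.0, 21.1, 21.1, -40.0, 40.0, -40.0, 40.0, 21.2};
#define SAMPLE_N ((int)(sizeof SAMPLE_V / sizeof SAMPLE_V[0]))

int main(void)
{
    tag_monitor m;
    int verdicts[SAMPLE_N];
    /* Assumed bounds for an indoor temperature tag: -10..60 C, at most 0.5 C per second. */
    tag_monitor_init(&m, -10.0, 60.0, 0.5);
    int flagged = count_flagged(&m, SAMPLE_T, SAMPLE_V, SAMPLE_N, verdicts);
    for (int i = 0; i < SAMPLE_N; i++)
        printf("t=%.0f value=%6.1f verdict=%d\n", SAMPLE_T[i], SAMPLE_V[i], verdicts[i]);
    printf("%d of %d readings flagged\n", flagged, SAMPLE_N);
    return 0;
}
```

The +40°C samples sit inside the configured range, so a range check alone would pass them; it is the rate-of-change test against the last accepted reading that catches them. Bounds and rate limits have to come from process engineering for each tag, and a flag should raise an alert about the path the reading took (converter, serial link, sensor), not silently discard the value.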
The Structural Problem Persists
BRIDGE:BREAK is a single research project covering two vendors. The same firmware monoculture and update-neglect pattern Forescout documented in Lantronix and Silex is present across the broader serial device server market. Similar devices from Moxa, Digi International, Perle, and others serve the same deployment contexts with the same architectural profile.
CISA's KEV addition of CVE-2025-67038 confirms what Forescout's exposure data suggested: these devices are being actively targeted. The three-day federal remediation deadline signals that CISA assessed exploitation risk as high enough to warrant emergency treatment, not standard patch cycle handling.
For organisations whose operational technology networks include serial device servers, and that is most organisations with industrial, utilities, healthcare, or building automation infrastructure, BRIDGE:BREAK is a prompt to treat this device class with the same urgency that is now standard for internet-facing enterprise software. The vulnerability class is decades old. The exploitation is confirmed. The patch exists. The only remaining variable is whether the operational team knows the device is there.
References
| Resource | Type |
|---|---|
| Forescout Vedere Labs — BRIDGE:BREAK: Exploiting Serial-to-Ethernet Converters in Critical Infrastructure | Security Research |
| CISA ICS Advisory ICSA-26-069-02 — Lantronix EDS3000PS and EDS5000 | US Government |
| NVD — CVE-2025-67038 | Vulnerability Database |
| CISA KEV Catalog Entry — CVE-2025-67038 | US Government |
| Lantronix EDS5000 Series Latest Firmware | Vendor Advisory |
| 22 BRIDGE:BREAK Flaws Expose 20,000 Serial-to-Ethernet Converters | News |