The Bridge Nobody Watches
A critical, pre-authentication flaw in Lantronix serial converters is now under active attack. Here is what OT and IT leaders need to know, and what to do this week.
On June 23, 2026, CISA added four vulnerabilities to its Known Exploited Vulnerabilities catalog. Three affect Ubiquiti UniFi OS. The fourth should concern anyone responsible for operational technology: CVE-2025-67038, a critical code injection flaw in the Lantronix EDS5000 serial-to-IP converter. It carries a CVSS score of 9.8, it is actively exploited, and CISA assesses it as automatable. The detail that makes it dangerous is simple: the vulnerable code runs before authentication succeeds, so an attacker does not need a valid login. If you operate substations, water systems, manufacturing lines, building systems, or hospitals, this may be a device you own and are not watching.
What a serial-to-IP converter actually is, and why you have one
Most of the physical world still speaks serial. Remote terminal units and protection relays in the power grid, programmable logic controllers on the plant floor, bedside patient monitors in the ICU, point-of-sale terminals, and fuel tank gauges at gas stations all communicate over decades-old serial standards like RS232, RS422, and RS485. A serial-to-IP converter, also called a serial device server, is the quiet box that lets that legacy equipment talk to a modern IP network for remote monitoring and management, without anyone having to rip out and replace the field gear.
The Lantronix EDS5000 is a rack-mountable example, supporting 8, 16, or 32 serial ports. It runs an embedded Linux operating system and is managed over a web interface, a command line, SSH, and SNMP. Lantronix markets the family for energy, cities, medical, industrial, retail and point-of-sale, robotics, financial, and security environments. In healthcare, for instance, Fukuda Denshi networked its ICU patient monitors using Lantronix device servers so that vital-sign data could flow in real time to a central station.
That is the role these devices play, and it is exactly why they matter. They sit on the boundary between your IT network and the physical processes that keep the lights on, the water flowing, and patients monitored. And because they are appliances rather than servers, they rarely get the patching, monitoring, and attention that the rest of the estate receives.
The flaw, in plain terms
CVE-2025-67038 lives in the EDS5000 web management interface. When a login attempt fails, the device writes a log entry, and to do that it runs a shell command on the underlying operating system. The username from the failed attempt is dropped straight into that command with no sanitization. So an attacker can submit a "username" that is not a name at all but a string of operating system commands. The login fails as expected, the device dutifully logs it, and in doing so it executes the attacker's commands as root.
This is a classic command injection, formally CWE-94, Improper Control of Generation of Code. What elevates it from serious to critical is the access required, which is none. Because the vulnerable path runs on a failed login, the attacker never needs valid credentials. That is reflected in the CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), network reachable, low complexity, no privileges, no user interaction, with high impact to confidentiality, integrity, and availability. CISA's decision data tells the rest of the story: exploitation active, automatable yes, technical impact total.
It helps to see this flaw next to its close sibling from the same research, because they are easy to confuse and the difference matters.
| Attribute | CVE-2025-67038 KEV | CVE-2025-67037 |
|---|---|---|
| Where | HTTP RPC module, username field logged on failed authentication | Tunnel parameter, on tunnel termination |
| Login required | No. Pre-authentication | Yes. Authenticated, low privilege |
| CVSS | 9.8 Critical | 8.8 High |
| Weakness | Code injection (CWE-94) | Code injection (CWE-94) |
| Result | Arbitrary OS commands as root | Arbitrary OS commands as root |
| Status | Actively exploited, in CISA KEV | Not currently in KEV |
Both belong to a cluster that Forescout's Vedere Labs published in April 2026 under the name BRIDGE:BREAK, 22 vulnerabilities across Lantronix and Silex serial-to-IP converters. That research is the useful backdrop here: it showed how weak this whole device family is, and that these converters are attractive targets. The researchers also found that, on average, each firmware image they analyzed carried roughly 80 open-source components, more than 2,200 known Linux kernel vulnerabilities, and 89 publicly available exploits. CVE-2025-67038 is simply the one from that cluster that CISA has now confirmed is being exploited in the wild.
Why it matters
Root on the converter means control of the bridge, and control of the bridge means control of the data crossing it in both directions.
An attacker with code execution on the device can alter sensor readings on their way to the operator, change commands on their way to the actuator, disrupt the serial communications entirely, pivot deeper into the operational network, and install persistence that survives a reboot. This is not theoretical. In 2015, an attack against Ukraine corrupted the firmware of serial-to-IP converters and left electrical substations inoperable remotely. Substations in Denmark were targeted through exposed edge devices in 2022, and the Polish grid saw these converters targeted again in 2025. Those incidents predate this specific flaw, and they are why we treat this device class as a known target rather than a hypothetical one.
The data-tampering risk is the one we find most under-appreciated. In Forescout's lab, a serial thermometer feeding a SCADA display read a stable 24 degrees Celsius. After the converter was compromised, the same display oscillated wildly between minus 40 and plus 40, and the researchers noted the reverse is just as feasible, making a genuinely unstable signal appear calm. Now picture that manipulation applied to a patient's heart-rate feed in an ICU, or to a pressure reading on a water system. The threat is not only downtime. It is the quiet erosion of trust in the data your operators and clinicians are acting on.
When a flaw is pre-authentication, automatable, and sitting on the public internet, you are no longer defending against a targeted adversary. You are defending against a script.
How exposed are we?
A Shodan search for the Lantronix product fingerprint returns over 5,300 devices reachable on the public internet worldwide, with more than 2,100 in the United States. Over 3,600 devices expose the Lantronix discovery service on port 30718, more than 1,400 of them in the U.S. Step back to the whole category and Forescout counted nearly 20,000 serial-to-Ethernet converters exposed globally across vendors.
A fair caveat: internet exposure does not prove that every one of those devices is the vulnerable model running the vulnerable firmware. But it does tell us the attack surface is large, reachable, and concentrated in exactly the economies that run the most critical infrastructure. Many of these boxes were installed years ago by integrators and then forgotten. The honest reading is that the public counts are a floor, not a ceiling.
What to do
This is a manageable problem if you treat it with the urgency the KEV listing implies. Here is the sequence we would run, ordered by what buys you the most risk reduction fastest.
This week
- Find them. Inventory your environment for Lantronix EDS, UDS, and EDS5000 units and any serial device servers from any vendor. Use passive network discovery, your asset database, the discovery service on port 30718, and a Shodan or Censys look at your own public IP ranges.
- Get them off the internet. No management interface for one of these devices should be reachable from the public internet. Place it behind a VPN or a jump host immediately.
- Patch to the advisory. Apply the fixed firmware identified in the Lantronix security advisory and CISA ICS advisory ICSA-26-069-02. We point to the advisory rather than naming a version here on purpose, because firmware naming in this family has been inconsistent, so confirm the fixed build for your exact model against the vendor advisory.
This month
- Segment hard. Put converters on dedicated VLANs or subnets, use ACLs so only pre-approved management workstations can reach the web interface, and constrain each device to talk only to the serial equipment it serves and the IP systems that genuinely need that data.
- Fix credentials anyway. Replace default credentials and prohibit weak passwords. CVE-2025-67038 is pre-authentication, so credentials alone will not stop it, but this closes the authenticated siblings in the same cluster.
- Build detection. Monitor HTTP and HTTPS traffic to these devices for shell metacharacters such as semicolons, pipes, ampersands, dollar-parentheses, and backticks in the username and tunnel parameters. Deploy intrusion-detection rules for command-injection patterns aimed at serial device servers, centralize device logs, baseline normal management access, and alert on deviations and on unexpected outbound connections from the device itself.
As a standing practice
- Govern by exploitability. Federal agencies now operate under Binding Operational Directive 26-04, which prioritizes rapid remediation of KEV vulnerabilities on publicly exposed assets that grant total control after exploitation. You are almost certainly not bound by it, but it is a sound model: treat exploited, internet-exposed, full-takeover bugs as drop-everything work.
The deeper lesson
Serial-to-IP converters are the soft underbelly of operational technology and connected healthcare. They are hard to patch, easy to forget, and almost never instrumented. You usually cannot install an endpoint agent on one, and you frequently cannot take it offline on your own schedule. That combination, an asset you cannot fully prevent attacks against and cannot freely take down, is precisely where fast detection earns its keep.
This is the work we focus on at Deception Check. A decoy that looks like a serial device server, or a honeytoken that mimics a converter's management interface, turns an attacker's very first probe into a high-confidence alert, with no agent on the fragile device and no patch window required. When you cannot prevent quickly, you have to detect quickly. The converter you cannot patch today is the one most worth watching.
Find your Lantronix converters. Get them off the internet. Patch to the advisory. Watch the ones you cannot. The boxes that bridge old and new are now a front line.
Sources
- CISA, "CISA Adds Four Known Exploited Vulnerabilities to Catalog," June 23, 2026. https://www.cisa.gov/news-events/alerts/2026/06/23/cisa-adds-four-known-exploited-vulnerabilities-catalog
- CVE Record, CVE-2025-67038. https://www.cve.org/CVERecord?id=CVE-2025-67038
- CISA ICS Advisory ICSA-26-069-02. https://www.cisa.gov/news-events/ics-advisories/icsa-26-069-02
- Forescout Vedere Labs, "Exploiting Serial-to-Ethernet Converters in Critical Infrastructure" (BRIDGE:BREAK). https://www.forescout.com/blog/exploiting-serial-to-ethernet-converters-in-critical-infrastructure/
- The Hacker News, "22 BRIDGE:BREAK Flaws Expose Thousands of Lantronix and Silex Serial-to-IP Converters," April 2026.
- Security Affairs, "U.S. CISA adds Ubiquiti UniFi OS and Lantronix EDS5000 flaws to its KEV catalog," June 24, 2026.
- SentinelOne Vulnerability Database, CVE-2025-67037. https://www.sentinelone.com/vulnerability-database/cve-2025-67037/
- Lantronix EDS5000 Series product brief and user guide (MPB-00218 Rev D). https://www.lantronix.com/eds5000-series
- Lantronix case study, "Fukuda Denshi: Remote Access to Critical Health Information."
- Shodan, point-in-time queries product:"Lantronix" and port:30718, June 2026. https://www.shodan.io
Deception Check builds deception and early-warning capabilities for the operational technology and healthcare systems that conventional tools cannot reach. We help organizations detect attackers on the devices they cannot patch, cannot take offline, and cannot run an agent on. This briefing is provided for educational purposes and ref