- What: CVE-2025-67038, an unauthenticated OS command injection in Lantronix EDS5000 serial-to-IP device servers (commands injected through the username parameter run as root), was added to CISA's Known Exploited Vulnerabilities catalog on June 23, 2026.
- Impact: Full root control of the box that bridges OT and ICS serial equipment to the IP network: lateral movement, command-and-control, data exfiltration, operational disruption, and manipulation of sensor readings (demonstrated by researchers in industrial and healthcare settings).
- Fix / mitigation: Apply Lantronix's patches (released April 2026), get these devices off the public internet, and segment OT networks. Federal compliance deadline was June 26, 2026.
- Who's at risk: Operators of OT/ICS in critical infrastructure and healthcare running Lantronix serial-to-IP servers. ZoomEye found thousands internet-exposed, primarily in the United States.
The most dangerous devices on an OT network are rarely the flashy ones. They are the small, forgotten boxes that have done one quiet job for fifteen years. A serial-to-IP converter is exactly that: a little device server that takes a decades-old serial connection from industrial equipment (a PLC, a sensor, a medical device) and puts it on the IP network so it can be reached remotely. CVE-2025-67038 turns one of the most common of these, the Lantronix EDS5000, into a remote root foothold.
The flaw is an unauthenticated OS command injection: an attacker sends crafted input in the username parameter, and the device executes it as commands with root privileges. No credentials, no second step. CISA added CVE-2025-67038 to its Known Exploited Vulnerabilities catalog on June 23, 2026, with a federal remediation deadline of June 26.
This was found by hunters, and exploited by hunters
CVE-2025-67038 came out of BRIDGE:BREAK, a research project from Forescout that disclosed 20 serial-to-IP vulnerabilities across Lantronix and Silex products in April 2026. The researchers did not just find bugs; they demonstrated manipulating sensor readings in industrial and healthcare environments, the kind of tampering that does not trip a security alert but quietly corrupts the data an operator trusts.
Forescout observed exploitation in a honeypot on April 5, 2026, after Lantronix shipped patches but before technical details were public. The traffic combined automated command-injection testing with Lantronix-specific fingerprinting, and the researchers noted it "was not consistent with a typical botnet or broad vulnerability scanner." Translation: someone knew exactly what they were looking for.
Why root on a converter is a serious problem
This device sits at the boundary between the network and physical equipment, and that position is the whole point of attacking it. Root on the converter gives an attacker full device control, and from there: a quiet foothold for lateral movement deeper into the OT network, a command-and-control channel that lives on a device nobody monitors, a data-exfiltration path, and the ability to disrupt operations by changing the device configuration or planting malware.
These boxes are the soft underbelly of OT for three reasons that all stack on each other: they have no native endpoint detection, they run for years without firmware updates, and far too many of them are reachable directly from the internet. ZoomEye counted thousands of exposed Lantronix systems, the majority in the United States.
CVE-2025-67038 is tracked in the RedEye CVE Index, and unauthenticated command injection against an exposed device server is a clean detection signal: anomalous requests to the management interface, and outbound connections from a device that should only ever talk to a small, fixed set of peers. Those are exactly the events the RedEye Intel Feed ships, so an exploitation attempt against a serial-to-IP box becomes a fired alert instead of an invisible foothold.
What defenders should do now
- Patch the EDS5000, and inventory the rest. Apply Lantronix's April 2026 fixes. Then find every serial-to-IP and device-server product you run (Lantronix, Silex, and similar), because BRIDGE:BREAK was a class of bugs, not a single one.
- Get them off the public internet. A serial-to-IP converter has no business being internet-reachable. Put it behind a VPN or jump host and restrict management access to known internal hosts.
- Segment and watch the boundary. These devices should talk to a tiny, predictable set of peers. Alert on anything else: new outbound connections, management-interface access from unexpected sources, configuration changes.
- Treat exposed-and-unpatched as compromised. Given confirmed, targeted exploitation, any internet-facing EDS5000 that was unpatched should be triaged as a potential incident, not just a patch ticket.
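The two detection signals called out above (anomalous management-interface requests, and a device server talking to a peer it should never talk to) and the "segment and watch the boundary" step can be turned into concrete logic. The following is an added example, not code from RedEye, Forescout or Lantronix; the log formats, IP addresses, the `/login` path with a `username` query parameter, and the device/peer inventory are all constructed assumptions standing in for your own asset inventory and log sources.

```python
"""Boundary detections for serial-to-IP device servers, run over constructed
sample records. Added example; log formats, addresses and the inventory below
are assumptions, not data from the advisory or the vendor."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed inventory: each device server and the only peers it should talk to
# (e.g. a historian and an engineering workstation). Real values come from your
# asset inventory and an observed-traffic baseline.
DEVICE_PEERS = {
    "10.20.0.15": {"10.20.0.2", "10.20.0.3"},
    "10.20.0.16": {"10.20.0.2"},
}

# Management-interface logins should only originate from the jump host (assumed).
ALLOWED_MGMT_SOURCES = {"10.20.0.3"}

# Shell metacharacters that have no legitimate place in a login username.
SHELL_META = re.compile(r"[;|&`$(){}<>\n]")

# Constructed HTTP access-log lines in the shape "src dst method path".
ACCESS_LOG = [
    "10.20.0.3 10.20.0.15 POST /login?username=operator&password=REDACTED",
    "198.51.100.7 10.20.0.15 POST /login?username=admin%3Bid&password=x",
    "198.51.100.7 10.20.0.16 GET /login?username=admin",
]

# Constructed connection records (flow-log style) in the shape "src dst dport".
CONN_LOG = [
    "10.20.0.15 10.20.0.2 502",
    "10.20.0.15 203.0.113.9 4444",
    "10.20.0.16 10.20.0.2 502",
]


def inspect_access_line(line):
    """Return alerts for one management-interface request against a device server."""
    src, dst, _method, target = line.split(" ", 3)
    alerts = []
    if dst not in DEVICE_PEERS:          # not one of our device servers
        return alerts
    if src not in ALLOWED_MGMT_SOURCES:  # management access from an unexpected source
        alerts.append(("mgmt_access_unexpected_source", src, dst))
    # parse_qs percent-decodes values, so an encoded ';' is caught as well.
    for username in parse_qs(urlsplit(target).query).get("username", []):
        if SHELL_META.search(username):
            alerts.append(("username_shell_metachar", src, dst))
    return alerts


def inspect_conn_line(line):
    """Return an alert if a device server connects to a peer outside its allowlist."""
    src, dst, dport = line.split()
    if src in DEVICE_PEERS and dst not in DEVICE_PEERS[src]:
        return [("device_outbound_unexpected_peer", src, dst, int(dport))]
    return []


def run_detections(access_log=ACCESS_LOG, conn_log=CONN_LOG):
    """Run both detections and return the combined alert list."""
    alerts = []
    for line in access_log:
        alerts.extend(inspect_access_line(line))
    for line in conn_log:
        alerts.extend(inspect_conn_line(line))
    return alerts


if __name__ == "__main__":
    for alert in run_detections():
        print(alert)
```

The peer allowlist is the important part: once a converter's legitimate peers are enumerated (and they are usually only two or three hosts), any new destination is suspicious on its own, without needing to know the attacker's command-and-control address in advance. The username check is a cheap secondary signal; it catches the obvious injection attempts but should not be relied on alone, since the page notes the observed exploitation was targeted rather than noisy.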
Do you know where your serial-to-IP devices are?
RedEye Security helps OT and critical-infrastructure operators find their exposed device servers, ship detections for active campaigns, and turn KEV-listed CVEs into alerts instead of incidents.
Source: SecurityWeek, "Lantronix Serial-to-IP Converter Flaw Exploited in Attacks After OT Threat Warning", reporting on Forescout's BRIDGE:BREAK research and CISA's KEV addition.
