New research from Forescout Technologies uncovers 22 previously unknown vulnerabilities in serial-to-IP converters, with thousands of exposed devices identified online. Detailed in the ‘BRIDGE:BREAK’ report, the flaws affect widely deployed products from Lantronix and Silex Technology, creating pathways for operational disruption, lateral movement, and data tampering.
The findings underscore a persistent challenge in post-Mythos environments: understanding risk in OT (operational technology) environments still depends on visibility into how devices behave, communicate, and fail in real-world conditions. The report shows how these vulnerabilities could be exploited to compromise the integrity of data flows between industrial systems and the networks that monitor and manage them.
“Serial-to-IP converters sit directly in the path between operators and physical processes, yet they often fall outside traditional security monitoring,” Daniel dos Santos, vice president of research at Forescout, said in a Tuesday media statement. “AI will undoubtedly accelerate vulnerability discovery across a wide range of technologies, but vulnerabilities are not everything. Identifying the most consequential risks, especially in operational environments, still requires insight into how devices behave, communicate, and fail in context.”
He added that when defenders lack complete asset visibility and a clear view of east-west communication patterns, attackers gain opportunities to disrupt operations, pivot across networks, or manipulate data in ways that undermine trust. “Our BRIDGE:BREAK research underscores why these bridge devices deserve the same security scrutiny as other critical infrastructure systems.”
The BRIDGE:BREAK research shows that flaws in Lantronix and Silex products could enable remote code execution, authentication bypass, firmware tampering, denial-of-service attacks, and data manipulation, allowing adversaries to disrupt operations, pivot across networks, or alter communications between monitoring systems and physical processes. By demonstrating how attackers could tamper with sensor readings or interfere with control commands, the report underscores how these ‘in-path’ devices, commonly used across utilities, manufacturing, healthcare, and telecommunications, expand the attack surface in OT environments, particularly when they fall outside traditional security visibility and lack adequate controls.
Serial-to-IP converters are niche but critical devices that bridge legacy serial equipment to modern TCP/IP networks. These devices are widely used in hospitals, factories, and electrical substations to connect medical devices, PLCs (programmable logic controllers), sensors, and ICS (industrial control systems). They allow traditional serial equipment to communicate over modern IP networks for remote monitoring and management.
While these converters are typically not intended to be exposed to the internet, attackers may still reach them through several initial access vectors. In Poland, initial access was reportedly achieved via internet-facing VPN (virtual private network) concentrators. In other environments, access could be gained through compromised IT workstations or via deep lateral movement in OT networks.
Despite their mundane appearance, these devices carry serious security implications. They’ve been targeted in major infrastructure attacks, most notably in Ukraine in 2015, where corrupted firmware on serial-to-IP converters took electrical substations offline, and again in the Polish power grid in 2025. As attacks on critical infrastructure have grown more frequent, this report examines the current security posture of these often-overlooked devices.
The BRIDGE:BREAK research analyzed firmware from five major vendors of serial-to-IP converters and found that each firmware image contained, on average, 80 identified open-source software components; 2,255 known vulnerabilities affecting the Linux kernel and 212 known vulnerabilities affecting other open-source components; and 89 publicly available exploits.
The researchers manually analyzed three devices to identify new vulnerabilities, including the Lantronix EDS3000PS Series, a compact office-grade multi-serial-port server with 8 to 16 ports, the Lantronix EDS5000 Series, which supports 8, 16, or 32 serial ports in a rack-mount configuration, and the Silex SD-330AC, a small device designed to connect RS-232C serial equipment over wireless or Ethernet networks.
They identified eight new vulnerabilities affecting products from Lantronix and twelve affecting devices from Silex Technology. They also confirmed that two known n-day vulnerabilities, CVE-2015-5621 and CVE-2024-24487, impact Silex products. At a high level, the vulnerabilities enable remote code execution through operating system command injection and memory corruption, including buffer overflows. They also allow device takeover through authentication weaknesses and open the door to firmware tampering due to the use of a hardcoded signing key.
Additional risks include denial-of-service conditions, arbitrary file uploads, authentication bypass, and information disclosure, including exposure of passwords and cryptographic keys due to weak encryption.
The BRIDGE:BREAK report identified that attackers can achieve at least three types of impact when targeting serial-to-IP converters. These include denial-of-service, which remains a proven tactic. Incidents in 2015 and 2025 showed how adversaries can disrupt serial communications with field devices using different methods, from firmware corruption to forcing unreachable IP configurations. The report demonstrates that firmware vulnerabilities can also be used to trigger time-based denial-of-service conditions, allowing attackers to coordinate disruptions with other malicious actions.
The research also highlights the risk of lateral movement. Earlier work showed how attackers can move across non-routable OT network boundaries by exploiting controller-level devices. In this case, the focus shifts to serial-to-IP converters as another pathway for crossing segmented environments and extending an intrusion deeper into operational systems.
Equally concerning is the potential for sensor and actuator data tampering. Attackers could manipulate serial data as it transitions into IP networks, altering readings such as temperature, pressure, humidity, flow rates, or even patient heart rate data. In the opposite direction, commands sent from IP networks to serial-connected devices could be modified before reaching actuators, enabling changes to physical processes such as the speed or direction of a servo motor.
Forescout noted that a well-known precedent is Stuxnet, which altered operator visibility while covertly manipulating industrial processes. Although Stuxnet targeted PLCs, similar “manipulation of view” outcomes could be achieved in some environments through compromised serial-to-IP converters, aligning with the MITRE ATT&CK for ICS technique T0832, where adversaries distort what operators see to influence decisions and outcomes.
The BRIDGE:BREAK research added that once a converter is compromised, attackers can tamper with serial communication in both directions. Also, serial protocols often lack authentication or encryption. As a result, attackers may be able to influence devices and processes that rely on that serial link.
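The point that serial protocols carry no authentication, so an in-path device can substitute readings without the receiver noticing, can be shown concretely. The Go program below is an added example, not code from the Forescout report or from either vendor: it implements the Modbus RTU CRC-16 check (the only integrity check that protocol offers) and a hypothetical HMAC-based envelope for the IP leg of the link. The key, the sequence numbers and the sensor values are constructed for the demonstration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// crc16Modbus implements the Modbus RTU CRC-16 (init 0xFFFF, reflected polynomial 0xA001).
func crc16Modbus(data []byte) uint16 {
	crc := uint16(0xFFFF)
	for _, b := range data {
		crc ^= uint16(b)
		for i := 0; i < 8; i++ {
			if crc&1 != 0 {
				crc = (crc >> 1) ^ 0xA001
			} else {
				crc >>= 1
			}
		}
	}
	return crc
}

// buildFrame appends the CRC to a PDU, low byte first, as Modbus RTU puts it on the wire.
func buildFrame(pdu []byte) []byte {
	crc := crc16Modbus(pdu)
	frame := append([]byte{}, pdu...)
	return append(frame, byte(crc), byte(crc>>8))
}

// crcValid is the only integrity check plain Modbus RTU offers: recompute the CRC and compare.
// It detects line noise, not deliberate substitution, because any well-formed frame passes.
func crcValid(frame []byte) bool {
	if len(frame) < 3 {
		return false
	}
	body, trailer := frame[:len(frame)-2], frame[len(frame)-2:]
	return binary.LittleEndian.Uint16(trailer) == crc16Modbus(body)
}

// readResponse builds a "read holding registers" response (function 0x03) carrying one 16-bit reading.
func readResponse(unit byte, value uint16) []byte {
	return buildFrame([]byte{unit, 0x03, 0x02, byte(value >> 8), byte(value)})
}

// Sealed is a hypothetical envelope for the IP leg of the link: the serial frame plus an
// HMAC-SHA256 tag over (sequence number || frame) under a key only the two IP-side endpoints hold.
type Sealed struct {
	Seq   uint32
	Frame []byte
	Tag   []byte
}

func tag(key []byte, seq uint32, frame []byte) []byte {
	m := hmac.New(sha256.New, key)
	binary.Write(m, binary.BigEndian, seq)
	m.Write(frame)
	return m.Sum(nil)
}

func sealFrame(key []byte, seq uint32, frame []byte) Sealed {
	return Sealed{Seq: seq, Frame: frame, Tag: tag(key, seq, frame)}
}

// openFrame accepts only an unmodified frame carrying the sequence number the receiver expects,
// so both a substituted reading and a replay of an earlier frame are rejected.
func openFrame(key []byte, s Sealed, expectSeq uint32) bool {
	return s.Seq == expectSeq && hmac.Equal(tag(key, s.Seq, s.Frame), s.Tag)
}

func main() {
	key := []byte("constructed-demo-key-not-for-use") // constructed; a real key is provisioned per link
	genuine := readResponse(1, 23)                    // the sensor's reading
	altered := readResponse(1, 190)                   // a substituted reading, the failure mode the report describes

	fmt.Println("genuine frame passes CRC:", crcValid(genuine))
	fmt.Println("altered frame passes CRC:", crcValid(altered)) // true: CRC cannot tell them apart

	s := sealFrame(key, 7, genuine)
	fmt.Println("sealed genuine accepted:", openFrame(key, s, 7))
	fmt.Println("sealed altered accepted:", openFrame(key, Sealed{Seq: 7, Frame: altered, Tag: s.Tag}, 7))
	fmt.Println("replayed frame accepted:", openFrame(key, s, 8))
}
```

The substituted reading passes the CRC check because every well-formed frame does; the keyed tag, bound to a sequence number, rejects both the substitution and a replayed frame. Note what the envelope does not cover: it protects only the IP segment between two endpoints that hold the key, and the serial leg itself stays unauthenticated, which is why the report's segmentation and monitoring recommendations still matter.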
In conclusion, the research highlights weaknesses in serial-to-IP converters and the risks they can introduce in critical environments. As these devices are increasingly deployed to connect legacy serial equipment to IP networks, vendors and end-users should treat their security implications as a core operational requirement.
Based on the new vulnerabilities and attack scenarios demonstrated in the BRIDGE:BREAK research, the prior attack evidence, and the available deployment information, Forescout recommends patching vulnerable devices as soon as possible. Lantronix has released two firmware updates that address the issues: 2.2.0.0R1 for the EDS5000 series and 3.2.0.0R2 for the EDS3000 series. Silex has also released updates to address the issues.
Beyond patching, organizations should replace default credentials and eliminate weak passwords to reduce the risk of exploitation through authenticated vulnerabilities. Network segmentation is also critical to prevent threat actors from reaching vulnerable serial-to-IP converters or using them as a pivot to compromise other critical assets.
These devices should not be exposed to the internet under any circumstances. Access to management interfaces, such as web-based consoles, must be tightly controlled so that only preapproved management workstations can connect. Organizations should also place these devices within dedicated subnetworks or VLANs, limiting communication strictly to the serial devices they manage and the IP-side systems that require access to that data.
Continuous monitoring is essential. Teams should watch for signs of exploitation targeting serial-to-IP converters and for unusual communication patterns that may indicate attempts to intercept, manipulate, or misuse data flowing across the serial link.
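One way to put the dedicated-subnet and monitoring recommendations into practice is to write the permitted communication down as a policy and audit connection records against it. The Go program below is an added example, not a Forescout tool: it assumes a flow export in a simple `src,dst,dport` form, a converter at a constructed address, management console ports 80 and 443, and a serial-tunnel port of 10001. All of those values are assumptions for the demonstration and should be replaced with the real inventory.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// Flow is one connection record: source host, destination host, destination port.
type Flow struct {
	Src, Dst string
	DstPort  int
}

// parseFlow reads one "src,dst,dport" record (a constructed format; map your collector's export to it).
func parseFlow(line string) (Flow, error) {
	parts := strings.Split(strings.TrimSpace(line), ",")
	if len(parts) != 3 {
		return Flow{}, fmt.Errorf("malformed record %q", line)
	}
	if net.ParseIP(parts[0]) == nil || net.ParseIP(parts[1]) == nil {
		return Flow{}, fmt.Errorf("bad address in %q", line)
	}
	port, err := strconv.Atoi(parts[2])
	if err != nil {
		return Flow{}, fmt.Errorf("bad port in %q", line)
	}
	return Flow{Src: parts[0], Dst: parts[1], DstPort: port}, nil
}

// Policy is the allowlist for one converter: who may reach its console, who may consume its
// serial data, and (by omission) that it should talk to nothing else.
type Policy struct {
	Converter  string
	MgmtPorts  map[int]bool    // web console / SSH ports on the converter
	MgmtHosts  map[string]bool // preapproved management workstations
	TunnelPort int             // serial-over-IP port (assumed value in DemoPolicy)
	DataHosts  map[string]bool // IP-side systems that need the serial data
}

// Check returns an empty string when the flow is allowed, otherwise a finding.
func (p Policy) Check(f Flow) string {
	if f.Src != p.Converter && f.Dst != p.Converter {
		return "" // not this converter's traffic
	}
	if !net.ParseIP(f.Src).IsPrivate() || !net.ParseIP(f.Dst).IsPrivate() {
		return "converter exchanging traffic with a public address (internet exposure)"
	}
	switch {
	case f.Dst == p.Converter && p.MgmtPorts[f.DstPort]:
		if !p.MgmtHosts[f.Src] {
			return "management console reached from unapproved host " + f.Src
		}
	case f.Dst == p.Converter && f.DstPort == p.TunnelPort:
		if !p.DataHosts[f.Src] {
			return "serial tunnel reached from unapproved host " + f.Src
		}
	case f.Dst == p.Converter:
		return fmt.Sprintf("connection to unexpected port %d on converter", f.DstPort)
	case f.Src == p.Converter:
		if !p.DataHosts[f.Dst] {
			return "converter initiated connection to " + f.Dst + " (possible pivot)"
		}
	}
	return ""
}

// Audit runs every record through the policy and returns one finding per violation or unparsable line.
func Audit(p Policy, lines []string) []string {
	var findings []string
	for _, line := range lines {
		f, err := parseFlow(line)
		if err != nil {
			findings = append(findings, err.Error())
			continue
		}
		if msg := p.Check(f); msg != "" {
			findings = append(findings, line+": "+msg)
		}
	}
	return findings
}

// DemoPolicy and DemoFlows are constructed sample data, not addresses or ports from the report.
var DemoPolicy = Policy{
	Converter:  "10.20.30.5",
	MgmtPorts:  map[int]bool{80: true, 443: true},
	MgmtHosts:  map[string]bool{"10.20.30.10": true},
	TunnelPort: 10001, // assumed; use the port configured on the device
	DataHosts:  map[string]bool{"10.20.40.7": true},
}

var DemoFlows = []string{
	"10.20.40.7,10.20.30.5,10001", // SCADA host reading the serial link: allowed
	"10.20.30.10,10.20.30.5,443",  // approved workstation on the web console: allowed
	"10.20.50.33,10.20.30.5,80",   // console reached from an unapproved host
	"10.20.30.5,10.20.60.12,445",  // converter reaching out to a file server: pivot indicator
	"198.51.100.9,10.20.30.5,23",  // traffic from a public address
	"10.20.40.7,10.20.40.8,22",    // unrelated traffic: ignored
	"not,a,record,at,all",         // unparsable export line
}

func main() {
	for _, finding := range Audit(DemoPolicy, DemoFlows) {
		fmt.Println(finding)
	}
}
```

Unparsable lines are reported rather than skipped, because a collector that silently drops records is itself a visibility gap. The public-address check runs before the port checks so that internet exposure is always the finding that surfaces, whatever port was involved.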
Forescout also outlined a set of recommendations for vendors aimed at reducing systemic risk in serial-to-IP converters and similar embedded devices. It calls for a secure-by-design approach that treats security as a core business requirement, supported by a secure development lifecycle that embeds security controls at every stage of software development.
Vendors are urged to use Linux kernel versions that are as current as practical and supported over a long lifecycle, while maintaining a clear inventory of all software components included in firmware so that known vulnerabilities can be tracked and patched. The report also stresses the importance of binary hardening techniques to raise the bar for exploitation.
Regular security testing is another priority, particularly for commonly targeted interfaces such as web-based management consoles, to ensure vulnerabilities are identified before products are released. In parallel, vendors should rely on well-vetted protocols and implement robust signing and encryption mechanisms, with a specific emphasis on using asymmetric cryptography for firmware signing and verification. Finally, the report suggests that vendors take a more proactive role in identifying devices exposed to the internet and notifying customers of these misconfigurations before they can be exploited.
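The difference between the hardcoded signing key described earlier and the asymmetric firmware signing the report recommends comes down to what the device has to hold in order to verify an image. The Go program below is an added example, not either vendor's update mechanism: it contrasts an HMAC-based check, where the verification key is by construction also the signing key, with Ed25519, where the device stores only a public key. The key material and image bytes are generated or constructed inside the program.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// --- Scheme 1: symmetric "signature" with a key the device must hold to verify ---

// hmacSign produces the tag a vendor tool would attach to an image.
func hmacSign(key, image []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(image)
	return m.Sum(nil)
}

// hmacVerify is what the device runs at update time. It needs the same key the signer used,
// so that key has to ship inside every unit.
func hmacVerify(key, image, tag []byte) bool {
	return hmac.Equal(hmacSign(key, image), tag)
}

// hmacVerifierCanForge shows the structural flaw: the material present on the device is
// enough to produce a valid tag for any new image.
func hmacVerifierCanForge(deviceKey, newImage []byte) bool {
	return hmacVerify(deviceKey, newImage, hmacSign(deviceKey, newImage))
}

// --- Scheme 2: asymmetric signature; the device stores only the public key ---

// ed25519Verify is the device-side check. Nothing in it can produce a signature.
func ed25519Verify(pub ed25519.PublicKey, image, sig []byte) bool {
	return len(sig) == ed25519.SignatureSize && ed25519.Verify(pub, image, sig)
}

// ed25519VerifierCanForge attempts the analogous trick with the only material the device has:
// sign with some other private key and see whether the device's public key accepts it.
func ed25519VerifierCanForge(pub ed25519.PublicKey, newImage []byte) bool {
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return ed25519Verify(pub, newImage, ed25519.Sign(otherPriv, newImage))
}

// acceptUpdate models the device-side decision: install only if the signature verifies under
// the public key provisioned into the device; an altered image or a wrong signer is refused.
func acceptUpdate(devicePub ed25519.PublicKey, image, sig []byte) bool {
	return ed25519Verify(devicePub, image, sig)
}

func main() {
	image := []byte("constructed firmware image bytes v1")
	patched := []byte("constructed firmware image bytes v1 with one byte changed")

	// Symmetric scheme: the key on the device is, by construction, also the signing key.
	deviceKey := []byte("hardcoded-key-shared-by-every-unit") // constructed stand-in for a key embedded in firmware
	fmt.Println("HMAC scheme, device material forges signatures:", hmacVerifierCanForge(deviceKey, patched))

	// Asymmetric scheme: the vendor keeps priv offline; the device holds pub only.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	sig := ed25519.Sign(priv, image)
	fmt.Println("genuine image accepted:", acceptUpdate(pub, image, sig))
	fmt.Println("altered image accepted:", acceptUpdate(pub, patched, sig))
	fmt.Println("Ed25519 scheme, device material forges signatures:", ed25519VerifierCanForge(pub, patched))
}
```

With the HMAC scheme, extracting the key from one unit's firmware yields a signing key valid for every unit, which is exactly the firmware-tampering exposure a hardcoded signing key creates. With Ed25519 the public key is not secret at all; the device can reveal it freely and still reject any image that was not signed by the private key the vendor keeps off the device.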