Vulnerabilities | Jun 25, 2026

Lantronix Serial-to-IP Converter Flaw Exploited in Attacks After OT Threat Warning

Lantronix EDS5000 serial-to-IP converter flaw CVE-2025-67038 exploited in active OT attacks.

Summary

A critical vulnerability (CVE-2025-67038) in Lantronix EDS5000 serial-to-IP device servers is being actively exploited in the wild, enabling unauthenticated attackers to execute arbitrary OS commands with root privileges. The flaw was disclosed in April as one of the 20 serial-to-IP product vulnerabilities collectively tracked as BRIDGE:BREAK. CISA added it to its Known Exploited Vulnerabilities catalog on June 23, directing federal agencies to patch by June 26. A compromised device can serve as a foothold for lateral movement and data exfiltration.

Full text

A vulnerability that can facilitate attacks on operational technology (OT) systems is being exploited in the wild, according to the cybersecurity agency CISA.

The vulnerability is tracked as CVE-2025-67038 and it affects Lantronix EDS5000 serial-to-IP device servers, which enable organizations to remotely connect to and manage their serial devices. The flaw can be exploited by an unauthenticated attacker to inject arbitrary OS commands into a username parameter, which leads to the execution of the commands with root privileges.

CVE-2025-67038 was one of the 20 serial-to-IP product vulnerabilities disclosed by cybersecurity firm Forescout in April. Collectively tracked as BRIDGE:BREAK, the vulnerabilities impact Lantronix and Silex products, and researchers demonstrated how they can be exploited to manipulate sensor readings in industrial and healthcare environments to conceal dangerous conditions that would normally require human intervention, or to cause disruption in a healthcare environment using malicious firmware.

CISA added CVE-2025-67038 to its Known Exploited Vulnerabilities (KEV) catalog on June 23, instructing federal agencies to address it by June 26. However, there do not appear to be any public reports describing the attacks exploiting the Lantronix product vulnerability. It’s unclear if the attacks are aimed at industrial, healthcare, or other OT environments.

Cybersecurity firm Aviatrix has described a potential attack scenario involving CVE-2025-67038. Once the attacker exploits the vulnerability to execute code with root privileges, they can gain full control of the device. “The compromised device serves as a foothold for the attacker to move laterally within the network, targeting other connected systems. The attacker establishes a command and control channel to remotely manage the compromised device and issue further commands,” Aviatrix explained in an advisory. It added, “Sensitive data is exfiltrated from the network through the compromised device. The attacker disrupts network operations by modifying configurations or deploying malware, causing significant impact to the organization’s infrastructure.”

ZoomEye shows thousands of internet-exposed Lantronix systems — a majority in the United States — but these include all Lantronix products and it’s unclear how many of them are vulnerable to attacks. Lantronix has not responded to SecurityWeek’s request for comment regarding in-the-wild exploitation.

Written by Eduard Kovacs. Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Indicators of Compromise

  • cve — CVE-2025-67038

Entities

  • Lantronix EDS5000 (product)
  • Lantronix (vendor)
  • Forescout (vendor)
  • BRIDGE:BREAK (campaign)
  • Serial-to-IP converters (technology)