Awareness Lessons

Critical OT Device Flaw Exploited in the Wild Weeks After Disclosure

A critical unauthenticated remote code execution vulnerability in Lantronix EDS5000 serial-to-IP converters (CVE-2025-67038) is being actively exploited, granting attackers root-level OS command execution without any credentials. The flaw was publicly disclosed in April 2025 as part of the BRIDGE:BREAK research initiative, yet organizations failed to patch within the disclosure window before active exploitation began. Serial-to-IP converters are particularly dangerous targets because they bridge legacy OT/serial environments to IP networks, meaning a compromise can enable lateral movement into otherwise air-gapped industrial systems. CISA's tight 3-day patching deadline for federal agencies underscores the severity — a window that many organizations struggle to meet without mature vulnerability management programs. This incident highlights how OT-adjacent network devices are increasingly targeted precisely because they are overlooked in standard patch cycles.

Tactical Insight

Immediate actions

  • Apply the vendor-supplied patch or upgrade EDS5000 firmware immediately, prioritizing any internet-facing or OT-adjacent devices.
  • Isolate affected Lantronix devices behind a firewall or restrict access to trusted management IPs only until patching is complete.
  • Search CISA's KEV catalog and cross-reference it against your asset inventory to identify any other unpatched high-priority vulnerabilities.
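One way to script the KEV cross-reference above and rank the hits by the exposure the lesson prioritizes (internet-facing, OT-adjacent), as an added example that is not part of the original lesson: the field names mirror CISA's KEV JSON feed, but the catalog entry, its dates and the inventory rows are constructed sample data.

```python
from datetime import date

# Constructed KEV snippet: field names follow CISA's real feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json);
# the entry itself and its dates are sample data, not a real catalog record.
KEV_CATALOG = {
    "vulnerabilities": [
        {
            "cveID": "CVE-2025-67038",
            "vendorProject": "Lantronix",
            "product": "EDS5000",
            "dateAdded": "2025-06-02",
            "dueDate": "2025-06-05",  # sample 3-day federal remediation window
        },
    ]
}

# Constructed asset inventory rows; "zone" and "internet_facing" drive priority.
INVENTORY = [
    {"host": "eds-plant-01", "vendor": "lantronix", "product": "EDS5000", "internet_facing": True, "zone": "ot-adjacent"},
    {"host": "eds-lab-02", "vendor": "Lantronix", "product": "eds5000", "internet_facing": False, "zone": "lab"},
    {"host": "gw-core-01", "vendor": "Acme", "product": "ProtoGW", "internet_facing": True, "zone": "dmz"},
]


def _norm(s):
    """Case/punctuation-insensitive key so 'EDS 5000' and 'eds5000' match."""
    return "".join(ch for ch in s.lower() if ch.isalnum())


def match_kev(catalog, inventory, today):
    """Match inventory to KEV entries (today = ISO date string); most urgent first."""
    today = date.fromisoformat(today)
    hits = []
    for entry in catalog["vulnerabilities"]:
        vendor, product = _norm(entry["vendorProject"]), _norm(entry["product"])
        due = date.fromisoformat(entry["dueDate"])
        for asset in inventory:
            if _norm(asset["vendor"]) != vendor or product not in _norm(asset["product"]):
                continue
            exposed = asset["internet_facing"] or asset["zone"] == "ot-adjacent"
            hits.append({"host": asset["host"], "cve": entry["cveID"],
                         "due": entry["dueDate"], "days_left": (due - today).days,
                         "priority": "P1" if exposed else "P2"})
    # Exposed assets first, then whichever due date is soonest (or most overdue,
    # since days_left goes negative once the due date has passed).
    hits.sort(key=lambda h: (h["priority"], h["days_left"]))
    return hits
```

Call `match_kev(KEV_CATALOG, INVENTORY, "2025-06-04")` to see the ranked list; in practice, replace KEV_CATALOG with the parsed live feed and INVENTORY with your CMDB export.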

Long-term improvements

  • Maintain a comprehensive, continuously updated inventory of all OT and network appliance assets, including serial-to-IP converters, protocol gateways, and edge devices.
  • Establish emergency patching SLAs (e.g., ≤72 hours for CVSS 9.0+ CVEs on internet-facing systems) backed by tested runbooks.
  • Implement network segmentation that places OT-bridging devices in a dedicated DMZ, preventing lateral movement from a compromised converter into core OT or IT networks.

Detection measures

  • Deploy network-based intrusion detection (IDS/IPS) rules tuned to detect unexpected command execution or anomalous traffic originating from serial-to-IP devices.
  • Enable centralized logging for all management-plane activity on OT network devices and alert on any unauthenticated or privilege-escalation events.
  • Subscribe to CISA KEV RSS feeds and vendor security advisories to receive near-real-time notification of actively exploited vulnerabilities in your asset classes.