- Critical remote code execution in Lantronix EDS5000 serial-to-IP converters, actively exploited in OT environments
ThreatNoir Afternoon Brief — June 25
Afternoon Review in IT Security — June 25, 2026
The threat landscape continues to shift toward exploitation of known vulnerabilities in critical infrastructure and enterprise systems. Today's security developments highlight a troubling pattern: flaws disclosed months or weeks prior are already being weaponized in active attacks, while patching efforts lag behind threat actor capabilities. Organizations face mounting pressure to accelerate their vulnerability response timelines.
Lantronix Serial-to-IP Converter Flaw Exploited in Attacks After OT Threat Warning
A critical vulnerability in Lantronix Serial-to-IP converters is now being exploited in active attacks following disclosure of the flaw as part of the BRIDGE:BREAK research project in April. The vulnerability, tracked as CVE-2025-67038, represents a significant risk to operational technology environments where these devices serve as essential network infrastructure components. Source: Lantronix Serial-to-IP Converter Flaw Exploited in Attacks After OT Threat Warning
The exploitation of this flaw underscores the accelerating timeline between public disclosure and weaponization in the wild. Organizations relying on Lantronix converters for critical OT connectivity should prioritize immediate patching to prevent unauthorized access and potential disruption to industrial operations.
Why Patch Directives Only Go So Far
A recent breach case demonstrates that patch management alone cannot contain threats once an attacker has established network access. Threat actors maintained undetected access through a compromised VPN for six weeks, highlighting the critical gap between vulnerability disclosure and actual remediation in breached environments. The flaw, identified as CVE-2026-50751, was weaponized against organizations before patches could be deployed. Source: Why patch directives only go so far
This incident exposes a fundamental limitation in vulnerability management strategies that rely solely on patching. Once attackers establish persistent access, they can operate independently of the patching cycle, making detection and response capabilities equally critical to an organization's security posture.
Cisco SD-WAN Zero-Day Exploited Months Before Patching
Cisco SD-WAN systems have been targeted by a zero-day vulnerability that was exploited in the field for months before the company released patches. CVE-2026-20245 represents the seventh SD-WAN vulnerability exploited in 2026, indicating a sustained campaign against this critical networking technology. Additional related vulnerabilities include CVE-2026-20127, CVE-2026-20182, and CVE-2026-20230. Source: Cisco SD-WAN Zero-Day Exploited Months Before Patching
The extended exploitation window for this zero-day underscores the sophisticated nature of attacks targeting SD-WAN infrastructure. Organizations operating Cisco SD-WAN deployments face a heightened risk profile and should implement compensating controls and enhanced monitoring while ensuring all available patches are deployed promptly.
GitLab Patches Code Execution, Information Disclosure Vulnerabilities
GitLab has released updates addressing thirteen vulnerabilities across its Community Edition and Enterprise Edition platforms, with three vulnerabilities rated as high severity. The patched flaws include code execution and information disclosure defects tracked as CVE-2026-10086, CVE-2026-10712, and CVE-2026-12053. Source: GitLab Patches Code Execution, Information Disclosure Vulnerabilities
The presence of code execution vulnerabilities in GitLab represents a critical risk to development environments and software supply chain security. Organizations deploying GitLab should prioritize these updates to prevent potential compromise of source code repositories and development infrastructure.
Closing Summary
Today's threat intelligence reveals a consistent pattern across multiple critical systems: the window between vulnerability disclosure and active exploitation continues to narrow, while the time required for organizations to deploy patches remains dangerously wide. Security teams must shift toward more aggressive vulnerability management practices and implement detection capabilities that do not rely solely on the assumption that patches will be applied in time.
Sources & IOCs
Source articles and extracted indicators (defanged where appropriate).
- Check Point Remote Access VPN authentication bypass vulnerability
- Cisco Unified CM vulnerability.
- Previously exploited Cisco SD-WAN vulnerability.
- Previously exploited Cisco SD-WAN vulnerability.
- Cisco Catalyst SD-WAN Manager vulnerability allowing arbitrary command execution with root privileges.
- High-severity insufficient output filtering in Duo Workflows
- High-severity XSS in GitLab Web IDE workbench asset handler
- High-severity XSS flaw in GitLab EE Analytics dashboard