Forescout Research Vedere Labs disclosed BRIDGE:BREAK, a set of 22 vulnerabilities in serial-to-IP converters from Lantronix and Silex Technology. The bugs let an attacker hijack the converter, tamper with the serial traffic moving across it, and pivot deeper into the operational network on the other side. Forescout’s internet-wide scan put roughly 20,000 exposed devices on the public internet across industrial, utility, transportation, and healthcare environments. CISA published ICS advisory ICSA-26-069-02 covering the Lantronix side.

What the devices do (and why this is bad)

Serial-to-IP converters are the glue between decades-old serial field equipment — PLCs, RTUs, meters, medical devices, point-of-sale hardware, lab instruments — and modern IP networks. The converter sits at the edge of the OT network, terminates TCP/UDP on one side, and speaks RS-232/RS-485 on the other. Whoever controls the converter controls what the PLC thinks the network just told it, and what the SCADA system thinks the field just reported.

That’s the attack model Forescout is describing: an attacker who has already punched through a perimeter router or VPN can use BRIDGE:BREAK to own the serial bridge, then silently rewrite sensor readings heading upstream or actuator commands heading downstream. The controller and the HMI both stay happy. The physical process does not.

Scope

  • Lantronix EDS3000PS Series and EDS5000 Series — 8 CVEs.
  • Silex Technology SD330-AC — 14 CVEs.

Forescout grouped the bug classes as unauthenticated remote code execution, authentication bypass, hard-coded cryptographic keys permitting firmware tampering, default-null administrative passwords, heap and stack buffer overflows in the web management process, reflected XSS, arbitrary file upload, plaintext information disclosure, denial of service, and generic device takeover.

Remote code execution CVEs publicly called out so far include CVE-2026-32955, CVE-2026-32956, CVE-2026-32961, CVE-2025-67041, CVE-2025-67034, CVE-2025-67035, CVE-2025-67036, CVE-2025-67037, and CVE-2025-67038. The hard-coded key and default-null admin password findings are the ones that should terrify anyone running these devices anywhere an attacker can reach the management interface — they turn “compromise the bridge” into a one-shot.

Attack path

Forescout’s scenario is the one that actually plays out in incident response:

  1. Initial access through an internet-exposed edge device — an industrial router, a firewall, a jump host. This is not hypothetical; it’s how every ICS incident of the past five years started.
  2. Internal reconnaissance finds the serial-to-IP converter sitting on a management VLAN or worse, bridged flat with the PLC subnet.
  3. BRIDGE:BREAK gets the attacker a shell on the converter. Hard-coded keys or firmware tampering makes that shell persistent across reboots.
  4. From there, the converter becomes a man-in-the-middle on every serial conversation it proxies. Sensor values can be fudged. Actuator commands can be injected, dropped, or reordered. Historian data stops reflecting reality.

The 20,000 internet-exposed devices Forescout found collapse steps 1 and 2 entirely — they are step 3 waiting to happen.

What to do right now

Lantronix and Silex have both issued firmware updates for the affected product lines. In priority order:

  • Get them off the internet. Nothing about a serial-to-IP converter justifies a public IPv4. If there is a business reason the device needs to be reachable remotely, that reason is wrong; put it behind a VPN or a jump host.
  • Apply vendor firmware. Check Lantronix and Silex advisories for the specific fixed versions for your hardware revision. CISA ICSA-26-069-02 lists the Lantronix fixed firmware.
  • Rotate every credential, even if you think you already did. Default-null admin passwords and hard-coded keys mean prior config-at-rest is not trustworthy.
  • Segment. The converter should live on its own VLAN with explicit allow-lists for the HMI or historian that is supposed to talk to it — nothing else. If east-west from your corporate LAN can reach a serial bridge on the plant floor, the network design is doing the attacker’s job.
  • Hunt. Pull logs for management-plane traffic against these IP addresses in the last 90 days. Anything that isn’t your ops team is worth a closer look.
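The segmentation and hunting steps above are easier to act on with something concrete to run. The script below is an added example, not code from Forescout, CISA, Lantronix or Silex: it takes firewall or flow-log lines in a constructed key=value format, knows which addresses are converters and which hosts are supposed to talk to them (the ops jump host on the management ports, the HMI and historian on the serial-bridge ports), and flags every connection that breaks those allow-lists, plus any source outside RFC 1918 space, which is what an internet-exposed converter looks like from the log side. All addresses, ports and log lines are constructed for the example; the management and bridge port numbers in particular are placeholders you would replace with what your hardware revision actually listens on.

```python
"""Hunt for unexpected access to serial-to-IP converters in flow logs.

Added example (not vendor or Forescout code). The log format, addresses,
port numbers and inventory below are constructed placeholders.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Assumed inventory: the converters and the hosts allowed to reach them.
CONVERTERS = {ipaddress.ip_address("10.20.5.11"), ipaddress.ip_address("10.20.5.12")}
OPS_ALLOWLIST = {ipaddress.ip_address("10.0.1.50")}                # ops jump host
DATA_ALLOWLIST = {ipaddress.ip_address("10.20.5.2"),               # HMI
                  ipaddress.ip_address("10.20.5.3")}               # historian
MGMT_PORTS = {22, 23, 80, 443}        # placeholder: web/SSH/Telnet management plane
BRIDGE_PORTS = {502, 10001}           # placeholder: serial tunnel / Modbus TCP ports
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed log line shape: ts=... src=... dst=... proto=... dport=... action=...
LOG_RE = re.compile(r"ts=(\S+) src=(\S+) dst=(\S+) proto=(\w+) dport=(\d+) action=(\w+)")


@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    dport: int
    reasons: list = field(default_factory=list)


def parse_line(line):
    """Return (ts, src, dst, proto, dport, action) or None for lines we cannot parse."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ts, src, dst, proto, dport, action = m.groups()
    try:
        return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), proto, int(dport), action
    except ValueError:
        return None


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def hunt(lines):
    """Flag connections to converters that violate the allow-lists."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # malformed line: skip, do not crash the hunt
        ts, src, dst, proto, dport, action = rec
        if dst not in CONVERTERS:
            continue                      # only converter-bound traffic is of interest here
        reasons = []
        if dport in MGMT_PORTS and src not in OPS_ALLOWLIST:
            reasons.append("management port from non-ops host")
        if dport in BRIDGE_PORTS and src not in DATA_ALLOWLIST:
            reasons.append("bridge port from unexpected peer")
        if not is_internal(src):
            reasons.append("source outside internal address space")
        if reasons:
            findings.append(Finding(ts, str(src), str(dst), dport, reasons))
    return findings


# Constructed sample log: one internet source, one ops host, one corporate
# LAN host poking the management plane and the bridge port, one legitimate HMI.
SAMPLE_LOG = [
    "ts=2026-03-10T02:14:07Z src=203.0.113.45 dst=10.20.5.11 proto=tcp dport=80 action=allow",
    "ts=2026-03-10T08:01:12Z src=10.0.1.50 dst=10.20.5.11 proto=tcp dport=443 action=allow",
    "ts=2026-03-10T08:03:44Z src=10.0.50.77 dst=10.20.5.12 proto=tcp dport=23 action=allow",
    "ts=2026-03-10T08:05:00Z src=10.20.5.2 dst=10.20.5.12 proto=tcp dport=10001 action=allow",
    "ts=2026-03-10T08:06:30Z src=10.0.50.77 dst=10.20.5.12 proto=tcp dport=10001 action=allow",
    "not a flow record at all",
    "ts=2026-03-10T08:07:00Z src=10.0.50.77 dst=10.20.9.9 proto=tcp dport=80 action=allow",
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f.ts} {f.src} -> {f.dst}:{f.dport}  {'; '.join(f.reasons)}")
```

Running it on the constructed sample yields three findings: the public-internet source hitting the web interface, the corporate LAN host on Telnet, and the same LAN host on the serial-bridge port; the ops jump host and the HMI are silent, as they should be. The third finding is the one the segmentation bullet is about: a host that has no business on the plant floor reaching the serial side of the bridge at all. Swap the inventory sets for your real converter and allow-list addresses and point it at 90 days of exported flow logs.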

The uncomfortable part of this disclosure is that serial-to-IP converters are exactly the kind of box no one patches — they get installed once, they work, they’re invisible to IT, and the OT team is measured on uptime, not CVE counts. BRIDGE:BREAK is a good excuse to go find every one of them in your environment before someone else does.

References

  • Forescout Research Vedere Labs — BRIDGE:BREAK disclosure
  • CISA ICSA-26-069-02 — Lantronix EDS3000PS and EDS5000
  • Lantronix and Silex Technology vendor security advisories