BRIDGE:BREAK — 20 New Vulnerabilities in Lantronix and Silex Serial-to-IP Converters Threaten OT and Hospital Networks
Introduction
Forescout's Vedere Labs has disclosed 20 new vulnerabilities in serial-to-IP converters from Lantronix and Silex Technology, collectively tracked as BRIDGE:BREAK. The bugs affect devices that quietly sit between legacy serial equipment and modern IP networks in factories, substations, and hospitals — and several of them carry CVSS 9.8 remote code execution scores. Patches are available from both vendors, but these devices are notoriously under-monitored and rarely updated.
What Happened
Serial-to-IP converters are small, unassuming boxes with a huge amount of trust. They bridge protocols like Modbus, DNP3, and medical HL7 from legacy serial interfaces into Ethernet networks. Once deployed, they tend to be forgotten — running default credentials and outdated firmware for years.
The research focused on three product families:
- Lantronix EDS3000PS — 3 vulnerabilities
- Lantronix EDS5000PS — 5 vulnerabilities, including RCE flaws scored CVSS 9.8
- Silex SD330-AC — 12 vulnerabilities
Eight of the 20 issues were found in Lantronix devices and twelve in Silex devices. Collectively they enable:
- Unauthenticated remote code execution
- OS command injection via web management interfaces
- Firmware tampering that persists through reboots
- Denial-of-service crashing critical links
- Full device takeover for pivoting further into OT networks
Beyond the 20 new CVEs, Forescout's scan of the underlying firmware stacks surfaced thousands of pre-existing unpatched vulnerabilities in the Linux kernel, BusyBox, and embedded libraries shipped with these devices — many of which have had public exploits for years.
CISA published advisory ICSA-26-069-02 covering the Lantronix side, and Silex has its own advisory 2026-001 for the SD330-AC.
Why It Matters
Converters like these are the glue between the IT and OT worlds. A compromised EDS5000PS in a factory can let an attacker send arbitrary Modbus commands to a PLC controlling physical machinery. The same device in a hospital could interpose on HL7 traffic between a bedside monitor and the EHR, manipulating patient data or disrupting alarms. Because the boxes are small, cheap, and forgotten, they are often the softest targets on an otherwise hardened network.
The Forescout team also noted that many of these devices are directly internet-facing — Shodan scans routinely turn up exposed management interfaces with default credentials in front of substation automation gear and medical device aggregators.
Who Is Affected
- Manufacturing plants using Lantronix EDS3000PS or EDS5000PS to bridge legacy PLCs and sensors
- Electric utilities using these converters in substation automation for legacy relays
- Hospitals and medical facilities using Silex SD330-AC to connect legacy serial medical devices to the LAN
- Any industrial or healthcare environment with outdated serial-to-IP converters and no asset inventory of them
How to Protect Yourself
Patch the devices. Download firmware from the vendor directly — never from third-party mirrors.
- Lantronix advisory and firmware: lantronix.com/support
- Silex advisory 2026-001: silexamerica.com/support
- CISA advisory ICSA-26-069-02: cisa.gov/news-events/ics-advisories
Find them on your network. Serial-to-IP converters are often absent from the asset inventory. Hunt for them with active scanning on common management ports:
nmap -p 80,443,23,9999,30718 --script=banner -oN serial-converters.txt <OT_SUBNET>
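UDP port 30718 carries Lantronix's Device Discovery protocol. Query it directly and view the binary reply as hex:
printf '\x00\x00\x00\xf6' | nc -u -w2 <DEVICE_IP> 30718 | xxd
For Silex devices, fetch the landing page on TCP/80 and look for the SX-AP web UI signature in the response (a status code alone only shows that some web server answered):
curl -s -i --max-time 5 http://<DEVICE_IP>/ | head -n 20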
Remove default credentials. Every deployed device should have its admin password rotated off the factory default. Document the new credentials in your password vault.
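Segment ruthlessly. Serial-to-IP converters should live on their own management VLAN with no direct route to IT or the internet. iptables stops at the first matching rule, so the management allow rule and the rule for its reply packets must come before the drops. Otherwise the blanket drop on the converter VLAN discards the replies, and a management subnet that sits inside the IT range never reaches its allow rule. At the firewall:
# Allow replies to sessions that an earlier rule permitted
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s <MGMT_SUBNET> -d <SERIAL_CONVERTER_VLAN> -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -s <IT_SUBNET> -d <SERIAL_CONVERTER_VLAN> -j DROP
iptables -A FORWARD -s <SERIAL_CONVERTER_VLAN> -d 0.0.0.0/0 -j DROP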
Check your external exposure. Use Shodan or Censys to confirm none of your devices are reachable from the public internet:
shodan search 'Lantronix' net:<YOUR_CIDR>
shodan search 'Silex' net:<YOUR_CIDR>
Baseline device behavior. Capture the normal traffic profile of each converter with a short SPAN (port-mirroring) session, then alert on deviations — new destination IPs, unusual payload sizes, or unexpected firmware checksums can all indicate tampering.
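
The baselining step above, sketched as an added example (not code from Forescout or either vendor): it learns each converter's destinations, payload-size range and firmware checksum, then flags deviations. The flow tuples, addresses, checksum strings and thresholds are constructed assumptions; real input would come from the SPAN capture and your firmware records.

```python
from collections import defaultdict
from statistics import mean, pstdev

def build_baseline(flows, firmware):
    """flows: (converter, dst_ip, payload_len) tuples from the learning window;
    firmware: {converter: checksum} recorded right after patching."""
    dsts, sizes = defaultdict(set), defaultdict(list)
    for conv, dst, size in flows:
        dsts[conv].add(dst)
        sizes[conv].append(size)
    return {conv: {"dsts": dsts[conv], "mean": mean(sizes[conv]),
                   "std": pstdev(sizes[conv]), "fw": firmware.get(conv)}
            for conv in dsts}

def find_deviations(baseline, flows, firmware, k=3.0, min_std=8.0):
    """Return sorted (converter, reason, detail) alerts for the observed data."""
    alerts = set()
    for conv, dst, size in flows:
        prof = baseline.get(conv)
        if prof is None:                      # device absent from the inventory
            alerts.add((conv, "unknown-converter", dst))
            continue
        if dst not in prof["dsts"]:
            alerts.add((conv, "new-destination", dst))
        # Floor the deviation so fixed-size polling (std near 0) tolerates small jitter.
        if abs(size - prof["mean"]) > k * max(prof["std"], min_std):
            alerts.add((conv, "payload-size", str(size)))
    for conv, digest in firmware.items():
        prof = baseline.get(conv)
        if prof and prof["fw"] and digest != prof["fw"]:
            alerts.add((conv, "firmware-checksum", digest))
    return sorted(alerts)

# Constructed sample data: RFC 1918 addresses and placeholder checksum strings.
LEARNED = [("10.20.0.11", "10.20.1.5", 12), ("10.20.0.11", "10.20.1.5", 12),
           ("10.20.0.11", "10.20.1.5", 16), ("10.20.0.12", "10.20.1.6", 260),
           ("10.20.0.12", "10.20.1.6", 252)]
LEARNED_FW = {"10.20.0.11": "fw-checksum-A", "10.20.0.12": "fw-checksum-B"}
OBSERVED = [("10.20.0.11", "10.20.1.5", 12),     # normal poll
            ("10.20.0.11", "10.20.9.77", 12),    # peer never seen in the baseline
            ("10.20.0.12", "10.20.1.6", 1400),   # payload far outside learned range
            ("10.20.0.13", "10.20.1.5", 12)]     # converter nobody inventoried
OBSERVED_FW = {"10.20.0.11": "fw-checksum-A", "10.20.0.12": "fw-checksum-X"}

if __name__ == "__main__":
    profile = build_baseline(LEARNED, LEARNED_FW)
    for alert in find_deviations(profile, OBSERVED, OBSERVED_FW):
        print(*alert)
```
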