Forescout Research Vedere Labs has disclosed a coordinated set of 22 vulnerabilities, collectively named BRIDGE:BREAK, affecting widely deployed serial-to-IP converters manufactured by Lantronix and Silex Technology. The research identified approximately 20,000 affected devices reachable from the public internet across industrial, utility, transportation, and healthcare networks. Eight of the flaws impact Lantronix EDS3000PS and EDS5000 device servers, and fourteen impact the Silex SD-330AC wireless bridge and the companion AMC Manager administration software.
The vulnerabilities span the full range of high-impact weakness classes for network-edge appliances, including unauthenticated remote code execution, authentication bypass, hard-coded cryptographic keys that permit firmware tampering, empty default administrative passwords, heap and stack buffer overflows in web management processing, reflected cross-site scripting, arbitrary file upload, and plaintext information disclosure. Several flaws are reachable without credentials over the network management interface, and the most severe carry CVSS v3.1 scores of 9.8. Serial-to-IP converters sit as transparent bridges between legacy serial field devices (PLCs, medical instruments, building automation panels, meters, and sensors) and modern IP networks, which gives a compromised device simultaneous access to both the routed corporate or OT network and the raw serial channel carrying operational data.
At the time of disclosure, Forescout and the affected vendors report no observed exploitation in the wild, and the disclosures were handled through coordinated vulnerability disclosure with the U.S. Cybersecurity and Infrastructure Security Agency. However, the combination of high exposure counts, trivially exploitable pre-authentication flaws, and the sensitive downstream populations these converters serve — including hospital biomedical endpoints, municipal water controls, and power substation RTUs — elevates the near-term risk of opportunistic scanning and mass exploitation once proof-of-concept code becomes public. Operators of affected models should treat patching as an immediate-priority activity.
CVE-2025-67041, with a CVSS v3.1 score of 9.8, is an unauthenticated operating-system command injection in the TFTP client of the Lantronix EDS3000PS Filesystem Browser web page. The host parameter is insufficiently sanitized, allowing an attacker to break out of the intended command and execute arbitrary commands with root privileges on the device. A second critical flaw in the same Lantronix platform, CVE-2025-70082, also carries a CVSS v3.1 score of 9.8 and allows remote attackers to execute arbitrary code and extract sensitive information through the ltrx_evo component. Together these two issues provide complete pre-authentication takeover of EDS3000PS firmware 3.1.0.0R2.
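To make the weakness class concrete, the following is an added illustration written for this advisory; it is not Lantronix code and not the actual vulnerable handler. A hypothetical TFTP fetch pastes the web form's host field into a shell command line, beside a hardened version that validates the host against a strict character allow-list and builds an argv for direct execution instead of a shell string. The function names, the busybox-style tftp invocation, and the form field name are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not the EDS3000PS firmware. The "host" string stands in
 * for the web form parameter the advisory describes as unsanitized. */

static char g_cmd[512];

/* Vulnerable pattern: build a shell command line from user input. A host value
 * such as "10.0.0.5; id > /tmp/x" becomes part of the command, and because the
 * web server runs as root the injected command runs as root too. */
const char *tftp_cmd_vulnerable(const char *host, const char *file)
{
    snprintf(g_cmd, sizeof g_cmd, "tftp -g -r %s %s", file, host);
    return g_cmd;               /* the real bug would hand this to system() */
}

/* 1 if the command line contains a shell metacharacter the TFTP client never
 * needs; used only to show what the vulnerable builder lets through. */
int cmd_has_shell_metachar(const char *cmd)
{
    return strpbrk(cmd, ";|&`$()<>\n") != NULL;
}

/* Hardened step 1: accept only what a hostname or IPv4 literal can contain
 * (letters, digits, '.', '-'), bounded length, and no leading '-' or '.' so
 * the value can be neither an option nor a malformed name. */
int is_safe_host(const char *host)
{
    size_t n = strlen(host);
    if (n == 0 || n > 253 || host[0] == '-' || host[0] == '.')
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!isalnum(c) && c != '.' && c != '-')
            return 0;
    }
    return 1;
}

/* Hardened step 2: never go through a shell. Build an argv for execvp() or
 * posix_spawn() so each argument stays one argument whatever it contains.
 * Returns the argument count, or -1 if the host is rejected. "file" is
 * assumed to be validated by its own rule (not shown). */
int tftp_build_argv(const char *host, const char *file, const char *argv[6])
{
    if (!is_safe_host(host))
        return -1;
    argv[0] = "tftp";
    argv[1] = "-g";
    argv[2] = "-r";
    argv[3] = file;
    argv[4] = host;
    argv[5] = NULL;
    return 5;
}

/* Convenience wrapper so the decision can be checked with a single call. */
int tftp_fetch_allowed(const char *host, const char *file)
{
    const char *argv[6];
    return tftp_build_argv(host, file, argv) == 5;
}

int main(void)
{
    const char *bad = "10.0.0.5; id > /tmp/x";
    printf("vulnerable builder: %s\n", tftp_cmd_vulnerable(bad, "cfg.bin"));
    printf("hardened accepts \"%s\": %d\n", bad, tftp_fetch_allowed(bad, "cfg.bin"));
    printf("hardened accepts \"10.0.0.5\": %d\n", tftp_fetch_allowed("10.0.0.5", "cfg.bin"));
    return 0;
}
```

The allow-list is deliberately narrower than what the shell would reject: blocking only `;` and `|` leaves `$(...)`, backticks and redirections, and a leading `-` can still turn a "host" into an option for the TFTP client. Validation plus argv execution removes the shell from the path entirely, which is the property to look for when reviewing a vendor fix.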
CVE-2025-67039, with a CVSS v3.1 score of 9.1, is an authentication bypass in the EDS3000PS management interface. By appending a specific suffix to the URL and submitting an Authorization header containing the username admin, an attacker can access protected management pages without any valid credential. Combined with the two critical flaws above, an unauthenticated attacker with network reach to the management interface can chain the issues to achieve persistent, root-level control of the converter. The Lantronix EDS5000 series is affected by a corresponding cluster of five additional vulnerabilities covering similar authentication and command-injection weaknesses, all of which are addressed in the same vendor firmware release cycle.
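The advisory does not describe the mechanism behind the bypass beyond the URL suffix and the Authorization header, so the following added illustration (not Lantronix code) shows one common way a suffix-based bypass arises: an authorization filter that exempts static-asset extensions by looking at the raw request path, while the router dispatches by path prefix, so a protected page requested with a bogus `.png` suffix is served without a session. The `/secure/` and `/static/` prefixes, the exempt suffixes and the outcome codes are assumptions; the Authorization header detail is not modelled, and `has_session` stands for whatever the real credential check returns.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration of a suffix-based authorization bypass; not the
 * EDS3000PS request router. Prefixes and suffixes below are assumptions. */

enum outcome { DENIED = 0, SERVED_STATIC = 1, SERVED_PROTECTED = 2 };

static const char PROTECTED_PREFIX[] = "/secure/";
static const char STATIC_PREFIX[]    = "/static/";
static const char *const EXEMPT_SUFFIXES[] = { ".css", ".js", ".png", NULL };

static int ends_with(const char *s, const char *suffix)
{
    size_t ls = strlen(s), lf = strlen(suffix);
    return ls >= lf && memcmp(s + ls - lf, suffix, lf) == 0;
}

static int has_exempt_suffix(const char *path)
{
    for (int i = 0; EXEMPT_SUFFIXES[i]; i++)
        if (ends_with(path, EXEMPT_SUFFIXES[i]))
            return 1;
    return 0;
}

static int has_prefix(const char *path, const char *prefix)
{
    return strncmp(path, prefix, strlen(prefix)) == 0;
}

/* Vulnerable: the auth filter runs first on the raw path and waves through
 * anything that looks like a static asset. The router then matches by
 * prefix, so "/secure/config.cgi.png" is exempt from auth AND routed to the
 * protected handler. has_session is 1 only for a valid authenticated session. */
int serve_vulnerable(const char *path, int has_session)
{
    if (!has_exempt_suffix(path) && !has_session)
        return DENIED;                              /* 401 */
    if (has_prefix(path, PROTECTED_PREFIX))
        return SERVED_PROTECTED;                    /* management page */
    if (has_prefix(path, STATIC_PREFIX))
        return SERVED_STATIC;
    return DENIED;
}

/* Hardened: resolve the route first, then apply that route's own policy.
 * Protected routes require a session however the path ends; static assets
 * are served only from the static tree; everything else is denied by
 * default. Traversal and doubled separators are rejected before routing so
 * normalisation cannot change which rule applies. */
int serve_hardened(const char *path, int has_session)
{
    if (path[0] != '/' || strstr(path, "..") || strstr(path, "//"))
        return DENIED;
    if (has_prefix(path, PROTECTED_PREFIX))
        return has_session ? SERVED_PROTECTED : DENIED;
    if (has_prefix(path, STATIC_PREFIX) && has_exempt_suffix(path))
        return SERVED_STATIC;
    return DENIED;
}

int main(void)
{
    const char *bypass = "/secure/config.cgi.png";
    printf("vulnerable, no session: %d\n", serve_vulnerable(bypass, 0));
    printf("hardened,   no session: %d\n", serve_hardened(bypass, 0));
    return 0;
}
```

The general rule the hardened router follows is that access control must be decided on the resource the server will actually serve, not on the string the client sent; any check that runs before routing and looks at suffixes, extensions or case is a candidate for exactly this class of bypass.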
CVE-2026-32956, with a CVSS v3.1 score of 9.8, is an unauthenticated heap-based buffer overflow in the Silex SD-330AC and AMC Manager web interface triggered during processing of the login redirect URL. Memory corruption in this code path is reachable without credentials and yields remote code execution. A related stack-based overflow reachable only by authenticated users, CVE-2026-32955, carries a CVSS v3.1 score of 8.8 and similarly allows arbitrary code execution on the device. These memory-corruption flaws are the primary device-takeover primitives in the Silex portion of the disclosure.
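As an added illustration of the memory-corruption class (not Silex code and not the actual code path of CVE-2026-32956), the hypothetical handler below stores the post-login redirect target in a fixed-size heap buffer with an unbounded copy, beside a hardened version that bounds the length before allocating and also restricts the target to a local path, which closes the open-redirect side of the same parameter. The buffer size, the struct and the function names are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration; not the SD-330AC / AMC Manager code. */
#define REDIRECT_MAX 128            /* assumed size of the heap buffer */

struct login_ctx {
    char *redirect;                 /* post-login target, heap allocated */
    int   authenticated;
};

/* Vulnerable: fixed allocation, unbounded copy. A redirect parameter longer
 * than REDIRECT_MAX-1 bytes writes past the chunk into whatever the allocator
 * placed next (another object or heap metadata). Because this runs before
 * the credential check, the overflow needs no login. Calling it with long
 * input is undefined behaviour; here it is only ever called with short input. */
int set_redirect_vulnerable(struct login_ctx *ctx, const char *redirect)
{
    ctx->redirect = malloc(REDIRECT_MAX);
    if (!ctx->redirect)
        return -1;
    strcpy(ctx->redirect, redirect);        /* no length check */
    return 0;
}

/* Hardened: measure first, reject anything that does not fit, allocate
 * exactly what is needed, and accept only a same-origin relative path
 * (single leading '/', no control characters, no backslash). */
int set_redirect_hardened(struct login_ctx *ctx, const char *redirect)
{
    size_t n = strlen(redirect);
    if (n == 0 || n >= REDIRECT_MAX)
        return -1;
    if (redirect[0] != '/' || redirect[1] == '/' || strchr(redirect, '\\'))
        return -1;                              /* not a local path */
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)redirect[i];
        if (c <= 0x20 || c == 0x7f)
            return -1;                          /* CR/LF/space/controls */
    }
    char *p = malloc(n + 1);
    if (!p)
        return -1;
    memcpy(p, redirect, n + 1);
    ctx->redirect = p;
    return 0;
}

/* 1 if the input would overflow the vulnerable allocation. */
int would_overflow(const char *redirect)
{
    return strlen(redirect) + 1 > REDIRECT_MAX;
}

/* Wrapper that owns its context so a single call gives the verdict. */
int hardened_accepts(const char *redirect)
{
    struct login_ctx ctx = { NULL, 0 };
    int rc = set_redirect_hardened(&ctx, redirect);
    free(ctx.redirect);
    return rc == 0;
}

/* Builds "/" followed by len 'A' characters (constructed input). */
static char *make_path(size_t len)
{
    char *buf = malloc(len + 2);
    if (!buf)
        return NULL;
    buf[0] = '/';
    memset(buf + 1, 'A', len);
    buf[len + 1] = '\0';
    return buf;
}

int hardened_accepts_len(size_t len)
{
    char *buf = make_path(len);
    int ok = buf ? hardened_accepts(buf) : 0;
    free(buf);
    return ok;
}

int would_overflow_len(size_t len)
{
    char *buf = make_path(len);
    int ov = buf ? would_overflow(buf) : 0;
    free(buf);
    return ov;
}

int main(void)
{
    struct login_ctx ctx = { NULL, 0 };
    set_redirect_vulnerable(&ctx, "/status.htm");    /* short input only */
    printf("vulnerable stored: %s\n", ctx.redirect);
    free(ctx.redirect);
    printf("hardened accepts 300-byte target: %d\n", hardened_accepts_len(300));
    return 0;
}
```

The two bounds line up on purpose: the vulnerable buffer holds 127 characters plus the terminator, and the hardened check rejects the 128th character, so the boundary tests below are the ones a fuzzer would hit first. On a device without a hardened allocator, the same overflow that the check prevents is what turns a login-page parameter into a code-execution primitive.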
CVE-2026-32965, with a CVSS v3.1 score of 7.5, captures an insecure-default condition in which Silex SD-330AC units ship with no administrative password enforced, permitting a first-connecting attacker to set the password and take exclusive ownership of the device. CVE-2026-32960, with a CVSS v3.1 score of 6.5 and a CVSS v4.0 score of 7.1, allows an attacker to log in as an existing administrator without knowing the password by sending a crafted packet that reuses sensitive data retained in memory from prior sessions. CVE-2026-32958, with a CVSS v3.1 score of 6.5, stems from use of a hard-coded cryptographic signing key that permits an attacker to trick an administrative user into applying a tampered firmware image, undermining the device integrity guarantees that secure firmware update mechanisms are meant to provide.
The remaining Silex findings cover reflected cross-site scripting on the system status page, unauthenticated reboot and configuration-injection primitives, arbitrary file upload to temporary storage, stream-cipher keystream reuse that lets a man-in-the-middle recover plaintext, and a denial-of-service condition in the legacy SNMP agent. No individual issue in this group exceeds a CVSS v3.1 score of 7.0, but several are reachable without authentication and feed directly into the chains described above, and all are remediated in the same firmware release.
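Keystream reuse is often underestimated, so here is an added example of what it gives an attacker. It is not Silex code: the generator is a toy xorshift standing in for whatever cipher the device uses, and that choice, the key, the nonces and the two messages are all constructed. Two messages are encrypted under the same keystream, and a man-in-the-middle who knows or can guess one plaintext recovers the other with nothing more than XOR, because C1 xor C2 equals P1 xor P2. The second function shows recovery failing once every message gets a fresh nonce, which is the fix; this holds for any stream cipher, strong or weak.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration of keystream reuse; the generator is a stand-in, not the
 * SD-330AC cipher. Reuse is fatal for any stream cipher, strong or weak. */

#define MSG_MAX 64

/* Toy keystream: xorshift32 seeded from key and nonce. Assumed for the
 * demonstration only; use ChaCha20 or AES-CTR in anything real. */
static void keystream(uint32_t key, uint32_t nonce, uint8_t *out, size_t n)
{
    uint32_t x = key ^ (nonce * 0x9E3779B9u);
    if (x == 0) x = 1;                      /* xorshift must not start at 0 */
    for (size_t i = 0; i < n; i++) {
        x ^= x << 13; x ^= x >> 17; x ^= x << 5;
        out[i] = (uint8_t)(x & 0xff);
    }
}

/* Stream encryption is C = P xor KS; decryption is the same operation. */
size_t stream_xor(uint32_t key, uint32_t nonce, const uint8_t *in, uint8_t *out, size_t n)
{
    uint8_t ks[MSG_MAX];
    if (n > MSG_MAX) return 0;
    keystream(key, nonce, ks, n);
    for (size_t i = 0; i < n; i++) out[i] = in[i] ^ ks[i];
    return n;
}

/* The attack: with C1 and C2 under the same keystream and P1 known,
 * P2 = C1 xor C2 xor P1. No key material is needed. */
void recover_second(const uint8_t *c1, const uint8_t *c2, const uint8_t *p1, uint8_t *p2, size_t n)
{
    for (size_t i = 0; i < n; i++) p2[i] = c1[i] ^ c2[i] ^ p1[i];
}

/* Encrypts m1 and m2 with the given nonces and reports whether an attacker
 * who knows m1 recovers m2 exactly over the common length. */
static int reuse_recovers(const char *m1, const char *m2, uint32_t nonce1, uint32_t nonce2)
{
    const uint32_t key = 0x5EC2E7u;                     /* constructed key */
    size_t n = strlen(m1) < strlen(m2) ? strlen(m1) : strlen(m2);
    uint8_t c1[MSG_MAX], c2[MSG_MAX], p2[MSG_MAX];
    if (n == 0 || n > MSG_MAX) return 0;
    stream_xor(key, nonce1, (const uint8_t *)m1, c1, n);
    stream_xor(key, nonce2, (const uint8_t *)m2, c2, n);
    recover_second(c1, c2, (const uint8_t *)m1, p2, n);
    return memcmp(p2, m2, n) == 0;
}

/* Same nonce on both messages: the weakness the advisory describes. */
int demo_keystream_reuse(const char *m1, const char *m2)
{
    return reuse_recovers(m1, m2, 7, 7);
}

/* Distinct nonces: the fix. Recovery yields garbage. */
int demo_fresh_nonce(const char *m1, const char *m2)
{
    return reuse_recovers(m1, m2, 7, 8);
}

/* Sanity check that encrypt-then-decrypt under one nonce round-trips. */
int roundtrip_ok(const char *m)
{
    uint8_t c[MSG_MAX], p[MSG_MAX];
    size_t n = strlen(m);
    if (n == 0 || n > MSG_MAX) return 0;
    stream_xor(0x5EC2E7u, 3, (const uint8_t *)m, c, n);
    stream_xor(0x5EC2E7u, 3, c, p, n);
    return memcmp(p, m, n) == 0;
}

int main(void)
{
    const char *known  = "SET:relay1=OPEN ";       /* constructed plaintexts */
    const char *secret = "PWD:s3cret-admin";
    printf("same nonce  -> secret recovered: %d\n", demo_keystream_reuse(known, secret));
    printf("fresh nonce -> secret recovered: %d\n", demo_fresh_nonce(known, secret));
    return 0;
}
```

In practice the "known" plaintext is usually a predictable protocol frame (a status poll, a fixed command prefix), which is exactly the traffic a serial-to-IP bridge carries, so one guessed frame exposes every other frame encrypted under the same keystream.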
Serial-to-IP converters are deliberately invisible appliances: they are chosen specifically for their transparency to legacy serial applications, rarely appear in asset inventories, and are frequently installed by integrators or OEM equipment vendors rather than IT. A compromised converter gives an attacker a stealthy pivot into the OT network and, because the device mediates the serial channel itself, the ability to selectively alter sensor values, replay historian traffic, or inject unauthorized commands toward a PLC or medical device without the downstream endpoint detecting the tampering. For hospitals, this includes patient-monitoring data, biomedical analyzers, and building management systems; for industrial and utility operators, it includes substation RTUs, water SCADA, gas and liquids flow computers, and environmental controls.
From a compliance perspective, the hard-coded signing key, default-null-password, and plaintext-disclosure findings create direct exposure under HIPAA Security Rule access-control and integrity requirements (45 CFR 164.312), NERC CIP-007 system security management, NERC CIP-010 configuration change management, IEC 62443-3-3 system requirements SR 1.1 through SR 1.5 for identification and authentication controls, and the authentication and integrity sections of the FDA premarket cybersecurity guidance for medical devices. Affected organizations operating in regulated environments should document the presence of these devices, the remediation timeline, and any compensating controls in their security incident and audit records before the next scheduled assessment.
1898 & Co. recommends the following actions prioritized for operational technology and healthcare environments running affected Lantronix or Silex serial-to-IP converters:
1. Upgrade Lantronix EDS3000PS devices to firmware version 3.2.0.0R2 and EDS5000 devices to firmware version 2.2.0.0R1 without delay; upgrade Silex SD-330AC units to firmware version 1.50 or later and the AMC Manager to version 5.1.0 or later, using vendor-signed images sourced directly from the manufacturer support portals.
2. Remove all direct internet exposure of serial-to-IP converter management interfaces; place every affected device behind a network segmentation boundary such that the web, Telnet, and SNMP management services are reachable only from dedicated administrative VLANs or jump hosts, and restrict serial data services to the specific upstream hosts that legitimately consume them.
3. Replace default credentials and enforce unique administrative passwords on every unit; for Silex SD-330AC deployments, audit every device to confirm that a non-null administrator password has been configured, since the factory default allows any first-connecting attacker to claim ownership of the device.
4. Perform a targeted inventory sweep to identify all serial-to-IP converters deployed across OT, healthcare biomedical, facilities, and remote-site environments, including converters installed by OEM vendors alongside field equipment; use the resulting inventory to drive patch tracking and to measure residual exposure until remediation is complete.
5. Configure continuous monitoring and alerting for anomalous access to converter management interfaces, unexpected firmware update events, TFTP activity originating from the devices, and changes to device configuration baselines; pair network-layer monitoring with periodic out-of-band configuration integrity checks to detect tampering that would be invisible to the downstream serial endpoint.
Implementing these actions in the sequence above materially reduces the attack surface and closes the pre-authentication remote code execution and authentication-bypass chains described in this advisory.
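Of the five actions, item 5 is the one that can be sketched in code. The following added example is not 1898 & Co. tooling and is not derived from any vendor log format; it runs simple indicator logic over a handful of constructed firewall and device log lines: management-port connections to a converter from outside the administrative VLAN, TFTP initiated by a converter, firmware-update events, and configuration saves. The converter subnet 10.20.5.0/24, the admin subnet 10.50.0.0/24, the key=value log layout, the hostname and port 10001 for the serial tunnel are all assumptions to be replaced with the real estate's values; a SIEM rule would express the same logic.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example of the indicator logic behind recommendation 5; the log
 * format and address plan are constructed, not taken from any vendor. */

enum alert {
    ALERT_NONE = 0,
    ALERT_MGMT_FROM_OUTSIDE_ADMIN = 1,  /* web/telnet/snmp to a converter from a non-admin source */
    ALERT_TFTP_FROM_CONVERTER     = 2,  /* converter initiating TFTP (cf. the TFTP client flaw) */
    ALERT_FIRMWARE_EVENT          = 3,  /* any firmware update message */
    ALERT_CONFIG_CHANGE           = 4   /* configuration saved or changed */
};

#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))
static const uint32_t CONVERTER_NET = IP4(10, 20, 5, 0);   /* assumed */
static const uint32_t ADMIN_NET     = IP4(10, 50, 0, 0);   /* assumed */

static int in_subnet(uint32_t ip, uint32_t net, int bits)
{
    uint32_t mask = bits ? 0xFFFFFFFFu << (32 - bits) : 0;
    return (ip & mask) == (net & mask);
}

static int parse_ipv4(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    if (sscanf(s, "%u.%u.%u.%u", &a, &b, &c, &d) != 4) return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255) return 0;
    *out = IP4(a, b, c, d);
    return 1;
}

/* Copies the value following "key=" (up to space, comma or end) into out. */
static int field(const char *line, const char *key, char *out, size_t n)
{
    const char *p = strstr(line, key);
    size_t i = 0;
    out[0] = '\0';
    if (!p) return 0;
    p += strlen(key);
    while (*p && *p != ' ' && *p != ',' && i + 1 < n) out[i++] = *p++;
    out[i] = '\0';
    return 1;
}

static int is_mgmt_port(const char *port)
{
    return !strcmp(port, "80") || !strcmp(port, "443") || !strcmp(port, "23") || !strcmp(port, "161");
}

/* Returns the alert class for one log line, ALERT_NONE if benign. */
int classify_line(const char *line)
{
    char src[32], dst[32], dport[16];
    uint32_t s, d;
    if (strstr(line, "firmware")) return ALERT_FIRMWARE_EVENT;
    if (strstr(line, "config") && (strstr(line, "saved") || strstr(line, "changed")))
        return ALERT_CONFIG_CHANGE;
    field(line, "src=", src, sizeof src);
    field(line, "dst=", dst, sizeof dst);
    field(line, "dport=", dport, sizeof dport);
    if (!parse_ipv4(src, &s) || !parse_ipv4(dst, &d)) return ALERT_NONE;
    if (!strcmp(dport, "69") && in_subnet(s, CONVERTER_NET, 24))
        return ALERT_TFTP_FROM_CONVERTER;
    if (in_subnet(d, CONVERTER_NET, 24) && is_mgmt_port(dport) && !in_subnet(s, ADMIN_NET, 24))
        return ALERT_MGMT_FROM_OUTSIDE_ADMIN;
    return ALERT_NONE;
}

/* Constructed sample log; four of the six lines should alert. */
static const char *const SAMPLE_LOG[] = {
    "fw: proto=tcp src=10.50.0.12 dst=10.20.5.7 dport=443 action=allow",     /* admin jump host: fine */
    "fw: proto=tcp src=192.0.2.44 dst=10.20.5.7 dport=80 action=allow",      /* outside admin VLAN */
    "fw: proto=udp src=10.20.5.7 dst=198.51.100.9 dport=69 action=allow",    /* converter doing TFTP */
    "dev: host=eds-7 firmware update started user=admin",                    /* firmware event */
    "dev: host=eds-7 config saved user=admin from=192.0.2.44",               /* config change */
    "fw: proto=tcp src=10.20.5.7 dst=10.20.5.200 dport=10001 action=allow",  /* serial tunnel: expected */
};

int count_alerts(void)
{
    int n = 0;
    for (size_t i = 0; i < sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0]; i++)
        if (classify_line(SAMPLE_LOG[i]) != ALERT_NONE) n++;
    return n;
}

int main(void)
{
    for (size_t i = 0; i < sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0]; i++)
        printf("alert=%d  %s\n", classify_line(SAMPLE_LOG[i]), SAMPLE_LOG[i]);
    printf("%d alerts\n", count_alerts());
    return 0;
}
```

The point of the first two rules is that they are only meaningful once item 2 has been done: when the management services are reachable solely from the admin VLAN, any other source is by definition anomalous, and an outbound TFTP session from a converter is the signature of the TFTP-client flaw being exercised rather than normal operation.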
1898 & Co. maintains deep operational technology and industrial control system expertise spanning the asset owners most affected by this disclosure, including electric utilities, water and wastewater operators, oil and gas midstream and pipeline operators, critical manufacturing environments, and healthcare providers where biomedical and building automation networks rely on serial-to-IP bridging. Our consultants routinely work with clients to identify edge appliances that do not appear in traditional IT asset databases and to apply defense-in-depth network architectures that contain the blast radius of a compromised converter.
Our managed detection and threat hunting services provide coverage tuned for OT protocols and edge-device behavior, including baseline monitoring of management traffic to serial-to-IP bridges, detection of anomalous TFTP and firmware-transfer activity, and alerting on configuration changes that could indicate device takeover. We integrate intelligence from CISA Known Exploited Vulnerabilities updates and vendor ProductCERT feeds into our hunt workflows so that newly weaponized campaigns against BRIDGE:BREAK-class devices are surfaced and triaged against the specific client estate rather than treated as generic alerts.
Clients working with 1898 & Co. on incident preparedness, secure architecture review, and ICS vulnerability management can engage our team directly to scope an exposure assessment, validate patch deployment, and update network segmentation and monitoring baselines to address the issues disclosed here. For organizations that have not previously inventoried serial-to-IP bridges at scale, our advisory team can coordinate discovery, risk scoring, and a phased remediation plan aligned to operational outage constraints typical of OT and healthcare environments.
1. CISA ICS Advisory ICSA-26-069-02 — Lantronix EDS3000PS and EDS5000
2. CISA ICS Advisory ICSA-26-111-10 — Silex Technology SD-330AC and AMC Manager
3. Silex Technology Security Advisory 2026-001 — SD-330AC and AMC Manager Multiple Vulnerabilities
4. Lantronix Latest Firmware for the EDS3000PS Series
5. Lantronix Latest Firmware for the EDS5000 Series
10. NVD Entry — CVE-2026-32956
11. NVD Entry — CVE-2026-32958