Lantronix Serial-to-IP Converter Flaw Exploited in Attacks After OT Threat Warning


A vulnerability that can facilitate attacks on operational technology (OT) systems is being exploited in the wild, according to the cybersecurity agency CISA.

The vulnerability is tracked as CVE-2025-67038 and it affects Lantronix EDS5000 serial-to-IP device servers, which enable organizations to remotely connect to and manage their serial devices.

The flaw can be exploited by an unauthenticated attacker to inject arbitrary OS commands into a username parameter, which leads to the execution of the commands with root privileges.

CVE-2025-67038 was one of the 20 serial-to-IP product vulnerabilities disclosed by cybersecurity firm Forescout in April. 

Collectively tracked as BRIDGE:BREAK, the vulnerabilities impact Lantronix and Silex products, and researchers demonstrated how they can be exploited to manipulate sensor readings in industrial and healthcare environments to conceal dangerous conditions that would normally require human intervention, or to cause disruption in a healthcare environment using malicious firmware.

CISA added CVE-2025-67038 to its Known Exploited Vulnerabilities (KEV) catalog on June 23, instructing federal agencies to address it by June 26. 

However, there do not appear to be any public reports describing the attacks exploiting the Lantronix product vulnerability. It’s unclear if the attacks are aimed at industrial, healthcare, or other OT environments.

Cybersecurity firm Aviatrix has described a potential attack scenario involving CVE-2025-67038. Once the attacker exploits the vulnerability to execute code with root privileges, they can gain full control of the device.

“The compromised device serves as a foothold for the attacker to move laterally within the network, targeting other connected systems. The attacker establishes a command and control channel to remotely manage the compromised device and issue further commands,” Aviatrix explained in an advisory.

It added, “Sensitive data is exfiltrated from the network through the compromised device. The attacker disrupts network operations by modifying configurations or deploying malware, causing significant impact to the organization’s infrastructure.”

ZoomEye shows thousands of internet-exposed Lantronix systems — a majority in the United States — but these include all Lantronix products and it’s unclear how many of them are vulnerable to attacks. 

Lantronix has not responded to SecurityWeek’s request for comment regarding in-the-wild exploitation.

UPDATE: Forescout published a blog post on Thursday with additional details on the exploitation of the vulnerability. Researchers observed exploitation of CVE-2025-67038 in a Lantronix EDS5000 honeypot on April 5, after Lantronix had released a patch but before Forescout published the BRIDGE:BREAK technical details. The timing suggests the attackers may have reverse-engineered the patch to develop an exploit.

The activity included automated command injection testing and Lantronix-specific fingerprinting, suggesting the attackers knew what they were targeting.

Researchers found the activity was not consistent with a typical botnet or broad vulnerability scanner.
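The flaw described above is a classic OS command injection through a username field, and the honeypot observations point to automated probing of that field. The following is an added example, not code from the article, Lantronix or Forescout: an allowlist validator that a device's login handler could apply at the input boundary, and a small scanner that flags authentication log entries whose username carries shell metacharacters and then groups them by source to separate repeated probing from a one-off typo. The log line format, field names and sample entries are constructed for this example and do not reflect the EDS5000's real logging.

```python
"""Added example: username allowlisting and command-injection detection in auth logs.
Not the device's code; log format and sample data are constructed for illustration."""
import re
from collections import Counter
from dataclasses import dataclass

# Mitigation: a username never legitimately needs shell metacharacters, so reject
# anything outside a strict allowlist before the value reaches any OS-level call.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")

# Detection: characters that let input break out of a shell-built command string.
SHELL_META_RE = re.compile(r"[;&|`$<>\n\\]")

# Constructed (hypothetical) log line shape:
# <timestamp> src=<ip> path=<url> user="<value>" status=<code>
LOG_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>\S+) path=(?P<path>\S+) user="(?P<user>.*)" status=(?P<status>\d+)$'
)


def is_safe_username(name: str) -> bool:
    """True only if the value matches the allowlist; everything else must be rejected."""
    return USERNAME_RE.fullmatch(name) is not None


def looks_like_injection(value: str) -> bool:
    """Heuristic: shell metacharacters in a field that never needs them."""
    return SHELL_META_RE.search(value) is not None


@dataclass
class Alert:
    ts: str
    src: str
    user: str


def scan_auth_log(lines):
    """Return one Alert per request whose username field looks like a command injection attempt."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if not m:
            continue  # unparseable line: skip rather than guess at its fields
        user = m.group("user")
        if looks_like_injection(user):
            alerts.append(Alert(ts=m.group("ts"), src=m.group("src"), user=user))
    return alerts


def repeat_offenders(alerts, threshold=2):
    """Sources with at least `threshold` flagged requests: a crude signal of automated
    probing of the parameter rather than a single mistyped login."""
    counts = Counter(a.src for a in alerts)
    return sorted(src for src, n in counts.items() if n >= threshold)


# Constructed sample log (addresses from documentation ranges, payloads illustrative).
SAMPLE_LOG = [
    '2026-04-05T09:12:01Z src=198.51.100.7 path=/login user="operator" status=200',
    '2026-04-05T09:12:09Z src=203.0.113.5 path=/login user="admin;id" status=401',
    '2026-04-05T09:12:10Z src=203.0.113.5 path=/login user="a$(uname -a)" status=401',
    "garbage line that does not parse",
    '2026-04-05T09:13:44Z src=198.51.100.9 path=/login user="jane.doe" status=200',
]

if __name__ == "__main__":
    found = scan_auth_log(SAMPLE_LOG)
    for a in found:
        print(f"{a.ts} {a.src} suspicious username: {a.user!r}")
    print("repeat offenders:", repeat_offenders(found))
```

The allowlist is the control that actually closes the hole: even a handler that still shells out cannot be broken out of if the value can only contain `[A-Za-z0-9_.-]`. The scanner is the compensating control for devices that cannot be patched yet; grouping alerts by source mirrors Forescout's observation that the honeypot traffic looked like targeted, automated testing rather than a broad scanner.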

https://www.securityweek.com/lantronix-serial-to-ip-converter-flaw-exploited-in-attacks-after-ot-threat-warning/