Executive Summary
In April 2026, Forescout Technologies identified 22 new vulnerabilities in serial-to-IP converters from Lantronix and Silex, devices integral to connecting legacy industrial equipment to modern networks. These vulnerabilities, including remote code execution and authentication bypass, could allow attackers to disrupt operations, move laterally across networks, and tamper with sensitive data. Notably, tens of thousands of these devices are exposed online, increasing the risk to critical infrastructure sectors such as utilities, manufacturing, and healthcare.
This discovery underscores the persistent security challenges in operational technology environments, particularly concerning devices that bridge legacy systems with modern networks. The prevalence of outdated components and inadequate security measures in these converters highlights the urgent need for organizations to assess and fortify their OT security postures to prevent potential exploitation.
Why This Matters Now
The identification of these vulnerabilities in widely used serial-to-IP converters highlights an immediate risk to critical infrastructure sectors. With tens of thousands of devices exposed online, attackers have a broad attack surface to exploit, potentially leading to significant operational disruptions. Organizations must prioritize securing these devices to mitigate the heightened threat landscape.
Attack Path Analysis
An attacker exploited a heap-based buffer overflow vulnerability in the Silex SD-330AC device to gain unauthorized access. They then escalated privileges by exploiting hard-coded cryptographic keys to apply a malicious firmware update. Using the compromised device as a foothold, the attacker moved laterally within the network to reach other critical systems and established a command and control channel to maintain persistent access. Sensitive data was exfiltrated through the compromised devices. Finally, the attacker disrupted operations by modifying device configurations and causing system outages.
Kill Chain Progression
Initial Compromise
Description
Exploited a heap-based buffer overflow vulnerability in the Silex SD-330AC device to gain unauthorized access.
Related CVEs
CVE-2025-67038
CVSS 9.8
An unauthenticated OS command injection vulnerability in Lantronix EDS5000 allows remote attackers to execute arbitrary commands with root privileges.
Affected Products:
Lantronix EDS5000 – 2.1.0.0R3
Exploit Status:
proof of concept
CVE-2026-32956
CVSS 9.8
A heap-based buffer overflow in Silex SD-330AC and AMC Manager allows remote attackers to execute arbitrary code on the device.
Affected Products:
Silex Technology, Inc. SD-330AC – All versions prior to the latest patch
Silex Technology, Inc. AMC Manager – All versions prior to the latest patch
Exploit Status:
no public exploit
MITRE ATT&CK® Techniques
Block Serial COM
Denial of Service
Exploitation of Remote Services
Obtain Capabilities
Gather Victim Network Information: Network Security Appliances
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – System and Application Security
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity
Control ID: Pillar 1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Oil/Energy/Solar/Greentech
Critical exposure through serial-to-IP converters in SCADA systems controlling power generation and distribution infrastructure, enabling potential grid manipulation attacks.
Industrial Automation
Widespread vulnerability in serial device servers translating legacy machinery communications, risking production disruption and data manipulation in manufacturing environments.
Utilities
High-risk exposure via serial-to-Ethernet converters in supervisory control systems, potentially enabling attackers to disrupt service delivery and infrastructure operations.
Health Care / Life Sciences
Serial converter vulnerabilities threaten medical device connectivity and patient monitoring systems, creating potential safety risks and HIPAA compliance violations.
Sources
- Serial-to-IP Devices Hide Thousands of Old & New Bugs: https://www.darkreading.com/ics-ot-security/serial-ip-devices-thousands-of-bugs
- Critical Lantronix Flaws Enable Root-Level Takeover of Industrial Devices: https://securityarsenal.com/blog/critical-lantronix-flaws-enable-root-level-takeover-of-industrial-devices
- SD-330AC and AMC Manager Unauthenticated RCE (CVE-2026-32956): https://www.yazoul.net/advisory/cve/cve-2026-32956-sd-330ac-and-amc-manager-unauthenticated-rce
- CVE-2025-67038: Lantronix EDS5000 RCE Vulnerability: https://www.sentinelone.com/vulnerability-database/cve-2025-67038/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have constrained the attacker's ability to move laterally, escalate privileges, and exfiltrate data by enforcing strict segmentation and identity-aware policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: While Aviatrix Zero Trust CNSF may not prevent the initial exploitation of device vulnerabilities, it could limit the attacker's ability to leverage the compromised device to access other network segments.
Control: Zero Trust Segmentation
Mitigation: Aviatrix Zero Trust Segmentation could limit the attacker's ability to escalate privileges by enforcing strict access controls and segmenting workloads based on identity and trust levels.
Control: East-West Traffic Security
Mitigation: Aviatrix East-West Traffic Security could reduce the attacker's ability to move laterally by monitoring and controlling internal traffic between workloads.
Control: Multicloud Visibility & Control
Mitigation: Aviatrix Multicloud Visibility & Control could limit the attacker's ability to establish and maintain command and control channels by providing comprehensive monitoring and control over network traffic.
Control: Egress Security & Policy Enforcement
Mitigation: Aviatrix Egress Security & Policy Enforcement could reduce the attacker's ability to exfiltrate data by enforcing strict egress policies and monitoring outbound traffic.
While Aviatrix Zero Trust CNSF may not prevent the initial compromise, it could limit the attacker's ability to propagate the impact by enforcing strict segmentation and access controls.
Impact at a Glance
Affected Business Functions
- Industrial Control Systems
- Remote Monitoring
- Data Acquisition
Estimated downtime: 7 days
Estimated loss: $500,000
Potential exposure of operational data and control commands.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict device-to-device communication and limit lateral movement.
- Deploy Inline IPS (Suricata) to detect and prevent exploitation of known vulnerabilities.
- Utilize Threat Detection & Anomaly Response systems to identify and respond to unusual activities.
- Enforce Egress Security & Policy Enforcement to control outbound traffic and prevent data exfiltration.
- Regularly update and patch devices to mitigate known vulnerabilities.