Key Takeaways
- Forescout Research Vedere Labs discovered 22 new vulnerabilities in Lantronix and Silex serial‑to‑IP converters, collectively named BRIDGE:BREAK.
- Nearly 20,000 of these devices are exposed online worldwide, posing a risk to mission‑critical industrial and legacy systems.
- Flaws span remote code execution, denial‑of‑service, authentication bypass, device takeover, firmware/configuration tampering, information disclosure, and arbitrary file upload.
- Successful exploitation could let attackers hijack serial communications, alter sensor/actuator data, and move laterally within critical networks.
- Vendors have issued security patches; administrators should apply updates, change default credentials, segment networks, and keep devices off the public internet.
- The findings underscore the need to treat serial‑to‑IP converter security as a core operational requirement in industrial control environments.
Overview of the Discovery
Cybersecurity researchers from Forescout’s Vedere Labs identified 22 previously unknown vulnerabilities affecting popular serial‑to‑IP converters made by Lantronix and Silex. The flaws were grouped under the codename BRIDGE:BREAK and were disclosed in a report shared with The Hacker News on April 21, 2026. According to the researchers, some of these weaknesses enable attackers to gain full control of devices connected via serial links, jeopardizing the integrity of industrial control systems (ICS) and other critical infrastructure that rely on legacy serial equipment.
What Serial‑to‑IP Converters Do
Serial‑to‑IP converters are hardware appliances that “bridge” legacy serial devices—such as PLCs, RTUs, and field sensors—to modern IP networks or the internet. By encapsulating serial traffic within TCP/IP packets, they allow remote access, configuration, and management of equipment that would otherwise be isolated. Because they sit at the intersection of old and new technologies, they are frequently deployed in manufacturing, energy, transportation, and utility sectors, making their security paramount for operational continuity.
Vulnerability Distribution and Categories
The 22 shortcomings are split between the two vendors: eight affect Lantronix products (EDS3000PS Series and EDS5000 Series) while fourteen impact the Silex SD330‑AC model. The flaws fall into several broad classes: remote code execution, client‑side code execution, denial‑of‑service (DoS), authentication bypass, device takeover, firmware tampering, configuration tampering, information disclosure, and arbitrary file upload. Each category represents a distinct pathway an adversary could exploit to compromise the converter or the serial assets it mediates.
Remote Code Execution Flaws
Nine vulnerabilities enable remote code execution (RCE) on the affected devices. For Lantronix, these are CVE‑2026‑32955, CVE‑2026‑32956, CVE‑2026‑32961, CVE‑2025‑67041, CVE‑2025‑67034, CVE‑2025‑67035, CVE‑2025‑67036, CVE‑2025‑67037, and CVE‑2025‑67038. Successful exploitation of any of these would allow an attacker to run arbitrary code with the privileges of the converter’s firmware, potentially granting full control over the device and the serial traffic it forwards.
Client‑Side Code Execution and Denial‑of‑Service
A single client‑side code execution vulnerability, CVE‑2026‑32963, could be triggered when a user interacts with a malicious web interface or crafted packet, leading to code execution on the administrator’s workstation. In addition, three DoS‑type flaws—CVE‑2026‑32961 (also listed under RCE), the older CVE‑2015‑5621, and CVE‑2024‑24487—can be used to crash or hang the converter, disrupting serial communications and causing downtime for connected field assets.
Authentication Bypass and Device Takeover
Two authentication bypass issues—CVE‑2026‑32960 and CVE‑2025‑67039—allow an attacker to gain administrative access without valid credentials. Furthermore, the researchers identified a device takeover vector tracked as FSCT‑2025‑0021 (no CVE assigned), along with CVE‑2026‑32965 and CVE‑2025‑70082, which together enable complete control of the converter, effectively turning it into a foothold for deeper network intrusion.
Firmware, Configuration, Information Disclosure, and File Upload Weaknesses
Firmware tampering is possible via CVE‑2026‑32958, permitting malicious firmware to be flashed onto the device. Configuration tampering is tracked as CVE‑2026‑32962 and CVE‑2026‑32964, which let an attacker alter settings such as network parameters or serial port behavior. Information disclosure is facilitated by CVE‑2026‑32959, potentially exposing sensitive logs, credentials, or internal state. Finally, CVE‑2026‑32957 describes an arbitrary file upload flaw that could be used to place malicious scripts or binaries on the converter’s filesystem.
Potential Impact and Attack Scenario
If chained together, these vulnerabilities could enable an adversary to disrupt serial communications with field assets, manipulate sensor readings, or alter actuator commands—actions that could lead to production defects, safety hazards, or service outages. A plausible attack path begins with compromise of an internet‑exposed edge device (e.g., a router or firewall) at a remote facility. The attacker then uses the BRIDGE:BREAK flaws to seize control of the serial‑to‑IP converter, inject malicious serial data, and pivot to other critical systems such as SCADA servers or historian databases, all while remaining stealthy due to the legacy nature of the serial link.
Vendor Mitigations and Best‑Practice Recommendations
Both Lantronix and Silex have released firmware updates that patch the identified CVEs. Administrators are urged to apply these patches promptly. In addition to patching, security hygiene measures include replacing default usernames and passwords, enforcing strong credential policies, segmenting the network so that converters are isolated from untrusted zones, and ensuring the devices are not directly reachable from the public internet. Deploying intrusion detection/prevention systems (IDS/IPS) to monitor anomalous serial‑to‑IP traffic can also provide an extra layer of defense.
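An inventory check built on these recommendations, added here as an illustration and not taken from the Forescout report or either vendor: it flags converters from the product families named above that are unpatched, still on default credentials, outside an isolated zone, or addressed outside RFC 1918 space. The CSV columns, the zone name, and the sample rows are constructed assumptions.

```python
import csv
import io
import ipaddress

# Product families the article names as affected by BRIDGE:BREAK.
AFFECTED = {"lantronix": ("EDS3000PS", "EDS5000"), "silex": ("SD330-AC",)}
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ISOLATED_ZONES = {"ot-serial"}  # assumption: site-specific zone name

# Constructed inventory; 203.0.113.0/24 is a documentation range standing in
# for a public address. Column names are assumptions of this example.
SAMPLE = """asset,vendor,model,mgmt_ip,zone,default_creds,patched
rtu-bridge-1,Lantronix,EDS3000PS,203.0.113.20,dmz,yes,no
plc-bridge-2,Silex,SD330-AC,10.20.0.5,ot-serial,no,yes
hist-bridge-3,Lantronix,EDS5000,192.168.4.9,corp,no,no
console-4,ExampleCo,TS-100,10.20.0.9,ot-serial,yes,no
"""

def is_affected(vendor, model):
    """Match a vendor/model pair against the affected product families."""
    families = AFFECTED.get(vendor.strip().lower(), ())
    return any(model.strip().upper().startswith(f) for f in families)

def audit(inventory_csv):
    """Return {asset: [findings]} for affected converters, worst first."""
    report = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if not is_affected(row["vendor"], row["model"]):
            continue  # not covered by this advisory
        findings = []
        addr = ipaddress.ip_address(row["mgmt_ip"])
        if not any(addr in net for net in RFC1918):
            findings.append("management address outside RFC 1918; check internet exposure")
        if row["zone"] not in ISOLATED_ZONES:
            findings.append("not in an isolated converter zone")
        if row["default_creds"] == "yes":
            findings.append("default credentials still set")
        if row["patched"] != "yes":
            findings.append("vendor firmware update not applied")
        report[row["asset"]] = findings
    return dict(sorted(report.items(), key=lambda kv: -len(kv[1])))

if __name__ == "__main__":
    for asset, findings in audit(SAMPLE).items():
        print(asset, "OK" if not findings else "; ".join(findings))
```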
Broader Implications for Industrial Security
The BRIDGE:BREAK research highlights a growing attack surface as organizations increasingly connect legacy serial equipment to IP‑based networks for remote monitoring and management. Serial‑to‑IP converters, often overlooked in traditional vulnerability management programs, can become critical choke points if not secured. The findings reinforce the view that securing these bridging devices must be treated as a core operational requirement, on par with patching mainstream IT assets. By integrating converter security into broader risk assessments, conducting regular penetration tests, and maintaining up‑to‑date inventories of all hardware—including seemingly mundane serial interfaces—organizations can better protect their industrial control environments against sophisticated, multi‑stage threats.

