A Root Flaw in Lantronix Serial-to-IP Converters Is Under Attack, and OT Networks Are the Real Target

CVE-2025-67038 lets attackers run root commands on Lantronix EDS5000 converters through the login form. CISA put it on the KEV list, and Forescout says a threat actor called Chaya_006 was probing it months before the catalog caught up.

Published July 2, 2026

The Login Form Is the Attack Surface

Some vulnerabilities are elaborate. This one is not, and that is what makes it dangerous. CVE-2025-67038, a command injection flaw rated CVSS 9.8 in Lantronix EDS5000 serial-to-IP converters, lets an attacker execute arbitrary operating system commands with root privileges. The mechanism is almost quaint in its simplicity: the device's HTTP RPC module logs failed authentication attempts, and to do so it takes the submitted username and concatenates it directly into a shell command without any sanitization. Feed it a username that is actually a command, and the device runs it as root while dutifully recording your failed login.

As Forescout's researchers described it, the username is directly concatenated with the command without any sanitization, which is the kind of mistake secure-coding guidance has warned against for decades. The practical consequence is that the login screen, the one part of the device an unauthenticated attacker can always reach, is the exploit surface. There is no need to guess credentials or bypass a session check. The act of failing to log in is itself the delivery vehicle for the payload, which makes exploitation both trivial and reliable against any exposed unit.
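The bug class, as an added illustration rather than Lantronix's own code (which this article does not reproduce): the unsafe version builds the failed-login command line the way the article describes and returns it, so the effect of shell metacharacters in a username is visible without executing anything; the hardened pair rejects anything outside an allow-list and logs through syslog(3) with no shell involved. The `logger -t rpcauth` helper and the allow-list characters are assumptions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Illustrative code, not Lantronix firmware. A failed-login logger that
 * pastes the submitted username into a shell command line. This version only
 * BUILDS the command and returns it; a vulnerable device would hand the
 * string to system() or popen(), running whatever the username contains. */
static char cmd_buf[256];
const char *build_log_command_unsafe(const char *username) {
    /* "logger -t rpcauth" is a hypothetical stand-in for the device's helper. */
    snprintf(cmd_buf, sizeof cmd_buf,
             "logger -t rpcauth \"failed login for %s\"", username);
    return cmd_buf;   /* any shell metacharacters in username survive intact */
}

/* Hardened step 1: accept only a tight allow-list of username characters.
 * The same check is useful on a reverse proxy or WAF in front of the device. */
bool username_is_safe(const char *username) {
    size_t n = strlen(username);
    if (n == 0 || n > 64)
        return false;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)username[i];
        if (!(isalnum(c) || c == '_' || c == '-' || c == '.' || c == '@'))
            return false;
    }
    return true;
}

/* Hardened step 2: log through syslog(3) directly. No shell is involved, and
 * the username is passed as a format ARGUMENT, never spliced into the format. */
bool log_failed_login_safe(const char *username) {
    if (!username_is_safe(username)) {
        syslog(LOG_WARNING,
               "failed login: username rejected by allow-list (len=%zu)",
               strlen(username));
        return false;
    }
    syslog(LOG_WARNING, "failed login for user %s", username);
    return true;
}
```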

CISA Confirms It Is Being Used

On June 23, 2026, CISA added CVE-2025-67038 to its Known Exploited Vulnerabilities catalog and set a remediation deadline of June 26 for federal agencies, a three-day turnaround that signals real urgency. The KEV listing is confirmation that this is not a hypothetical risk sitting in a database, but a flaw being actively used against real targets. For federal operators the deadline is binding, and for everyone else it is the clearest possible advisory that patching this device cannot wait for the next scheduled maintenance window.

What complicates the picture is that Lantronix released a patch for this flaw back on February 20, 2025, more than a year before the KEV listing. The vulnerability itself became public in April 2026 as part of a disclosed vulnerability set. The long gap between the fix and the catalog entry is a familiar problem with embedded and operational-technology gear: patches exist, but the devices are rarely inventoried, rarely monitored, and rarely updated, so a fix being available is not the same as a fix being applied. The exploitation is happening in that gap.

Chaya_006 Was There Early

Forescout's Vedere Labs, which tracks operational-technology threats, attributed the probing to an actor it tracks as Chaya_006, observed targeting its honeypots from IP addresses tied to the campaign and sending command-injection attempts against the device's authentication RPC endpoint. Crucially, Vedere Labs saw this activity as early as April 5, 2026, and running through early June, meaning attackers were already exercising the flaw well before it landed on CISA's radar. The exploitation predates the public alarm, which is often how these embedded-device campaigns unfold.

One detail from the research is worth dwelling on. Forescout concluded that the attackers did not use information from its own report, but may have reverse-engineered the patch to build an exploit. That is a reminder that shipping a fix is not a purely defensive act. A patch is also a map, and for internet-facing devices with a large exposed population, sophisticated actors will diff the update to locate the flaw and weaponize it against everyone who has not yet applied it. The February 2025 patch, in other words, may have been the very thing that told Chaya_006 where to look.

Why Serial-to-IP Converters Matter

A serial-to-IP converter is easy to dismiss as trivial hardware, but its job is exactly what makes it strategically valuable to an attacker. These devices bridge legacy serial equipment, the industrial controllers, sensors, and machinery that still speak decades-old protocols, onto modern IP networks. They are the seam between operational technology and information technology, and that seam is precisely where an intruder wants to sit. Root on the converter means a position that can see and potentially manipulate traffic flowing between the corporate network and the physical process on the other side.

Forescout's scanning found roughly 31,850 internet-exposed devices in the broader population it studied, a meaningful attack surface for a class of hardware that most security teams have never enumerated. Operational-technology environments have historically leaned on isolation and obscurity for protection, but converters like the EDS5000 exist specifically to end that isolation by connecting old equipment to the network. When one of them carries an unauthenticated root flaw, the assumptions that OT is air-gapped or too specialized to target collapse, and the consequences reach into physical systems that IT-centric incident response is not built to handle.

Closing the OT Blind Spot

The immediate action is to identify every Lantronix EDS5000 device in the estate and apply the available firmware fix, then get these units off the public internet, because an exposed serial-to-IP converter with this flaw is among the easiest targets an attacker can find. Beyond patching, the standard OT hygiene applies with new urgency: replace default credentials, enforce strong passwords, and put strict network segmentation between these bridging devices and both the corporate network and the operational systems they serve. Segmentation is what limits the blast radius when, not if, one of these devices is compromised.

The deeper problem this incident exposes is visibility. A patch that shipped in February 2025 was still being exploited in mid-2026 because organizations did not know they had the devices, let alone that they were vulnerable. Closing that blind spot means treating OT and embedded hardware as first-class assets in inventory and vulnerability management, not as someone else's problem living in a plant somewhere. Chaya_006 found these converters by reverse-engineering a patch. The defenders who avoid becoming victims are the ones who found the same devices first, on their own asset list.
