CISA added CVE-2025-67038, a critical Lantronix EDS5000 flaw, to its Known Exploited Vulnerabilities catalog on June 23, 2026, giving federal civilian agencies until June 26, 2026, to remediate a vulnerability marked as actively exploited.

Lantronix is a Nasdaq-listed provider of edge AI and industrial IoT hardware, software and services. Its EDS5000 systems connect serial devices to Ethernet for remote access and management, placing the affected appliances in environments where older operational equipment may be reachable through modern networks.

The flaw, tracked as CVE-2025-67038, affects Lantronix EDS5000 firmware 2.1.0.0R3. NVD’s description says the device’s HTTP RPC module writes logs after failed authentication, concatenates the supplied username into a command without sanitization and lets attackers inject operating system commands that run with root privileges. The CISA-ADP assessment gives the vulnerability a CVSS 3.1 score of 9.8.
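
The bug class NVD describes, shown as an added Python illustration (not Lantronix code and not derived from the firmware): a failed-login username spliced into a shell command, beside hardened patterns that never hand input to a shell and a log-side check a defender can run over login failures. The log format, the `logger` invocation and the sample username are assumptions.

```python
import os
import re
import tempfile

# Added example, not Lantronix code. It models the bug class NVD describes for
# CVE-2025-67038 (a failed-login username spliced into a shell command) beside
# hardened patterns and a log-side check a defender can run over login failures.

CONTROL = re.compile(r"[\x00-\x1f\x7f]")
METACHARS = re.compile(r"[;&|`$(){}<>\n\r'\"\\]")


def build_log_command_vulnerable(username: str) -> str:
    """The flawed shape: input concatenated into a shell string. Returned, never
    run here; a quote in `username` ends the literal and the rest becomes commands."""
    return f"echo 'auth failure for {username}' >> /var/log/auth.log"


def format_failed_login(username: str) -> str:
    """Hardened: build the line in-process, no shell. Control characters are
    replaced so a crafted name cannot forge extra log lines either."""
    return f"auth failure for user={CONTROL.sub('?', username)[:64]!r}\n"


def write_failed_login(username: str, log_path: str) -> str:
    """Append with plain file I/O instead of `echo ... >>` through a shell."""
    line = format_failed_login(username)
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(line)
    return line


def logger_argv(username: str) -> list:
    """If an external logger binary is unavoidable: argv list, shell=False, so the
    username is a single argument that no shell ever re-parses."""
    return ["logger", "-t", "http-rpc", f"auth failure for {username}"]


def looks_like_injection_attempt(username: str) -> bool:
    """Detection heuristic over failed-login usernames: shell metacharacters in a
    username are worth alerting on for devices of this class."""
    return METACHARS.search(username) is not None


def demo(username: str) -> tuple:
    """Write one hardened entry to a temp file; returns (line, file contents)."""
    fd, path = tempfile.mkstemp(suffix=".log")
    os.close(fd)
    try:
        line = write_failed_login(username, path)
        with open(path, encoding="utf-8") as fh:
            return line, fh.read()
    finally:
        os.remove(path)
```

The `demo` helper exists only so the hardened write can be exercised against a throwaway file; in a real appliance the log path would be fixed and the detection check would run over the authentication log, not over live requests.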

Timeline and mitigation guidance

CISA’s March 11 industrial-control advisory listed critical manufacturing, communications and information technology among the affected sectors, with deployments worldwide. At the time, the advisory said: “No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.”

NVD’s CVE record shows CISA’s exploitation status for the flaw as “active,” while the KEV entry requires mitigation in line with vendor instructions, BOD 26-04 and CISA’s forensic triage requirements.

Lantronix disclosed on June 29 that “a firmware update addressing these vulnerabilities has been available since February 20, 2026” and told customers to upgrade to firmware version 2.2.0.0R1 or later.

Lantronix’s advisory also recommends replacing default credentials, prohibiting weak passwords, restricting network access, placing affected devices behind a firewall and limiting management interfaces to trusted networks only.

Those interim steps mirror CISA’s industrial-control guidance, which recommends keeping control-system devices away from direct internet exposure and isolating them from business networks where possible.

Honeypot catches early exploitation

Forescout Research’s Vedere Labs later reported exploitation that predated the June KEV update. The firm said it saw CVE-2025-67038 exploited on a Lantronix honeypot on April 5, after Lantronix had patched the issue but before Forescout published its BRIDGE:BREAK report.

Forescout wrote that attackers “may have reverse-engineered the patch to build an exploit,” and identified the activity cluster as Chaya_006.

Operational risks of serial-to-IP converters

The device class makes the patching question operational as well as technical. Forescout defines serial-to-IP converters as devices that let traditional serial equipment communicate over IP networks for remote monitoring and management, including PLCs in industrial processes, RTUs and protective relays in the power grid, barcode scanners in retail and bedside patient monitors in healthcare.

Daniel dos Santos, vice president of research at Forescout, described the operational risk this way: “Serial-to-IP converters sit directly in the path between operators and physical processes, yet they often fall outside traditional security monitoring.”

NIST guidance on OT patch management

NIST’s OT security guidance gives the patching problem its governance shape. SP 800-82 Rev. 3 says OT systems have unique performance, reliability and safety requirements, and its patch-management section says organizations should implement a “systematic, accountable, and documented OT patch management process” for managing exposure to vulnerabilities.

The same NIST section says the process should cover how organizations monitor for patches, when they apply them, how they test them and how they choose compensating controls when patching is delayed.

NIST also warns patches can affect production or safety functions, recommends testing on offline systems where possible and says patch timing should be determined by knowledgeable OT personnel during planned outages.

Execution challenges for smaller manufacturers

For smaller manufacturers, that turns active exploitation into an execution question: who can verify exposure, approve downtime, test the update and preserve evidence if compromise is suspected?

NIST’s small-manufacturing segmentation paper identifies security segmentation as a cost-effective way to mitigate cyber vulnerabilities in small manufacturing environments by grouping assets into zones according to the protection they need.

For exposed serial-to-Ethernet devices, the segmentation point connects NIST’s small-manufacturing guidance with Forescout’s recommendation to prevent attackers from reaching vulnerable converters directly or using them to compromise other critical assets.
