The attack on the Lantronix EDS5000 turns a defender's instinct against them: you do not need a valid password to take it over. You need a failed one. When a login fails, the box writes a log line by passing whatever you typed as the username straight into a shell command, with nothing in between to clean it. Put an operating-system command where the username belongs, fail the login on purpose, and the device runs that command as root. The authentication step is not the wall. It is the trigger.
On June 23, 2026, CISA added this flaw, CVE-2025-67038, to its Known Exploited Vulnerabilities catalog and gave federal agencies until June 26 to patch or disconnect. That listing is the news, not the bug itself. CISA only promotes a vulnerability to that catalog once it has evidence of real-world attacks, so the right assumption is that any EDS5000 you can reach from an untrusted network, someone else can reach too, and is already probing.
What a Lantronix EDS5000 actually is, and why it is in your blind spot
An EDS5000 is a serial device server, a small box whose whole job is to put old serial equipment onto an IP network. Industrial sensors, building controllers, medical instruments, point-of-sale hardware, lab gear, and out-of-band console ports on routers and switches all still speak RS-232 and RS-485. The device server is the adapter that lets you reach them over the network instead of with a cable and a laptop in a closet.
That role is exactly why these boxes are dangerous when they break. They run a small embedded Linux as root, they sit at the seam between your IT network and the operational gear behind them, and almost nobody patches them, because almost nobody has them in an asset inventory. A vulnerability scanner that fingerprints servers, laptops, and the occasional firewall will walk right past a device server answering on port 80. It is not an endpoint and it is not a server, so it falls into the category most programs never built a process for: infrastructure that someone installed once and never thought about again.
The scale is not small. When Forescout's research team disclosed the underlying flaws, it found roughly 20,000 of these serial-to-network converters reachable from the public internet. A device server should never be one of those 20,000. Its entire purpose is internal reach to legacy gear, and there is no good reason for it to answer a stranger on the open internet. Yet there they are, each one a root shell waiting for a malformed login.
The patch was available. The exploitation came anyway.
CVE-2025-67038 is not a fresh discovery. It is part of a set of 22 vulnerabilities that Forescout named BRIDGE:BREAK and disclosed on April 21, 2026, covering Lantronix EDS3000PS and EDS5000 units alongside Silex serial converters. Lantronix shipped fixed firmware at disclosure. So the timeline that matters for planning is this: public disclosure and a patch in April, confirmed active exploitation in late June. Roughly two months from "you should patch this" to "attackers are patching it for you, badly."
That window is the lesson, and it keeps getting shorter for edge hardware. The two months were not a grace period. They were the runway attackers used to reverse the fix, write reliable tooling, and find the unpatched population. A program that schedules embedded-device firmware on a quarterly cadence loses that race every time. For anything on CISA's exploited list, the only safe cadence is days.
There is a second tell buried in the BRIDGE:BREAK set that is worth saying out loud: it included CVE-2015-5621, an SNMP flaw from 2015 still present in current firmware. An eleven-year-old known bug shipping in a 2026 build is not an accident. It is a signal that the firmware supply chain for this class of device does not carry security fixes forward the way mainstream operating systems do. When you buy a serial converter, you are not buying something that gets quietly hardened over its life. You are buying the security posture of its release year, frozen.
This is the same story as last week, on different hardware
The EDS5000 did not get added to the exploited list alone. CISA listed it on the same day as three flaws in self-hosted UniFi network controllers, also unauthenticated, also leading to root. A week earlier it was a Splunk database sidecar. Before that, forgotten home and small-office routers were being herded into a scanning botnet. The common thread is not a vendor or a product line. It is an internet-reachable management interface on an embedded device that someone forgot was reachable.
Attackers worked this out before most defenders did. The well-patched, well-monitored part of the estate, the laptops and cloud workloads, is genuinely harder than it was five years ago. The device server, the converter, the appliance management port: those are soft, they run as root, and they almost never appear in a detection feed. As one ransomware crew showed, you do not need a zero-day when the patch backlog on edge devices is doing the work for you.
What to do right now
- Patch the EDS5000 to firmware 2.2.0.0R1. The affected build is 2.1.0.0R3, and the same fix covers the EDS5008 and EDS5016 variants. If you cannot patch within days, disconnect the device from any untrusted network until you can.
- Find the ones you forgot. Search your network for Lantronix and Silex serial servers, terminal servers, and console servers. They commonly answer on HTTP, Telnet, and SSH, and Lantronix units respond to a discovery probe on UDP port 30718. An external scan of your own ranges will tell you fast whether any are facing the internet.
- Get them off the public internet. A serial device server belongs on an internal management network reachable through a VPN, never on a public address. This single change removes the precondition the attack needs, which is the ability to send the box a login at all.
- Watch the auth-failure path, because it is the exploit path. A burst of failed logins to one of these devices is not a brute-force attempt to ignore. On a vulnerable EDS5000 it is the attack itself. Forward the device logs to your monitoring, alert on failed-login spikes, and treat any unexpected outbound connection from a serial converter as a compromise until proven otherwise.
- Segment so a converter cannot become a pivot. These boxes bridge IT and operational gear by design. Put firewall rules between the converter's network and everything else so that owning the bridge does not hand an attacker the equipment on the other side of it.
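The "watch the auth-failure path" item above is the one that turns into a detection rule. The following is an added example, not code from Lantronix, Forescout or CISA: a small Python triage script that reads forwarded device-server log lines, flags failed logins whose username field carries shell metacharacters (the signature of a log-field injection attempt rather than a mistyped password), and flags sources that pile up failures inside a short window. The log line format, hostnames, addresses, usernames, the assumed year for syslog timestamps, and the burst threshold are all constructed for illustration; a real EDS5000 emits its own format, so LINE_RE must be adapted to the lines your device actually forwards.

```python
"""Triage forwarded serial-device-server auth logs for injection-style failures.

Added example, not vendor code. The log format below is constructed; adapt
LINE_RE to the exact syslog line your device emits before relying on it.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a couple of ordinary failures from an internal host, then a
# tight burst from an external host whose usernames contain shell metacharacters.
SAMPLE_LOG = """\
Jun 23 10:00:01 eds5000-lab auth: login failed for user 'operator' from 10.0.5.20
Jun 23 10:07:15 eds5000-lab auth: login failed for user 'operator' from 10.0.5.20
Jun 23 10:07:40 eds5000-lab auth: login ok for user 'operator' from 10.0.5.20
Jun 23 11:30:00 eds5000-lab auth: login failed for user 'admin' from 203.0.113.7
Jun 23 11:30:01 eds5000-lab auth: login failed for user 'admin;true' from 203.0.113.7
Jun 23 11:30:02 eds5000-lab auth: login failed for user 'x$(hostname)' from 203.0.113.7
Jun 23 11:30:02 eds5000-lab auth: login failed for user 'a|hostname' from 203.0.113.7
Jun 23 11:30:03 eds5000-lab auth: login failed for user 'admin' from 203.0.113.7
"""

# Assumed line shape (hypothetical): "<Mon> <day> <HH:MM:SS> <host> auth: login <failed|ok> for user '<user>' from <src>"
LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) (?P<day>\s?\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ auth: "
    r"login (?P<result>failed|ok) for user '(?P<user>[^']*)' from (?P<src>\S+)$"
)

# Characters that have no business in a username but do have meaning to a shell.
SHELL_META = re.compile(r"[;|&`$()<>\\\n]")

# Syslog lines carry no year; assume the current incident year (constructed assumption).
ASSUMED_YEAR = 2026


def parse_events(text):
    """Turn raw log text into a list of event dicts; unrecognised lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp = f"{m['mon']} {m['day'].strip()} {m['time']} {ASSUMED_YEAR}"
        ts = datetime.strptime(stamp, "%b %d %H:%M:%S %Y")
        events.append({"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]})
    return events


def find_injection_attempts(events):
    """Failed logins whose username field contains shell metacharacters."""
    return [e for e in events if e["result"] == "failed" and SHELL_META.search(e["user"])]


def find_failure_bursts(events, threshold=4, window=timedelta(minutes=1)):
    """Return {src: max failures seen inside any sliding window} for sources at or over threshold."""
    by_src = defaultdict(list)
    for e in events:
        if e["result"] == "failed":
            by_src[e["src"]].append(e["ts"])
    bursts = {}
    for src, times in by_src.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[src] = best
    return bursts


def triage(text):
    """Summarise a log chunk: event count, metacharacter usernames, and burst sources."""
    events = parse_events(text)
    return {
        "events": len(events),
        "injection_attempts": [(e["src"], e["user"]) for e in find_injection_attempts(events)],
        "bursts": find_failure_bursts(events),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

On the constructed sample the internal host's two failures seven minutes apart are left alone, while 203.0.113.7 is reported both for a burst of five failures in three seconds and for three usernames containing shell metacharacters. Either signal alone on a device-server log is worth paging on; the metacharacter hit is the stronger one, because a legitimate user never types `$(` or `;` into a username field.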
The uncomfortable part of this story is not the bug. Command injection through an unsanitized log field is an old mistake. The uncomfortable part is that the device most likely to carry it is the one you are least likely to know you own. Before you close this tab, the honest question is not whether you have patched your EDS5000. It is whether you can say, in the next ten minutes, how many serial device servers are on your network and which ones answer the internet.