Key Takeaways

  • Active Exploitation Confirmed: CISA added CVE-2025-67038, an arbitrary command execution vulnerability in the Lantronix EDS5000 serial-to-ethernet converter, to its KEV catalog on June 23, 2026.
  • Critical Cyber-Physical Risk: Serial-to-ethernet converters are communication choke points for industrial and OT environments — exploitation can result in loss of control over downstream automation assets with physical consequences.
  • State Actor Precedent: Russian state-linked actors (Sandworm, Berserk Bear) have previously weaponized this device class in disruptive attacks against Ukrainian power infrastructure and Polish industrial entities.
  • Patching May Not Be Immediately Feasible: High-availability industrial environments typically cannot patch out-of-band — compensating controls and contingency planning are essential in the near term.

Vulnerability Added to KEV

On 23 June 2026, the US Cybersecurity and Infrastructure Security Agency (CISA) added four vulnerabilities to its list of known exploited vulnerabilities (KEV): three for the consumer and small business networking platform Ubiquiti, and one for a code injection vulnerability (CVE-2025-67038) in the Lantronix EDS5000 platform. The Ubiquiti vulnerabilities on their own are concerning given historical state-sponsored threat interest in exploiting the platform to create proxy networks, but the Lantronix vulnerability represents something else entirely.

The Lantronix EDS5000 platform is a serial-to-ethernet converter used for industrial automation and related applications. The device allows for communication with and management of serially connected devices, such as internet of things (IoT) or operational technology (OT) systems, via ethernet. As such, these devices are critical choke points for various cyber-physical operation scenarios. The addition to CISA’s KEV indicates that there is known, documented exploitation of a vulnerability in this platform allowing for arbitrary command execution.

Dataminr Alert on CVE-2025-67038 including enhanced context from Intel Agents

Background

While a seemingly niche technology, serial-to-ethernet converters have had an outsized role in cyber-physical attack scenarios over the past ten years. In 2015, the Sandworm entity, associated with Russia’s military intelligence agency, attacked several distribution substations in Ukraine. In addition to manipulating equipment to cause an electric system outage and wiping Windows-based systems with malware to impede recovery, the adversary also developed a malicious firmware payload to “update” and ultimately “brick” serial-to-ethernet converters at the victim sites. The result of this action was to induce a loss of control condition for the affected sites, making system recovery significantly more difficult and dependent on manual operations.

Almost exactly 10 years later, a different Russian threat actor, publicly tracked as Berserk Bear and linked to the Russian FSB, attempted a disruptive attack against multiple industrial entities in Poland. Similar to the 2015 Ukraine event, the adversary leveraged default credentials to access serial-to-ethernet controllers in the victim environment to reset them to factory settings, change credentials, and change device IP addresses to make them unreachable. The result, while not as complex as the malicious firmware update, was effectively the same in impairing control over assets on the other side of the converters.

Implications

Identification of active exploitation of an arbitrary command execution vulnerability in Lantronix EDS5000 devices is deeply concerning given the nature and significance of such devices for industrial and automation control. While no specific events are known at this time, the possibility exists for loss or denial of control over industrial or automation assets through manipulation of vulnerable devices.

Furthermore, given the nature of most industrial environments combined with the high-availability nature of the devices in question, “just patch” becomes inactionable advice outside of set facility maintenance windows. As a result, organizations running this equipment will likely need to adopt compensating controls for the near future prior to reaching a patching window.

Given the potential of such vulnerabilities for cyber-physical impacts and known, documented abuse of such devices by state-directed threat actors, addition to the CISA KEV is a clear warning that potentially concerning activity has taken place in these environments. Industrial and automation organizations must therefore respond accordingly through appropriate defensive countermeasures.

Recommendations & Defense

  • Limit connectivity and accessibility. While difficult since serial-to-ethernet converters are, by design, communication devices, limiting access to administrative and authentication portals for such devices to a small subset of overall environments can drastically reduce attack surface and minimize adversary ability to leverage vulnerabilities such as CVE-2025-67038.
  • Patch when possible. Although immediate, out-of-band patching may not be applicable for all organizations, identifying suitable windows to apply patches to eliminate the vulnerability must take place as soon as practical to reduce exposure for critical devices.
  • Monitor for activity. Where the above items are either not possible or not immediately actionable, organizations must maintain vigilance over communications to such devices that represent potential administrative logons or other actions that could indicate attempts at exploitation or subversion of such devices.
  • Develop contingency plans. A key factor in the 2015 Ukraine power incident was the ability of the victim entities to rapidly switch to manual operations for the impacted sites, allowing for restoration of services. While not ideal, organizations should identify mechanisms to allow for minimally acceptable operations if loss of control or similar should take place to ensure continued availability of services in an attack scenario.
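The following Python sketch is an added example, not part of the Dataminr brief or any Lantronix software, showing how the "limit connectivity" and "monitor for activity" recommendations can be operationalized from ordinary connection logs: it flags administrative access to a converter from outside a management allowlist, and flags converters that have gone quiet, which is what a factory reset, re-addressing or bricked firmware would look like from the network. The converter inventory, the allowlist, the admin port numbers and the log lines are all constructed assumptions; the EDS5000's actual management ports are not documented here.

```python
# Added example: minimal monitoring for serial-to-ethernet converters.
# All values below are constructed for illustration (not real EDS5000 data).
CONVERTERS = {"10.20.1.11", "10.20.1.12", "10.20.1.13"}   # assumed converter inventory
MGMT_ALLOWLIST = {"10.20.0.5"}                            # assumed engineering workstation
ADMIN_PORTS = {22, 80, 443}                               # placeholder admin service ports

# Constructed connection log, one record per line: "epoch_seconds src dst dport"
SAMPLE_LOG = """\
1000 10.20.0.5 10.20.1.11 443
1010 10.20.0.5 10.20.1.12 443
1020 10.20.5.77 10.20.1.11 80
1030 10.20.0.9 10.20.1.13 10001
1040 10.20.0.5 10.20.1.12 443
1050 10.20.0.9 10.20.1.11 10001
"""


def parse(log):
    """Yield (ts, src, dst, dport) tuples from the simple log format above."""
    for line in log.splitlines():
        ts, src, dst, dport = line.split()
        yield int(ts), src, dst, int(dport)


def unauthorized_admin_access(log):
    """Connections to a converter admin service from a host not on the allowlist.
    These are the 'potential administrative logons' the brief says to watch for."""
    return [(ts, src, dst, port) for ts, src, dst, port in parse(log)
            if dst in CONVERTERS and port in ADMIN_PORTS and src not in MGMT_ALLOWLIST]


def silent_converters(log, now, max_quiet):
    """Converters with no traffic at all in the last max_quiet seconds.
    A device that was reset, re-addressed or bricked goes quiet on the network,
    so this is a loss-of-control indicator to investigate, not proof of compromise."""
    last_seen = {}
    for ts, _, dst, _ in parse(log):
        if dst in CONVERTERS:
            last_seen[dst] = max(ts, last_seen.get(dst, ts))
    # A converter never seen at all (last_seen missing) is also reported.
    return sorted(c for c in CONVERTERS if now - last_seen.get(c, 0) > max_quiet)


if __name__ == "__main__":
    print("unauthorized admin access:", unauthorized_admin_access(SAMPLE_LOG))
    print("silent converters:", silent_converters(SAMPLE_LOG, now=1100, max_quiet=60))
```

In a real deployment the inventory and allowlist would come from the asset register and firewall policy, and the log source would be flow records or firewall logs rather than an inline string.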

Author
Joseph Slowik, Director of Threat Research and Cyber Engineering
June 24, 2026