Key Findings
- Serial-to-Ethernet converters remain widely deployed across manufacturing, retail, healthcare, and utilities.
- Using tools such as Shodan, attackers can find tens of thousands of these devices exposed online.
- Using open-source intelligence (OSINT), attackers can sometimes find details about these devices, including internal IP addresses, model and vendor names, and photographs showing deployment in electrical substations, water treatment plants, and other critical infrastructure environments.
- We found outdated components, n-day vulnerabilities, and a lack of binary hardening in firmware from five major vendors.
- This mirrors what we previously observed in industrial routers.
- We identified 22 new vulnerabilities in products from two vendors: Lantronix and Silex.
- Some of these vulnerabilities allow attackers to take full control of mission-critical devices connected via serial links.
- We demonstrated attack scenarios in operational technology (OT) and healthcare environments that show how easily an attacker could tamper with data exchanged via serial-to-IP converters and the operational impact that could have.
Mitigation Recommendations
- Patch newly identified vulnerabilities as soon as possible.
- Replace default credentials, and prohibit weak passwords, to reduce the risk of exploitation of authenticated vulnerabilities.
- Segment networks to prevent threat actors from reaching vulnerable serial-to-IP converters or using them as a pivot to compromise other critical assets.
- Monitor for exploitation attempts targeting serial-to-IP converters, and for anomalous communications to or from these devices.
Serial-to-IP converters, also called serial device servers or serial-to-Ethernet adapters, allow traditional serial equipment to communicate over modern IP networks for remote monitoring and management.
Examples of serial equipment include remote terminal units (RTUs) and protective relays in the power grid, programmable logic controllers (PLCs) in industrial processes, barcode scanners and point-of-sale systems in retail, and bedside patient monitors in healthcare. Serial-to-IP converters let organizations onboard these devices into TCP/IP networks without replacing existing equipment.
Threat actors have exploited serial-to-IP converters in attacks targeting critical national infrastructure. In 2015, an attack against Ukraine intentionally corrupted the firmware of several serial-to-IP converters, rendering electrical substations inoperable remotely. In 2025, these devices were again targeted in the Polish power grid.
As attacks against critical infrastructure have become more frequent over the past decade, BRIDGE:BREAK, a new research report from Forescout Research – Vedere Labs, revisits the security of serial-to-IP converters.
Below, we summarize the new vulnerabilities, attack scenarios, and recommended mitigations discussed in this research. Full details are available in the technical report.
See an overview of the findings on our research page.
New Vulnerabilities and Attack Scenarios
We automatically analyzed firmware from five major vendors of serial-to-IP converters and found that, on average, each firmware image contained:
- 80 identified open-source software components
- 2,255 known vulnerabilities affecting the Linux kernel and 212 known vulnerabilities affecting other open-source components
- 89 publicly available exploits
We then manually analyzed three devices to identify new vulnerabilities:
- Lantronix EDS3000PS Series: Compact, office-grade multi-serial-port serial device server (8–16 ports)
- Lantronix EDS5000 Series: Rack-mountable serial device server supporting 8, 16, or 32 serial ports
- Silex SD330-AC: Small serial device server designed to connect RS-232C serial devices over a wireless network or an Ethernet port
We found 8 new vulnerabilities in Lantronix products and 14 in Silex products. All vulnerabilities are detailed in the technical report. At a high level, they fall into the following impact categories:
- Remote code execution (RCE) via OS command injection or buffer overflow conditions
- Device takeover via authentication weaknesses
- Firmware tampering enabled by a hardcoded signing key
- Denial of service (DoS)
- Other impacts, including arbitrary file upload, authentication bypass, and information disclosure (including passwords and keys) due to weak encryption
Using these vulnerabilities, attackers could achieve at least three kinds of impact:
- Denial of Service: Attackers could disrupt serial communications with field assets, similar to the operational effect reported in the 2015 and 2025 attacks against the Ukrainian and Polish energy grids. In the technical report, we also discuss how firmware vulnerabilities can enable time-triggered DoS conditions, which attackers could coordinate with other actions.
- Lateral movement: In our previous research on deep lateral movement, we demonstrated that attackers could cross boundaries of non-routable OT networks by exploiting controller-level devices. In this report, we focus on exploiting serial-to-IP converters to pursue similar outcomes, but via different, and in some cases simpler, exploit paths.
- Sensor and actuator data tampering: An attacker who can execute code on a compromised converter can alter data as it moves between the serial side and the IP network. For example, an attacker could change sensor values (temperature, pressure, humidity, flow, or patient heart rate) to arbitrary values. Conversely, an attacker could modify commands coming from the IP network to the serial side, potentially changing actuator behavior (for example, the speed or direction of a servo motor).
The figure below illustrates a simplified data-tampering scenario (detailed in the technical report).
The scenario reflects a common architecture in power and water utilities and manufacturing, where serial equipment is integrated into IP networks for remote monitoring and management. In electrical substations, intelligent electronic devices (IEDs), such as protection relays, monitor variables including voltage, current, and frequency, and can trip circuit breakers when they detect dangerous conditions. These IEDs can be connected to IP networks for centralized monitoring and control via supervisory control and data acquisition (SCADA) systems, using serial-to-IP converters. In manufacturing, serial computer numerical control (CNC) machines may be connected to IP networks for centralized data collection and operations monitoring.
The simplified attack flow is:
- Initial access: The attacker gains access to a remote facility through an internet-exposed edge device, such as an industrial router, firewall, or VPN concentrator. This is similar to the initial access vector for the Grid Connection Points (GCPs) in the Poland attacks in 2025 and the initial access vector for substations in the Denmark attacks in 2022.
- Converter compromise: The attacker compromises the serial-to-IP converter via vulnerable remote management protocols, authentication flaws, or RCE vulnerabilities disclosed in this research.
- Data manipulation: After achieving code execution on the converter, the attacker tampers with serial data traveling to or from the IP network. In our lab, we connected a serial thermometer to a simple SCADA application that displayed the lab’s ambient temperature. Before the attack, the application showed a stable temperature of roughly 24 °C. After the attack, the graph oscillated between -40 °C and +40 °C. Conversely, an attacker could also make an oscillating signal appear stable.
The feasibility and downstream impact of this final step depend on the targeted sector and the specific sensors and actuators in use. Examples include:
- Field signaling controllers used in railway signaling for remote operation
- Fire alarm systems in building management networks
- Gas pumps and automatic tank gauges (ATGs) in gas stations
Conclusion and Mitigation Recommendations
This research highlights weaknesses in serial-to-IP converters and the risks they can introduce in critical environments. As these devices are increasingly deployed to connect legacy serial equipment to IP networks, vendors and end-users should treat their security implications as a core operational requirement.
Based on the new vulnerabilities and attack scenarios we demonstrated, and supported by evidence of prior attacks and the availability of detailed deployment information through OSINT, we recommend that organizations patch vulnerable serial-to-IP converter devices as soon as possible:
- Lantronix has released two firmware updates that address the issues: 2.0.0R1 for EDS5000 series and 3.2.0.0R2 for EDS3000 series
- Silex has also released updates to address the issues
In addition to patching, we recommend:
- Replace default credentials, and prohibit weak passwords, to reduce the risk of exploiting authenticated vulnerabilities
- Segment networks to prevent threat actors from reaching vulnerable serial-to-IP converters, or using them to compromise other critical assets:
  - First, ensure these devices are not exposed to the internet
  - Then, implement strict access controls for management interfaces (such as the Web UI) so only pre-approved management workstations can access them
  - Finally, consider dedicated subnetworks or VLANs where converter devices are only allowed to communicate with the serial equipment they manage and the IP-side devices that require access to that data
- Monitor for exploitation attempts targeting serial-to-IP converters, and for anomalous communications to or from these devices
  - It is especially important to detect unusual communication patterns that suggest an attacker is targeting data read from or sent to the serial link
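The data-tampering scenario described earlier (a stable ~24 °C feed turned into a -40/+40 °C oscillation, or an oscillating signal made to look stable) and the monitoring recommendation above both come down to plausibility checks on the IP side of the converter. The following Python is an added example, not code from the report or from any vendor; the sensor limits, per-sample step threshold, frozen-value window and sample feeds are all assumed or constructed.

```python
"""Plausibility checks for sensor readings relayed by a serial-to-IP converter.

Constructed example: a temperature feed sampled once per second, as a SCADA
application would receive it after the converter forwards the serial data.
"""

# Assumed physical limits for an indoor thermometer and the largest change
# it could plausibly show between two consecutive one-second samples.
TEMP_MIN, TEMP_MAX = -10.0, 50.0
MAX_STEP_PER_SAMPLE = 2.0
# Assumed: a real sensor jitters, so this many identical readings in a row
# suggests the value is being pinned or replayed rather than measured.
FROZEN_WINDOW = 10


def check_readings(readings):
    """Return a list of (sample_index, reason) alerts for a sequence of floats."""
    alerts = []
    run = 1  # length of the current run of identical readings
    for i, value in enumerate(readings):
        if not TEMP_MIN <= value <= TEMP_MAX:
            alerts.append((i, f"out of range: {value}"))
        if i > 0:
            step = abs(value - readings[i - 1])
            if step > MAX_STEP_PER_SAMPLE:
                alerts.append((i, f"implausible jump: {step:.1f} per sample"))
            run = run + 1 if value == readings[i - 1] else 1
            if run == FROZEN_WINDOW:
                alerts.append((i, f"value pinned at {value} for {run} samples"))
    return alerts


# Constructed sample feeds: normal jitter, the oscillation seen in the lab
# scenario, and a feed frozen at a believable value.
NORMAL = [24.0, 24.1, 23.9, 24.0, 24.2, 24.1, 24.0, 23.9, 24.0, 24.1, 24.0, 24.2]
TAMPERED_OSCILLATING = [24.0, 24.1, -40.0, 40.0, -40.0, 40.0]
TAMPERED_PINNED = [24.0] * 12

if __name__ == "__main__":
    for name, feed in [("normal", NORMAL),
                       ("oscillating", TAMPERED_OSCILLATING),
                       ("pinned", TAMPERED_PINNED)]:
        print(name, check_readings(feed))
```

Thresholds have to be tuned per sensor; the point is that both tampering directions the report describes leave a signature that a simple monitor on the IP side can flag.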
Recommendations to vendors:
- Follow secure-by-design principles that treat security as a business requirement
- Implement a secure development lifecycle (SDLC) that embeds security into each phase of software development
- Use Linux kernel versions that are as recent as practical, and supported over a long lifecycle
- Maintain an inventory of software components shipped in firmware, and update those with known vulnerabilities
- Implement binary hardening to make exploitation more difficult
- Perform regular security testing of implemented protocols, software, devices, and platforms to identify issues before release, with particular focus on commonly targeted interfaces such as web management UIs
- Adopt well-vetted protocols, and signing and encryption algorithms
- Use asymmetric cryptography for firmware signing and signature verification
- Consider identifying devices exposed online and notifying customers about this misconfiguration