Bridge:Break: Vulnerabilities Thrive in Serial-to-Ethernet Converters
We discovered 22 new vulnerabilities in hardware from two device makers, Lantronix and Silex. Also known as ‘serial-to-IP’ converters and ‘serial device servers’, these innocuous ‘bridge’ devices are exploitable across critical infrastructure industries, including utilities, healthcare, manufacturing, retail, financial services, transportation, and more.
See the data and attack scenarios: denial of service, sensor and actuator data tampering, and lateral movement across the network.
- 22 new vulnerabilities
- 675 high-severity vulnerabilities per firmware image on average
- 63 critical-severity vulnerabilities per firmware image on average
- 10M serial-to-Ethernet converters estimated globally
Bridge Devices Are Widely Used and Linked to Attacks
These converters are necessary and widely deployed. They enable connectivity for medical devices in hospitals; for programmable logic controllers (PLCs), sensors, and actuators in factories; and for remote terminal units (RTUs), intelligent electronic devices (IEDs), and relays in electrical substations. In 2015, an attack against Ukraine intentionally corrupted the firmware of several serial-to-Ethernet converters, leaving electrical substations unable to be operated remotely. In 2025, these devices were again attacked in the Polish power grid.
Serial to Ethernet Converters in Utilities: Electrical Substations
Here is a simplified view of serial-to-IP converters in this architecture. While the figure shows a converter only on the substation side – with the control center SCADA operating over TCP/IP – some environments also use serial-to-IP converters in the control center to convert IP data back to serial for legacy applications.
Software Composition and Historical Vulnerabilities
We used the open-source EMBA tool to identify open-source software components in each firmware image, match the identified versions to known vulnerabilities, and evaluate binary hardening. We report component versions, the number of vulnerabilities, publicly available exploits, and binary hardening indicators as generated by EMBA. To keep the focus on cross-vendor security patterns rather than on individual vendors, we do not name the vendors behind the analyzed firmware; we identify vendors and models only where we discovered new vulnerabilities and coordinated disclosure.
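As an added illustration of the kind of binary hardening check such a firmware pipeline performs (example code written here, not EMBA's own implementation), the following Python reads an ELF64 program-header table and reports NX, PIE and RELRO indicators; the two input binaries are constructed minimal ELF images, not firmware from the analyzed devices.

```python
import struct

# ELF constants (from the ELF64 specification)
ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4
EHDR_FMT, PHDR_FMT = "<HHIQQQIHHHHHH", "<IIQQQQQQ"   # little-endian ELF64 header layouts


def hardening_report(data: bytes) -> dict:
    """Derive NX / PIE / RELRO indicators from an ELF64 image's program headers.

    Only the program-header table is inspected: NX comes from PT_GNU_STACK flags,
    PIE from an ET_DYN type, and partial RELRO from a PT_GNU_RELRO segment. Full
    RELRO additionally needs BIND_NOW in the dynamic section, which this
    simplified check does not read.
    """
    if data[:4] != ELF_MAGIC or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    e_type, _, _, _, e_phoff, _, _, _, phentsize, phnum, _, _, _ = struct.unpack_from(EHDR_FMT, data, 16)
    # nx stays False when PT_GNU_STACK is absent: no non-executable-stack guarantee
    report = {"nx": False, "pie": e_type == ET_DYN, "relro": "none"}
    for i in range(phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * phentsize)
        if p_type == PT_GNU_STACK:
            report["nx"] = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            report["relro"] = "partial"
    return report


def build_elf(e_type: int, stack_exec: bool, relro: bool) -> bytes:
    """Constructed minimal ELF64 (not loadable) carrying only the headers the checker reads."""
    phdrs = [(PT_GNU_STACK, PF_R | PF_W | (PF_X if stack_exec else 0))]
    if relro:
        phdrs.append((PT_GNU_RELRO, PF_R))
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\0" * 8      # 64-bit, little-endian, version 1
    ehdr = ident + struct.pack(EHDR_FMT, e_type, 0x3E, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    phtab = b"".join(struct.pack(PHDR_FMT, t, f, 0, 0, 0, 0, 0, 0x10) for t, f in phdrs)
    return ehdr + phtab


# Constructed samples: a legacy-style firmware binary versus a hardened build
LEGACY_BINARY = build_elf(ET_EXEC, stack_exec=True, relro=False)
HARDENED_BINARY = build_elf(ET_DYN, stack_exec=False, relro=True)

if __name__ == "__main__":
    for name, blob in (("legacy", LEGACY_BINARY), ("hardened", HARDENED_BINARY)):
        print(name, hardening_report(blob))
```

Running the same function over binaries extracted from a real firmware image gives the per-binary hardening picture that tools such as EMBA summarize across the whole image.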
Severity of Vulnerabilities and Exploit Availability
Not every vulnerability is equally severe, so we also examined severity and exploit availability. We break down historical vulnerabilities by CVSSv3 score and the number of publicly available exploits.
- On average, firmware images had 1,566 vulnerabilities with low or medium severity (68%), 675 with high severity (29%), and 63 with critical severity (3%).
- On average, firmware images had 89 publicly available exploits.
Serial to Ethernet Attack Scenario 1: Data Tampering in OT
The attacker gains access to a remote facility through an Internet-exposed edge device (router, firewall, or VPN concentrator), as happened in the Poland GCP incidents in 2025. The attacker then compromises the serial-to-Ethernet converter through vulnerable remote management protocols, authentication weaknesses, or RCE vulnerabilities. After gaining code execution, the attacker tampers with serial data traveling to or from the IP network.
Serial to Ethernet Attack Scenario 2: Denial of Service in Healthcare
Attacks could become part of a ransomware campaign or state-sponsored operation that extends beyond data disruption to affect medical devices. Targeting serial-to-IP converters can interrupt communications for multiple connected devices at once, disrupting diagnostic workflows and care delivery. In this scenario, the threat actor would need to:
- Weaponize the firmware: Modify it to trigger its effects immediately after installation or embed time-triggered logic.
- Deliver the firmware: Push the weaponized firmware to target devices. This could occur after compromising the IT network and exploiting a vulnerability to upload firmware remotely or through a targeted phishing campaign that persuades biomedical engineers to install a malicious ‘security firmware update’.
Once activated, the weaponized firmware could cause converters to stop responding on the network, causing:
- Analyzers to stop reporting results to laboratory information systems, creating processing backlogs.
- Surgical lighting controllers to become unresponsive to remote commands.
- Infusion pump calibration and certification workflows to be halted.
- Telemetry from environmental sensors to be interrupted.
- Patient monitors to lose network connectivity.
How Forescout Helps
Discover. Assess. Control. Govern.
Your journey to Universal Zero Trust Network Access starts with the Forescout 4D platform™: the only platform for UZTNA powered by agentic AI. Continuously identify, protect, and ensure the compliance of all assets – IT, IoT, IoMT and OT – regardless of location, automatically. Deliver cloud-native network security intelligence boosted by agentic workflows from the pioneer of traditional NAC.
Shift from reactive firefighting to proactive risk management. Get continuous visibility into what’s actually exposed across every connected asset — managed or not, physical or virtual. The result? Priorities managed. Peace of mind.