
Serial-to-IP Converter Flaws Expose OT and Healthcare Systems to Hacking

Security Week · Archived Apr 20, 2026

Forescout researchers discovered 20 new vulnerabilities in Lantronix and Silex products and described theoretical attack scenarios.


Serial-to-IP converters are affected by potentially serious vulnerabilities that can expose operational technology (OT), healthcare, and other types of systems to remote attacks. Serial-to-IP converters, also known as serial device servers, are hardware devices that bridge legacy serial equipment to modern Ethernet/IP networks, allowing old industrial control systems (ICS) and other OT devices to communicate remotely. Researchers at network security and threat detection company Forescout Technologies have analyzed these devices and found numerous vulnerabilities that could be valuable to threat actors.

Serial-to-IP converters are used in sectors such as industrial, telecoms, retail, healthcare, energy and utilities, and transportation. The devices are made by several major companies, including Moxa, Digi, Advantech, Perle, Lantronix, and Silex. Some of these vendors have reported deploying millions of devices, and a Shodan search shows nearly 20,000 internet-exposed systems worldwide.

“Using open-source intelligence (OSINT), attackers can find details about some of these devices, including internal IP addresses, model and vendor names, and photographs from electrical substations, water treatment plants, and other critical infrastructure environments,” Forescout researchers explained.

In addition to internet-exposed devices, attackers could target serial-to-IP converters on local networks, which can be compromised via vulnerabilities or misconfigurations in edge devices such as routers and firewalls. Forescout’s research, which focused on Silex and Lantronix devices, led to the discovery of 20 new vulnerabilities across the two vendors’ products, including weaknesses that can be exploited without authentication.

The vulnerabilities, collectively tracked as BRIDGE:BREAK, can be exploited for OS command injection and remote code execution, firmware tampering, denial-of-service (DoS) attacks, and device takeovers. Some of the flaws can allow attackers to upload arbitrary files, bypass authentication, and obtain information.

Forescout researchers showed the potential impact of these vulnerabilities in real-world environments. They demonstrated how an attacker could exploit the flaws to tamper with data, for instance, manipulating sensor readings in industrial and healthcare environments to conceal dangerous conditions that would normally require human intervention.

In another scenario, the researchers described how an extortion group or a state-sponsored threat actor could cause a DoS condition in a healthcare environment by delivering malicious firmware to devices. “Once activated, the weaponized firmware could cause serial-to-IP converters to stop responding on the network. Potential impacts include: analyzers stop reporting results to laboratory information systems, creating processing backlogs; surgical lighting controllers become unresponsive to remote commands; infusion pump calibration and certification workflows are halted; telemetry from environmental sensors is interrupted; patient monitors lose network connectivity,” the researchers explained.

Lantronix and Silex have both been notified and they have released patches. The cybersecurity agency CISA recently published an advisory describing the Lantronix vulnerabilities. Silex has published an advisory on its own website.

It’s important for organizations not to ignore the risks posed by the use of serial-to-IP converters, as these devices have been targeted in the wild. They were targeted by Russian hackers in the 2015 Ukraine energy attack and, more recently, in attacks targeting energy facilities in Poland.

Forescout will publish a report detailing the BRIDGE:BREAK vulnerabilities on Tuesday, April 21.

Written by Eduard Kovacs (@EduardKovacs), senior managing editor at SecurityWeek.

Source: Security Week
Category: Industry News & Leadership
Published: Apr 20, 2026
Archived: Apr 20, 2026