Serial-to-IP Devices Hide Thousands of Old and New Bugs
Dark Reading (archived Apr 20, 2026)
The OT devices that translate machine talk into Internet-speak are riddled with vulnerabilities and more frequently targeted for attacks, researchers say.
Nate Nelson, Contributing Writer
April 20, 2026
Researchers have identified 20 new vulnerabilities in popular models of serial-to-IP converters — devices that sit at the heart of modern industrial networks. Even more worryingly, the same researchers counted thousands of known vulnerabilities in these very same devices' software stacks.
Complex on the inside, serial-to-IP converters — also known as serial device servers, or serial-to-Ethernet converters — do a relatively straightforward job: they translate the language of old industrial machinery into Internet-speak, and vice versa. It goes without saying just how significant this job is: without it, plant operators wouldn't be able to monitor older machinery from the comfort of their newfangled computers.
It may not come as a surprise, then, that serial-to-IP converters are often a target in major operational technology (OT) cyberattacks. In some of the most significant incidents in history — from the 2015 Ukrainian power grid attack to last year's attack against Poland — serial converters were manipulated in order to cut the line between plant operators and their machines, and delay recovery.
One might imagine that these devices will become less important over time, as industries gradually adopt Internet-age industrial machines and phase out older behemoths. In fact, the opposite is true: industry analysts expect the market to rise continuously, if not double over the coming decade, as the behemoths stay in place, and the need for supervisory control and data acquisition (SCADA) grows in manufacturing, healthcare, and other major sectors.
It could be a problem, then, that serial-to-IP devices are universally built upon outdated libraries and old or even end-of-life operating systems (OS), and that they're buggy to the high heavens. At Black Hat Asia (BHA) 2026, researchers from Forescout will reveal the results of a study of these devices, in which they found nearly two dozen new vulnerabilities in a couple of popular models, and potentially thousands of old vulnerabilities across all major alternatives.
Critical Vulnerabilities in Serial Converters
With a few assumptions along the way, Forescout estimated that there might be more than 10 million serial device servers in the world today. A couple tens of thousands of them are inadvisably discoverable on the open Web.
Forescout's study focused on three popular models of converter from two of the larger vendors in the space: Lantronix's EDS3000PS and EDS5000PS, and Silex's SD330-AC. They found eight previously undisclosed bugs in the Lantronix models, and 12 affecting Silex.
Some of those bugs were quite severe. The EDS5000PS contained five separate remote code execution (RCE) vulnerabilities, two earning "critical" Common Vulnerability Scoring System (CVSS) ratings of 9.8 out of 10, and three more of high severity, limited only by an authentication requirement to exploit. Another 9.8 out of 10 issue in the EDS3000PS, CVE-2025-70082, was even worse: it derived from the simple fact that a user could change the device's password from its Web interface, without even having to type in the old password. Thus, an attacker could both take over the device and lock out its administrators in one go.
At Black Hat, the researchers will demonstrate the kinds of real-world consequences you can enact by rooting the devices at the heart of industrial networks. Daniel dos Santos, head of security research at Forescout, previews the demo. "We'll have a device that is connected, for instance, to a thermometer or to a barcode reader, and once you read a barcode, when it transmits via the IP network, it turns into another barcode. So you can change the data that is traveling through, or you can change some data that is being sensed or acted on in the physical world."
Thousands of Bugs in Serial-to-IP Software Stacks
If the issue with serial-to-IP devices today were limited to newfound vulnerabilities discovered by researchers or vendors every so often, that would be one thing. Organizations would do their best to patch and call it a day.
Besides just hunting for new vulnerabilities, though, Forescout scanned the tech stacks underpinning these devices: what OS they're running and which libraries, for example. Some, they found, contained just a dozen or two dozen components. Others had many dozens, and one model had 248 moving parts. Between all those parts, surely, there were more vulnerabilities to be found.
Forescout anonymized the results of this part of its study "to focus on cross-vendor security patterns," or maybe because the findings were so problematic. It found that, on average, each serial-to-IP firmware image was riddled with 212 known vulnerabilities affecting its open source (OSS) components. And because they all run ancient versions of Linux, each device's kernel contained an average of 2,255 bugs.
Of all the bugs affecting these devices, around 68% were characterized as low- or medium-severity, with 29% considered high-severity. Some 63 of the bugs were outright critical. On average, these firmware images were vulnerable to 89 publicly available exploits. "The fact that devices continue to run older versions of firmware and continue to have hundreds, in some cases thousands of vulnerabilities that are present in those components is very worrying," dos Santos says. But he adds that because this stage of the research was cursory, it's possible that not all these vulnerabilities are eminently exploitable, due to nuances of the devices' architecture or configurations.
Besides patching — notoriously difficult for certain kinds of devices at always-on industrial sites — there are also binary hardening techniques for Linux that could help keep attackers out. For example, exploits might not work as reliably on a Linux device that implements address space layout randomization (ASLR), a technique for randomizing where code and data live in a device's memory.
Unfortunately, dos Santos reports, "We continue to see that this type of hardening is not applied across the board in these devices. So memory positions are always the same. You have libraries in memory that you can reuse, where whatever executable you are injecting code into will run it. All of that can be prevented with modern binary hardening and exploitation mitigation techniques."
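One way a defender can audit binaries extracted from a firmware image for the hardening discussed above, as an added example that is not from the article or from Forescout's research: it reads the ELF header and program headers directly and reports whether an image is position-independent (needed for ASLR to relocate it), has a non-executable stack, and uses RELRO. The function and sample names are hypothetical, and the two inputs are constructed header-only samples, not real device binaries.

```python
import struct

ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_GNU_STACK, PT_GNU_RELRO = 1, 0x6474E551, 0x6474E552
PF_X = 0x1

def elf_hardening(blob: bytes) -> dict:
    """Report PIE, non-executable stack and RELRO for one ELF image."""
    if len(blob) < 16 or blob[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = blob[4] == 2                      # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    end = "<" if blob[5] == 1 else ">"       # EI_DATA: 1 = little, 2 = big endian
    if len(blob) < (64 if is64 else 52):
        raise ValueError("truncated ELF header")
    e_type = struct.unpack_from(end + "H", blob, 16)[0]
    if is64:
        phoff = struct.unpack_from(end + "Q", blob, 32)[0]
        phentsize, phnum = struct.unpack_from(end + "HH", blob, 54)
    else:
        phoff = struct.unpack_from(end + "I", blob, 28)[0]
        phentsize, phnum = struct.unpack_from(end + "HH", blob, 42)
    if phnum and phentsize < (56 if is64 else 32):
        raise ValueError("bad program header size")
    # ET_DYN is required for ASLR to move the main image (shared objects are ET_DYN too).
    # A missing PT_GNU_STACK is reported as an executable stack, the conservative reading.
    report = {"pie": e_type == ET_DYN, "nx_stack": False, "relro": False}
    for i in range(phnum):
        off = phoff + i * phentsize
        if off + phentsize > len(blob):
            raise ValueError("program header table runs past end of file")
        p_type = struct.unpack_from(end + "I", blob, off)[0]
        p_flags = struct.unpack_from(end + "I", blob, off + (4 if is64 else 24))[0]
        if p_type == PT_GNU_STACK:
            report["nx_stack"] = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            report["relro"] = True           # partial or full; DT_BIND_NOW not checked
    return report

def make_sample(e_type, segments, end=">"):
    """Constructed 32-bit ELF header plus program headers (demo input, not real firmware)."""
    ident = b"\x7fELF" + bytes([1, 1 if end == "<" else 2, 1]) + bytes(9)
    ehdr = ident + struct.pack(end + "HHIIIIIHHHHHH", e_type, 8, 1, 0, 52, 0, 0,
                               52, 32, len(segments), 0, 0, 0)
    return ehdr + b"".join(struct.pack(end + "8I", t, 0, 0, 0, 0, 0, f, 4)
                           for t, f in segments)

LEGACY = make_sample(ET_EXEC, [(PT_LOAD, 5), (PT_GNU_STACK, 7)])
HARDENED = make_sample(ET_DYN, [(PT_LOAD, 5), (PT_GNU_STACK, 6), (PT_GNU_RELRO, 4)])

if __name__ == "__main__":
    for name, blob in (("legacy", LEGACY), ("hardened", HARDENED)):
        print(name, elf_hardening(blob))
```

System-wide ASLR on a running Linux device is a separate kernel setting, readable from `/proc/sys/kernel/randomize_va_space`.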
About the Author
Nate Nelson
Contributing Writer
Nate Nelson is a journalist and scriptwriter. He writes for "Darknet Diaries" — the most popular podcast in cybersecurity — and co-created the former Top 20 tech podcast "Malicious Life." Before joining Dark Reading, he was a reporter at Threatpost.