CISA Confirms Active Exploitation of CVE-2025-67038 in Lantronix EDS5000 Serial Converters

The flaw resides in the unauthenticated HTTP RPC logging path where the username parameter is concatenated directly into a root shell command. Forescout disclosed the issue in April 2026 as part of the BRIDGE:BREAK cluster affecting multiple serial-to-Ethernet converters. Procurement records show EDS5000 units remain common in utility SCADA, manufacturing PLC uplinks, and building management systems where patching cycles exceed 18 months.

CISA's directive to FCEB agencies by 26 June 2026 is narrower than the exposure surface. No independent telemetry has attributed the observed exploitation to a named actor, yet the devices sit at the exact perimeter where IT and OT networks converge. This mirrors the recent Ubiquiti UniFi chain (CVE-2026-34908/09/10) that Defused Cyber observed delivering commodity loaders into centrally managed infrastructure.

Serial converters have received less scrutiny than firewalls or HMIs despite equivalent root access and minimal logging. Contract awards for Lantronix and Silex hardware continue without updated SBOM requirements, leaving the same code paths open across vendors. The pattern indicates adversaries are prioritizing low-visibility edge devices that survive standard network segmentation.

Next milestones include public release of the Forescout BRIDGE:BREAK exploit modules and any new CVE entries for remaining affected firmware versions. Agencies that delay beyond the CISA deadline will extend the window for lateral movement into downstream control systems.