CISA adds CVE-2025-67038 to KEV after April honeypot hits on patched Lantronix EDS5000

Forescout observed targeted exploitation in an EDS5000 honeypot on April 5, days after Lantronix issued a patch but before public BRIDGE:BREAK disclosure. Activity included device-specific fingerprinting and automated command injection testing inconsistent with generic botnets or mass scanners, indicating actors reverse-engineered the fix. ZoomEye data shows thousands of exposed Lantronix devices, predominantly in the United States, though exact vulnerable EDS5000 counts remain unquantified.

The vulnerability enables full device compromise as an initial foothold for lateral movement, C2 establishment, data exfiltration, and configuration tampering across OT networks. This aligns with BRIDGE:BREAK demonstrations of sensor data manipulation in industrial and healthcare settings to mask hazards or trigger disruptions. Official CISA guidance mandates federal remediation by June 26, yet no public incident reports specify victim sectors or confirm independent technical attribution beyond honeypot telemetry.

Procurement records and job postings for serial-to-IP gateways in utilities and manufacturing reveal persistent exposure patterns that predate the April activity. The absence of Lantronix public response and limited post-KEV telemetry suggest underreporting of OT impacts on supply-chain-adjacent infrastructure.

Unpatched internet-exposed devices will likely see continued targeted probing; defenders should correlate EDS5000 logs against known malicious username payloads and restrict serial-to-IP exposure via network segmentation.