
Serial-to-IP Converters as a Security Risk for IT and OT

Serial-to-IP converters form a central interface in industrial networking. They enable communication between older serial field devices and modern, IP-based networks. This device class is widely distributed in Operational Technology (OT) since it permits the integration of legacy systems into current infrastructure without requiring costly hardware replacement. Due to their often inconspicuous integration and long operational cycles, however, they pose a particular risk to network security that frequently lies outside the focus of classical IT security strategies. The scope of this problem is illustrated by research findings on the vulnerability of these components.

Forescout Vedere Labs has disclosed 22 new vulnerabilities in serial-to-IP converters under the name BRIDGE:BREAK and published them in a report. The affected devices are the Lantronix EDS series and the Silex SD-330AC, typical bridge devices between older serial industrial technology and modern IP networks. Forescout estimates the global installed base at over ten million devices; a Shodan search lists nearly 20,000 of them as openly accessible from the internet.

Discussion of this device class has been ongoing for years. As early as 2018, Bitdefender drew attention in a detailed article to the vulnerabilities CVE-2018-8869 and CVE-2018-8865 in a Lantech IDS-2102, highlighting flaws that included a web interface with insufficient input validation and a classic stack-based buffer overflow in the ser2net configuration. Lantech provided no patch at that time; the manufacturer ended support for the device. BRIDGE:BREAK now shows that the fundamental situation has not changed.

What Serial-to-IP Converters Do and Why They Are Everywhere

A serial-to-IP converter, also known as a Serial Device Server or Serial-to-Ethernet Adapter, translates data streams between classic serial interfaces such as RS-232, RS-422, or RS-485 and a TCP/IP network. It receives telegrams from an old controller at its serial port and packs them into TCP or UDP packets for the backbone; in the reverse direction it translates IP traffic back into serial commands for the field device. The device class solves a simple problem: industrial plants, utilities, and hospitals operate with machines that are sometimes twenty or thirty years old and do not have an Ethernet interface. Rather than replacing these machines, which is often technically and financially impossible, operators insert a converter.

Applications span many industries. In power substations, converters transmit values from protective relays and remote terminal units to control centers; in water treatment plants they transport sensor data and pump commands; in production lines they handle communication with CNC machines and PLC systems; in railway signaling technology they relay telegrams from trackside field devices. In retail, barcode scanners and checkout peripherals are attached to serial adapters; in hospitals, so are patient monitors, laboratory analyzers, and infusion pump interfaces; in data centers, out-of-band management of switches and UPS systems runs over them; at gas stations, they connect the level sensors of tank gauges.

What BRIDGE:BREAK Shows Technically

The 22 newly documented vulnerabilities are distributed across three model series: the Lantronix EDS3000PS and EDS5000PS and the Silex SD-330AC. The EDS5000PS contains five separate remote code execution flaws: two with a CVSS score of 9.8 and three more in the high range that require authentication. The EDS3000PS also has a vulnerability (CVE-2025-70082) with a CVSS score of 9.8.

Beyond this, Forescout documents buffer overflows, OS command injection in management functions, arbitrary file upload, authentication bypass, firmware manipulation via hardcoded signature keys, and exposure of passwords and cryptographic keys through weak encryption. A demonstration at Black Hat Asia 2026 shows the practical consequences. Daniel dos Santos, head of security research at Vedere Labs, inserts a compromised converter between a thermometer and the IP network; the values are altered in transit. In the same setup, a scanned barcode changes to a different character sequence during transmission—the application logic does not detect the switch.

Beyond the newly disclosed vulnerabilities, the research delivers a second alarming finding. Forescout analyzed the software stacks of the converters and counted an average of 212 known vulnerabilities per firmware image; the Linux kernels in the devices, which are older versions, carry an average of 2,255 documented bugs; and on average there are 89 publicly available exploits per firmware image. Address Space Layout Randomization, a standard hardening measure against memory attacks, is completely absent on most devices. This means that a large share of converters leave the factory at a security level that has been superseded on standard Linux servers for over a decade.
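One check an operator can run on a firmware image they have unpacked themselves, as an added example that is not taken from the Forescout report: ASLR can only relocate code that was built position-independent, so the script lists ELF files linked at a fixed base address or marked with an executable stack. The function names and the constructed sample header are assumptions of this example.

```python
import os
import struct

ET_EXEC, ET_DYN, PT_GNU_STACK, PF_X = 2, 3, 0x6474E551, 0x1  # ELF constants

def elf_hardening(data):
    """Return hardening facts for one ELF image, or None if it is not ELF."""
    if len(data) < 52 or data[:4] != b"\x7fELF" or data[4] not in (1, 2):
        return None
    is64 = data[4] == 2                    # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    if is64 and len(data) < 64:
        return None
    end = "<" if data[5] == 1 else ">"     # EI_DATA: 1 = little, 2 = big endian
    e_type = struct.unpack_from(end + "H", data, 16)[0]
    phoff = struct.unpack_from(end + ("Q" if is64 else "I"), data, 32 if is64 else 28)[0]
    phentsize, phnum = struct.unpack_from(end + "HH", data, 54 if is64 else 42)
    exec_stack = None                      # None: no PT_GNU_STACK header found
    for i in range(phnum):
        off = phoff + i * phentsize
        if off + (56 if is64 else 32) > len(data):
            break                          # headers beyond the bytes we were given
        if struct.unpack_from(end + "I", data, off)[0] == PT_GNU_STACK:
            flags = struct.unpack_from(end + "I", data, off + (4 if is64 else 24))[0]
            exec_stack = bool(flags & PF_X)
    # ET_EXEC is linked at a fixed address, so ASLR cannot move its code;
    # ET_DYN (PIE executables and shared libraries) can be relocated.
    return {"position_independent": e_type == ET_DYN,
            "fixed_base": e_type == ET_EXEC, "exec_stack": exec_stack}

def audit_rootfs(root):
    """Walk an unpacked firmware tree and list ELF files that need attention."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            with open(path, "rb") as fh:
                info = elf_hardening(fh.read(4096))
            if info and (info["fixed_base"] or info["exec_stack"]):
                findings.append((os.path.relpath(path, root), info))
    return sorted(findings, key=lambda f: f[0])

def sample_elf32(e_type, stack_flags):
    """Constructed input: minimal big-endian ELF32 header plus one PT_GNU_STACK."""
    ident = b"\x7fELF" + bytes([1, 2, 1]) + bytes(9)
    hdr = struct.pack(">HHIIIIIHHHHHH", e_type, 8, 1, 0, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    phdr = struct.pack(">IIIIIIII", PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 16)
    return ident + hdr + phdr
```

Whether the running kernel randomizes at all is a separate runtime setting (`/proc/sys/kernel/randomize_va_space` on Linux) that a static image scan cannot confirm.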

Why This Device Class Becomes a Blind Spot

Serial-to-IP converters are small and inconspicuous; they are installed in the course of a modernization project and then run for years without attention. Classic CMDB entries are often missing, vulnerability scanners built for servers do not know their firmware, and patch pipelines do not capture the devices. There is a second layer to this visibility gap. From publicly available documents, attackers can derive the manufacturer, model, internal IP addresses, and sometimes even photos from real power substations or water treatment plants. Attackers combine this OSINT data with targeted searches via Shodan and find preselected targets this way, without sending a single packet to the network.
