Serial-to-IP converters form a central interface in industrial networking. They enable communication between older serial field devices and modern, IP-based networks. This device class is widely deployed in Operational Technology (OT) because it allows the integration of legacy systems into current infrastructures without requiring costly hardware replacement. However, due to their often inconspicuous integration and long operational cycles, they represent a particular risk for network security that frequently falls outside the focus of classical IT security strategies. The magnitude of this problem is illustrated by research findings on the vulnerabilities of these components.
Forescout Vedere Labs has disclosed 22 new vulnerabilities in serial-to-IP converters under the name BRIDGE:BREAK. The affected devices come from the Lantronix EDS series and the Silex SD-330AC, typical bridge devices between old serial industrial technology and modern IP networks. Forescout estimates the global inventory at over ten million devices; a Shodan search lists approximately 20,000 of them as openly accessible from the internet.
The discussion around this device class has been ongoing for years. As early as 2018, Bitdefender drew attention in a detailed article to the vulnerabilities CVE-2018-8869 and CVE-2018-8865 in a Lantech IDS-2102, pointing out that it had a web interface with insufficient input validation and a classic stack-based buffer overflow in the ser2net configuration. Lantech did not provide a patch at the time, and the manufacturer ended support for the device. BRIDGE:BREAK now shows that the fundamental situation has not changed.
What Serial-to-IP Converters Do and Why They Are Almost Everywhere
A serial-to-IP converter, also known as a serial device server or serial-to-Ethernet adapter, translates data streams between classical serial interfaces such as RS-232, RS-422, or RS-485 and a TCP/IP network. It receives telegrams from an old control system on its serial side and packages them into TCP or UDP packets for the backbone; in the reverse direction, it translates IP traffic back into serial commands for the field device. The device class solves a simple problem: industrial plants, utilities, and hospitals operate with machines that are sometimes twenty or thirty years old and do not have an Ethernet interface. Instead of replacing these machines, which is often technically and financially impossible, operators insert a converter.
The applications span industries. In substations, converters transmit values from protective relays and remote terminal units to control centers; in water treatment plants, sensor data and pump commands; in production lines, communication with CNC machines and PLC systems; in railway signal technology, telegrams from field devices. In retail, barcode scanners and point-of-sale peripherals are connected to serial adapters; in hospitals, patient monitors, laboratory analyzers, and infusion pump interfaces; in data centers, out-of-band management of switches and UPS systems; at gas stations, level sensors from tank gauges.
What BRIDGE:BREAK Shows Technically
The 22 newly documented vulnerabilities are distributed across three model series: Lantronix EDS3000PS and EDS5000PS as well as Silex SD-330AC. In the EDS5000PS, there are five separate remote code execution vulnerabilities: two of them have a CVSS score of 9.8, and three more fall in the high range and require authentication. In the EDS3000PS, the vulnerability (CVE-2025-70082) also has a CVSS score of 9.8.
In addition, Forescout documents buffer overflows, OS command injection in management functions, arbitrary file upload, authentication bypass, firmware manipulation via hardcoded signature keys, and disclosure of passwords and cryptographic keys through weak encryption. A demonstration at Black Hat Asia 2026 shows the practical consequences. Daniel dos Santos, head of security research at Vedere Labs, places a compromised converter between a thermometer and the IP network; the values are altered in transit. In the same setup, a scanned barcode changes into a different character string during transmission, and the application logic does not detect the swap.
Beyond the newly disclosed vulnerabilities, the research provides a second troubling finding. Forescout analyzed the software stacks of the converters and counted an average of 212 known vulnerabilities per firmware image; the devices' older Linux kernel versions carry on average 2,255 documented bugs; and on average, there are 89 publicly available exploits per firmware image. Address Space Layout Randomization, a standard hardening measure against memory attacks, is completely absent on most devices. This means that the majority of converters in their shipped state operate at a security level that has been outdated on standard Linux servers for over a decade.
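A firmware-audit check related to the ASLR finding above, as an added example (not code from Forescout or the vendors): the kernel can only randomize the base address of executables built as position-independent, so the script lists ELF executables in an unpacked root filesystem that load at a fixed address. The file names and the 18-byte ELF prefixes are constructed sample input.

```python
import struct
import tempfile
from pathlib import Path

ET_EXEC, ET_DYN = 2, 3  # ELF e_type: fixed load address vs. PIE/shared object

def elf_load_kind(data: bytes):
    """Return (bits, endianness, kind) for ELF data, or None for anything else."""
    if len(data) < 18 or data[:4] != b"\x7fELF":
        return None
    bits = {1: 32, 2: 64}.get(data[4])        # EI_CLASS
    endian = {1: "<", 2: ">"}.get(data[5])    # EI_DATA: little / big
    if bits is None or endian is None:
        return None                           # corrupt ident bytes
    # e_type is at offset 16 in the file's own byte order (firmware is often big-endian)
    (e_type,) = struct.unpack_from(endian + "H", data, 16)
    kind = {ET_EXEC: "fixed", ET_DYN: "pie_or_shared"}.get(e_type, "other")
    return bits, "little" if endian == "<" else "big", kind

def audit_tree(root):
    """Return sorted relative paths of fixed-address ELF executables under root."""
    fixed = []
    for path in Path(root).rglob("*"):
        if path.is_symlink() or not path.is_file():
            continue                          # skip busybox-style links and device nodes
        with path.open("rb") as fh:
            info = elf_load_kind(fh.read(18))
        if info and info[2] == "fixed":
            fixed.append(path.relative_to(root).as_posix())
    return sorted(fixed)

def make_sample_elf(bits: int, big_endian: bool, e_type: int) -> bytes:
    """Constructed 18-byte ELF prefix (e_ident + e_type) used as sample input."""
    ident = b"\x7fELF" + bytes([1 if bits == 32 else 2, 2 if big_endian else 1, 1])
    return ident.ljust(16, b"\0") + struct.pack((">" if big_endian else "<") + "H", e_type)

def demo():
    """Build a constructed root filesystem with three files and audit it."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, "bin").mkdir()
        samples = {"bin/httpd": make_sample_elf(32, True, ET_EXEC),   # hypothetical names
                   "bin/tool": make_sample_elf(64, False, ET_DYN),
                   "bin/start.sh": b"#!/bin/sh\n"}
        for rel, blob in samples.items():
            Path(root, rel).write_bytes(blob)
        return audit_tree(root)

if __name__ == "__main__":
    print(demo())
```

`audit_tree` takes the directory into which a firmware image has been unpacked; the kernel's own ASLR setting on the running device is a separate check.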
Why This Device Class Becomes a Blind Spot
Serial-to-IP converters are small and inconspicuous, and they are installed at some point during a modernization project; after connection, they run for years without attention. Classical CMDB entries are often missing; vulnerability scanners for servers do not recognize the firmware; patch pipelines do not capture the devices. There is also a second visibility gap. From publicly available documents, attackers can derive the manufacturer, model, internal IP addresses, and sometimes even photos from real substations or water treatment plants. Attackers combine this OSINT data with targeted Shodan searches and thus find preselected targets without sending a single packet onto the network.