Researchers have identified 20 new vulnerabilities in popular models of serial-to-IP converters — devices that sit at the heart of modern industrial networks. Even more worryingly, the same researchers counted thousands of known vulnerabilities in these very same devices' software stacks.
Complex on the inside, serial-to-IP converters — also known as serial device servers, or serial-to-Ethernet converters — do a relatively straightforward job: they translate the language of old industrial machinery into Internet-speak, and vice versa. It goes without saying just how significant this job is: without it, plant operators wouldn't be able to monitor older machinery from the comfort of their newfangled computers.
It may not come as a surprise, then, that serial-to-IP converters are often a target in major operational technology (OT) cyberattacks. In some of the most significant incidents in history — from the 2015 Ukrainian power grid attack to last year's attack against Poland — serial converters were manipulated in order to cut the line between plant operators and their machines, and delay recovery.
One might imagine that these devices will become less important over time, as industries gradually adopt Internet-age industrial machines and phase out older behemoths. In fact, the opposite is true: industry analysts expect the market to rise continuously, if not double over the coming decade, as the behemoths stay in place, and the need for supervisory control and data acquisition (SCADA) grows in manufacturing, healthcare, and other major sectors.
It could be a problem, then, that serial-to-IP devices are universally built upon outdated libraries and old or even end-of-life operating systems (OS), and that they're buggy to the high heavens. At Black Hat Asia (BHA) 2026, researchers from Forescout will reveal the results of a study of these devices, in which they found nearly two dozen new vulnerabilities in a couple of popular models, and potentially thousands of old vulnerabilities across all major alternatives.
Critical Vulnerabilities in Serial Converters
With a few assumptions along the way, Forescout estimated that there might be more than 10 million serial device servers in the world today. A few tens of thousands of them are, inadvisably, discoverable on the open Web.
Forescout's study focused on three popular models of converter from two of the larger vendors in the space: Lantronix's EDS3000PS and EDS5000PS, and Silex's SD330-AC. They found eight previously undisclosed bugs in the Lantronix models, and 12 affecting Silex.
Some of those bugs were quite severe. The EDS5000PS contained five separate remote code execution (RCE) vulnerabilities, two earning "critical" Common Vulnerability Scoring System (CVSS) ratings of 9.8 out of 10, and three more of high severity, limited only by an authentication requirement to exploit. Another 9.8 out of 10 issue in the EDS3000PS, CVE-2025-70082, was even worse: it derived from the simple fact that a user could change the device's password from its Web interface, without even having to type in the old password. Thus, an attacker could both take over the device and lock out its administrators in one go.
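The flaw class behind CVE-2025-70082, an unverified password change, is easiest to see beside its hardened form. This is an added example, not Lantronix's code: the credential store, the session dictionary and the form fields are stand-ins constructed for the demonstration.

```python
"""Self-service password change: the unverified pattern the article describes
beside a hardened handler. Added example; AdminStore and the form are constructed."""
import hashlib
import hmac
import os


def _hash(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


class AdminStore:
    """Constructed single-admin credential store holding a salted PBKDF2 digest."""
    def __init__(self, password: str):
        self.salt = os.urandom(16)
        self.digest = _hash(password, self.salt)
        self.session_epoch = 0          # bumped to invalidate every issued session

    def verify(self, password: str) -> bool:
        return hmac.compare_digest(_hash(password, self.salt), self.digest)


def change_password_unverified(store: AdminStore, form: dict) -> bool:
    """Vulnerable pattern: the form carries only the new password, so anyone who
    can reach the endpoint replaces the credential and locks the real admin out."""
    store.salt = os.urandom(16)
    store.digest = _hash(form["new"], store.salt)
    return True


def change_password_hardened(store: AdminStore, session: dict, form: dict) -> bool:
    """Hardened: a session-bound CSRF token, re-authentication with the current
    password, a minimal policy on the new one, then forced re-login everywhere."""
    if not hmac.compare_digest(form.get("csrf", ""), session.get("csrf", "")):
        return False
    current, new = form.get("current", ""), form.get("new", "")
    if not store.verify(current):
        return False                    # wrong or missing current password: no change
    if len(new) < 12 or new == current:
        return False
    store.salt = os.urandom(16)
    store.digest = _hash(new, store.salt)
    store.session_epoch += 1            # every existing session must log in again
    return True
```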
At Black Hat, the researchers will demonstrate the kinds of real-world consequences you can enact by rooting the devices at the heart of industrial networks. Daniel dos Santos, head of security research at Forescout, previews the demo. "We'll have a device that is connected, for instance, to a thermometer or to a barcode reader, and once you read a barcode, when it transmits via the IP network, it turns into another barcode. So you can change the data that is traveling through, or you can change some data that is being sensed or acted on in the physical world."
Thousands of Bugs in Serial-to-IP Software Stacks
If the issue with serial-to-IP devices today were limited to newfound vulnerabilities discovered by researchers or vendors every so often, that would be one thing. Organizations would do their best to patch and call it a day.
Besides just hunting for new vulnerabilities, though, Forescout scanned the tech stacks underpinning these devices: what OS they're running and which libraries, for example. Some, they found, contained just a dozen or two dozen components. Others had many dozens, and one model had 248 moving parts. Between all those parts, surely, there were more vulnerabilities to be found.
Forescout anonymized the results of this part of its study "to focus on cross-vendor security patterns," or maybe because the findings were so problematic. It found that, on average, each serial-to-IP firmware image was riddled with 212 known vulnerabilities affecting its open source software (OSS) components. And because they all run ancient versions of Linux, each device's kernel contained an average of 2,255 bugs.
Of all the bugs affecting these devices, around 68% were characterized as low- or medium-severity, with 29% considered high-severity. Some 63 of the bugs were outright critical. On average, these firmware images were vulnerable to 89 publicly available exploits. "The fact that devices continue to run older versions of firmware and continue to have hundreds, in some cases thousands of vulnerabilities that are present in those components is very worrying," dos Santos says. But he adds that because this stage of the research was cursory, it's possible that not all these vulnerabilities are eminently exploitable, due to nuances of the devices' architecture or configurations.
Besides patching — notoriously difficult for certain kinds of devices at always-on industrial sites — there are also binary hardening techniques for Linux that could help keep attackers out. For example, exploits might not work as reliably on a Linux device that implements address space layout randomization (ASLR), a technique for randomizing where code and data live in a device's memory.
Unfortunately, dos Santos reports, "We continue to see that this type of hardening is not applied across the board in these devices. So memory positions are always the same. You have libraries in memory that you can reuse, where whatever executable you are injecting code into will run it. All of that can be prevented with modern binary hardening and exploitation mitigation techniques."
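Whether a firmware image carries the hardening dos Santos describes can be checked from the binaries alone: a position-independent executable (ET_DYN) lets ASLR randomise its base, PT_GNU_STACK without the execute flag gives a non-executable stack, and PT_GNU_RELRO plus eager binding removes a writable GOT. The checker below is an added example, not Forescout's tooling; it parses only the ELF64 header, program headers and dynamic entries, and `build_sample` constructs headers-only images so it runs offline.

```python
"""ELF64 hardening check (PIE, NX stack, RELRO) for binaries carved from firmware.
Added example, not Forescout's tooling; runs offline on the constructed sample."""
import struct

PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
PF_X, DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 1, 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

def elf_hardening(data: bytes) -> dict:
    """Return {'pie': bool, 'nx': bool, 'relro': 'none'|'partial'|'full'}."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a 64-bit little-endian ELF")
    e_type, = struct.unpack_from("<H", data, 16)
    phoff, = struct.unpack_from("<Q", data, 32)
    phentsize, phnum = struct.unpack_from("<HH", data, 54)
    stack_flags, relro, bind_now = None, False, False
    for i in range(phnum):
        p_type, p_flags, p_off, _, _, p_filesz, _, _ = struct.unpack_from(
            "<IIQQQQQQ", data, phoff + i * phentsize)
        if p_type == PT_GNU_STACK:
            stack_flags = p_flags
        elif p_type == PT_GNU_RELRO:      # GOT made read-only after relocation
            relro = True
        elif p_type == PT_DYNAMIC:        # full RELRO also needs eager binding
            for off in range(p_off, p_off + p_filesz, 16):
                tag, val = struct.unpack_from("<QQ", data, off)
                if tag == DT_NULL:
                    break
                bind_now |= tag == DT_BIND_NOW or bool(
                    tag == DT_FLAGS and val & DF_BIND_NOW or tag == DT_FLAGS_1 and val & DF_1_NOW)
    return {"pie": e_type == 3,           # ET_DYN: the loader picks a random base
            # no PT_GNU_STACK at all means an executable stack on Linux
            "nx": stack_flags is not None and not stack_flags & PF_X,
            "relro": "full" if relro and bind_now else "partial" if relro else "none"}

def build_sample(pie: bool, nx: bool, relro: str) -> bytes:
    """Construct a headers-only ELF64 image with the requested properties."""
    dyn = struct.pack("<QQQQ", DT_FLAGS, DF_BIND_NOW if relro == "full" else 0, DT_NULL, 0)
    segs = [(PT_GNU_STACK, 6 if nx else 7, 0, 0)]     # PF_R|PF_W, plus PF_X without NX
    if relro != "none":
        segs.append((PT_GNU_RELRO, 4, 0, 0))
    dyn_off = 64 + 56 * (len(segs) + 1)              # dynamic entries follow the phdrs
    segs.append((PT_DYNAMIC, 6, dyn_off, len(dyn)))
    hdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 3 if pie else 2, 0x3E, 1, 0, 64, 0, 0, 64, 56, len(segs), 64, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, o, 0, 0, s, s, 8) for t, f, o, s in segs)
    return hdr + body + dyn
```

Run `elf_hardening(open(path, "rb").read())` over every ELF extracted from a firmware image to see which binaries would still give an attacker fixed addresses and a writable GOT.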