Today, CISA announced that they added a code injection vulnerability in the Lantronix EDS5000 Serial-to-Ethernet Converters to their Known Exploited Vulnerabilities (KEV) catalog. The vulnerability was previously disclosed by Lantronix. The vulnerability was originally reported by Forescout as part of their Bridge:Break report; that report included proof-of-concept code for the vulnerability.
CISA has directed federal agencies using the Lantronix EDS5000 product to apply mitigations in accordance with vendor instructions, ensuring compliance with CISA’s BOD 26-04 Prioritizing Security Updates Based on Risk guidance and CISA’s “Forensics Triage Requirements”. Follow applicable BOD 26-04 guidance for cloud services or discontinue use of the product if mitigations are unavailable. Stakeholders are responsible for evaluating each asset's internet exposure and ensuring adherence to BOD 26-04 patching guidelines. CISA established a compliance date of June 26th, 2026.
Serial Port Servers are the bastard step-children of the OT business.
ReplyDeleteThey are meant to be physically durable, electrically durable, easy to configure, inexpensive... but security is an afterthought. This issue hasn't improved much since the Russian attack against Ukraine's grid in 2015, despite serial port servers being one of the primary attack vectors used by Russia.
I don't know what it will take to get the vendors and the users to be more serious about serial port cybersecurity. We already know the consequences of ignoring such security. And yet...