Lantronix EDS5000 KEV Alert: NC Manufacturer OT Defense 2026

CISA flagged Lantronix EDS5000 (CVE-2025-67038, CVSS 9.8) actively exploited. NC manufacturer OT network defense plan inside. Call (336) 886-3282.


TL;DR: On June 23, 2026, CISA added Lantronix EDS5000 serial-to-ethernet converters (CVE-2025-67038, CVSS 9.8) to the Known Exploited Vulnerabilities catalog after confirming active exploitation, and ordered federal civilian agencies to patch by June 26, 2026. The same device class has been weaponized by Russian state-linked groups (Sandworm, Berserk Bear) in disruptive attacks against industrial targets. North Carolina manufacturers that run any serial-to-IP converter on the plant floor should treat this as an emergency: patch to EDS5000 firmware 2.2.0.0R1, segment the device off the business network, and book a plant-floor cybersecurity review.

Key takeaway: "Industrial gateway" devices are often forgotten until they get exploited. CVE-2025-67038 is the reminder that a $700 serial-to-IP converter can become root on your plant network.

Need help locking down a plant-floor OT network this week? Contact Preferred Data Corporation for an OT Cybersecurity Review. Local, BBB A+ since 1987. Call (336) 886-3282.

What is CVE-2025-67038 and why is CISA escalating it now?

CVE-2025-67038 is a critical command injection vulnerability in Lantronix EDS5000 serial-to-ethernet converters with a CVSS score of 9.8, and CISA escalated it on June 23, 2026 because the agency confirmed active exploitation in the wild. CISA added the flaw to the Known Exploited Vulnerabilities (KEV) catalog the same day, with a federal patch deadline of June 26, 2026.

The vulnerability lives in the device's HTTP RPC module, which fails to sanitize the username parameter before concatenating it into a shell command for failed-login logging. An unauthenticated attacker can send a crafted login attempt and execute arbitrary OS commands with root privileges, gaining full control over the device with no credentials required. Lantronix has released firmware version 2.2.0.0R1, which fixes the issue.

The device class matters as much as the bug. Lantronix EDS5000 units are widely deployed serial-to-ethernet converters used to bridge legacy plant-floor equipment (PLCs, sensors, meters, scales, label printers, time clocks) onto IP networks. They are the connective tissue of "modernized" factories, and they are routinely installed once and never patched.

Reporting and analysis: The Hacker News, Security Affairs, Security Online, BleepingComputer, and Dataminr Cyber Intel Brief.

Why does this matter for North Carolina manufacturers specifically?

This matters for North Carolina manufacturers because the EDS5000 device class is exactly the kind of "set and forget" industrial gateway that lives on plant networks across the Piedmont Triad, and the same device family has previously been weaponized by Russian state-linked actors (Sandworm and Berserk Bear) to disrupt power infrastructure in Ukraine and industrial entities in Poland.

The threat model for an NC machine shop, packaging plant, or furniture maker is more pragmatic than nation-state targeting: criminal ransomware operators systematically scan KEV-listed devices for low-cost initial access. When they find an unpatched EDS5000 reachable from the internet (or pivotable from a compromised office PC), it becomes a foothold on the plant network, a stepping stone to file shares, ERP, and PLCs.

Three concrete consequences for a Piedmont Triad manufacturer:

  1. Production halt. A compromised serial gateway can be wedged or used to interfere with PLC communications, halting a line and triggering hours of downtime.
  2. Ransomware on the plant. Plant-floor disruption costs more per hour than office disruption; many ransomware groups now prioritize OT-connected targets for exactly that pressure.
  3. Customer audit failure. OEM customers and primes increasingly audit suppliers for OT cyber hygiene; an unpatched KEV-listed device on a Tier-2 supplier's network is a finding that affects future contracts.

What does the CISA KEV catalog mean for a small manufacturer?

The CISA KEV catalog is the federal government's curated list of vulnerabilities that are demonstrably under active exploitation, and while BOD 22-01 legally binds only federal civilian agencies, the catalog has become the de facto patching priority list for the private sector. Cyber insurers, customer security questionnaires, and DoD subcontractor flow-downs increasingly reference KEV.

For a small NC manufacturer, the practical translation is:

Audience                             What KEV listing means
Cyber insurance underwriter          Unpatched KEVs = denied claim or higher premium
OEM customer security questionnaire  Unpatched KEVs = supplier disqualified
CMMC assessor                        Unpatched KEVs in scope = finding
Ransomware operator                  KEV = "scan-and-exploit" target list

So even though CISA's June 26, 2026 deadline applies to federal agencies, treating it as your deadline is the right business decision.

Key takeaway: KEV is not a federal-only problem. It is the working priority list for both attackers and your customers' auditors.

Want a vulnerability and patch posture review against KEV? Explore Preferred Data Cybersecurity services or call (336) 886-3282.

How does a North Carolina manufacturer fix this in 72 hours?

A North Carolina manufacturer can address CVE-2025-67038 in 72 hours by inventorying every Lantronix EDS5000 (and the broader serial-to-IP gateway fleet), patching to firmware 2.2.0.0R1, removing internet exposure, and segmenting the devices off the business network. Even if you have not touched these devices in years, the work is concrete and finite.

A 7-step emergency plan:

  1. Inventory. Pull every serial-to-IP converter on every plant network. Lantronix EDS5000, EDS3000, EDS-MD, and similar gateways from other vendors all deserve a look.
  2. Confirm firmware. Log into each device, capture the firmware version, and compare against the vendor's fixed release (2.2.0.0R1 for EDS5000).
  3. Patch. Schedule the patch during a planned line stop. Test on a low-criticality device first.
  4. Remove WAN exposure. No industrial gateway should be reachable from the public internet. Period. If remote access is required, route through a VPN or a managed remote access tool with MFA.
  5. Segment. Put OT gateways on a dedicated VLAN with strict firewall rules to the IT side. A flat network turns one compromised device into a full breach.
  6. Log and alert. Forward authentication and admin events to your SIEM or managed detection partner.
  7. Document. Capture inventory, patch evidence, and segmentation diagrams for your insurer, customer auditors, and CMMC files.
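Added example (not code from the page or from Lantronix): a Python triage script covering steps 1, 2, 4 and 5 of the plan above. It parses each gateway's firmware string, compares it against the fixed release 2.2.0.0R1, and flags internet exposure and placement outside a dedicated OT VLAN. The inventory rows, the version strings other than 2.2.0.0R1, and the rule that an "R<n>" suffix sorts after the numeric part are assumptions made for the example.

```python
"""Triage a plant-floor gateway inventory against the EDS5000 fixed firmware."""
import re
from dataclasses import dataclass

# Fixed release from the vendor advisory (per the post). Other models would need
# their own entries from their own advisories.
FIXED_FIRMWARE = {"EDS5000": "2.2.0.0R1"}


@dataclass
class Gateway:
    name: str
    model: str
    firmware: str
    ip: str
    wan_reachable: bool  # True if the web UI answers from the public internet
    vlan: str            # "OT" for a dedicated OT VLAN, anything else is a finding


def parse_version(v: str) -> tuple:
    """'2.2.0.0R1' -> (2, 2, 0, 0, 1). Assumption: R<n> is a release number that
    sorts after the dotted part; a missing suffix counts as R0."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:R(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised firmware string: {v!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums += (0,) * (4 - len(nums))          # pad short strings to four fields
    return nums + (int(m.group(2) or 0),)


def triage(gateways: list) -> list:
    """Return (device name, finding) pairs for everything that needs action."""
    findings = []
    for g in gateways:
        fixed = FIXED_FIRMWARE.get(g.model)
        if fixed is None:
            findings.append((g.name, "unknown model; check the vendor advisory manually"))
        elif parse_version(g.firmware) < parse_version(fixed):
            findings.append((g.name, f"unpatched: {g.firmware} < {fixed} (CVE-2025-67038)"))
        if g.wan_reachable:
            findings.append((g.name, "reachable from the internet; remove WAN exposure"))
        if g.vlan != "OT":
            findings.append((g.name, f"on '{g.vlan}' network; move to a dedicated OT VLAN"))
    return findings


# Constructed sample inventory, not a real plant.
SAMPLE_INVENTORY = [
    Gateway("line1-scale", "EDS5000", "2.1.0.0R3", "10.20.1.5", False, "OT"),
    Gateway("line2-labeler", "EDS5000", "2.2.0.0R1", "10.20.1.6", False, "OT"),
    Gateway("timeclock", "EDS5000", "2.0.1.0R2", "10.0.5.40", True, "flat"),
]

if __name__ == "__main__":
    for name, finding in triage(SAMPLE_INVENTORY):
        print(f"{name}: {finding}")
```

Feed it the rows from your own inventory walk (step 1) and keep the output with the patch evidence for step 7.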

Most NC manufacturers we work with can complete steps 1-5 inside a single weekend if they have a partner who knows plant-floor cabling and PLC dependencies. The reason it usually slips is uncertainty about which devices can be safely rebooted; that uncertainty is solved by experience, not by reading another vendor PDF.

Want this run end-to-end by people who have done it before? Schedule an OT Cybersecurity Review or call (336) 886-3282.

What broader OT hygiene does this incident reinforce?

This incident reinforces the broader OT hygiene principles every NC manufacturer should already be running: an authoritative OT asset inventory, segmentation between IT and OT, controlled remote access, monitoring at the IT/OT boundary, and a patch cadence that includes industrial devices, not just office IT. A cordon-and-clean response fixes one CVE; durable OT hygiene survives the next one.

Five durable controls that would have blunted CVE-2025-67038 even before the patch was available:

  • OT asset inventory. You cannot patch what you do not know you own. Quarterly audits, not annual.
  • Network segmentation. A compromised serial gateway should not reach domain controllers or ERP.
  • No direct internet. Industrial devices behind a NAT/firewall, no exceptions; remote access through a brokered, MFA-protected gateway.
  • Out-of-band monitoring. Span port or TAP on the OT side, feeding an IDS that knows ICS protocols.
  • Vendor patch SLAs. Pin your industrial vendors to written patch SLAs and KEV alignment as a procurement requirement.

The Dragos 2026 OT report and CISA's repeated advisories make the same point: most OT incidents start as ordinary IT exploitation that crosses into a flat OT network. The fix is mostly architectural.

What about other devices CISA added the same day?

On June 23, 2026, CISA added four vulnerabilities to the KEV catalog: the Lantronix EDS5000 flaw and three Ubiquiti UniFi OS vulnerabilities (CVE-2026-34908, CVE-2026-34909, CVE-2026-34910). A North Carolina SMB running either device family should treat all four as same-week work. We covered the Ubiquiti UniFi OS CVE-2026-34908 KEV listing separately; this post focuses on the OT-side risk.

Frequently Asked Questions

How do I know if my factory uses a Lantronix EDS5000?

You can confirm by walking your plant network, looking for serial-to-ethernet converters, and checking the device label or web UI for "Lantronix EDS5000." If you do not have a maintained inventory of plant-floor IP devices, treat that as the more urgent problem; a manageable inventory is the foundation of OT cybersecurity. An OT Cybersecurity Review typically produces this inventory in a single visit.

My EDS5000 is on a private network; am I safe?

You are safer, but not safe. Most OT compromises start on the IT side (phishing, stolen credentials, ransomware) and pivot to OT through a flat network or a poorly segmented VLAN. Patch the device anyway, and use this as the catalyst to enforce segmentation between IT and OT.

What if patching will halt production?

That is exactly why you plan it during a scheduled line stop and test on the lowest-criticality device first. A planned 15-minute reboot in a controlled window is dramatically cheaper than an unplanned 48-hour ransomware halt. We help NC manufacturers sequence patches around production calendars so you do not have to choose.

Does this affect CMMC or DoD subcontractor compliance?

If the device touches Controlled Unclassified Information (CUI) or sits in a CUI enclave, unpatched KEVs are an assessment finding. Even if it does not, a documented unpatched KEV is a red flag in any DoD prime's supplier risk review. Preferred Data combines CMMC-aligned cybersecurity with the OT work that makes the controls real.

My MSP says the device is "managed"; should I still ask about this CVE?

Yes. Ask your MSP three direct questions: (1) is this device in the inventory you maintain for us, (2) what firmware version is on it today, and (3) when will you apply 2.2.0.0R1. If you get anything less than a firm answer with a date, escalate.

How is Preferred Data different from a generic IT MSP?

Preferred Data is a High Point, NC firm founded in 1987 with 37+ years of IT experience, a 20+ year average client tenure, and on-site reach within 200 miles of High Point. We pair managed IT and cybersecurity with deep manufacturing experience and OT/IT integration because most local MSPs do not have anyone who has actually worked a plant-floor cabling problem.
