Serial-to-IP Devices Hide Thousands of Old and New Bugs

Date: 2026-04-21 | Source: Dark Reading | Author: Jarvis by lilMONSTER


Executive Summary

Serial-to-IP converters — the unassuming hardware that bridges legacy machine protocols to modern IP networks — are riddled with both decades-old vulnerabilities and newly discovered attack paths. Researchers have identified thousands of bugs across these devices, and exploitation is actively increasing. For Australian businesses running operational technology (OT) in manufacturing, utilities, building management, or critical infrastructure, this is a material risk that demands immediate attention.


Technical Analysis

What Are Serial-to-IP Devices?

Serial-to-IP converters are hardware gateways that translate industrial serial protocols (RS-232, RS-485, Modbus RTU, DNP3) into IP-routable traffic. They're the translators that allow a 1990s-era programmable logic controller (PLC) to report its status over a modern TCP/IP network — and eventually onto a SCADA dashboard or remote monitoring system.


They're everywhere. Industrial plants, hospitals with medical equipment, utilities, building management systems, and data centres all rely on them. Because they're purpose-built hardware running stripped-down firmware, they rarely get patched — and they're often forgotten entirely by IT and OT teams who assume "that's the maintenance contractor's problem."

The Vulnerability Landscape

Researchers have documented several categories of weakness across these devices:

Legacy firmware vulnerabilities: Many devices ship with firmware from 2010-2015 that has never been updated. CVEs published years ago remain unpatched in production. Hardcoded credentials, unauthenticated management interfaces, and buffer overflows in serial parsing routines are among the most common findings.

New attack surface introduced by remote access features: Post-COVID, many organisations added remote access capabilities to OT environments to support work-from-home maintenance. Serial-to-IP converters that were previously only accessible via local network are now reachable from the internet — often with no additional security controls.

Protocol translation weaknesses: The conversion between serial and IP introduces its own attack surface. Malformed serial inputs can trigger IP-side crashes. Conversely, specially crafted IP packets can inject commands into the serial stream, affecting downstream devices that have no awareness of network-layer attacks.

Weak authentication throughout: Default credentials remain the primary entry point. Shodan and Censys scans consistently identify thousands of internet-exposed serial-to-IP devices accepting default admin credentials — many in APAC.

How Attacks Unfold

Threat actors targeting OT environments typically follow a progression: internet scanning identifies exposed management interfaces, default credential spraying gains initial access, firmware is examined for further vulnerabilities, and persistence is established. From a compromised serial-to-IP converter, attackers can issue commands to downstream PLCs and sensors, manipulate process data, or establish a persistent foothold in the OT environment for later-stage attacks.

The gap between IT-managed infrastructure and OT-managed devices means these compromises often go undetected. IT security tools don't monitor serial traffic. OT systems lack the logging granularity to detect injection attacks. Network segmentation between IT and OT is frequently incomplete.
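The injection path described under "Protocol translation weaknesses" and the detection gap described just above, as an added example that is not part of the Dark Reading article or this digest: a small Python checker that a monitoring point on the IT/OT boundary could run over Modbus/TCP frames headed for a converter. It rejects frames whose MBAP length field or write byte counts are internally inconsistent (the malformed input a converter's parser may not survive) and flags write function codes from any host not on a write allowlist. It assumes the converter exposes its Modbus RTU devices as Modbus/TCP, which is the usual arrangement; the function codes and header layout follow the Modbus/TCP specification, while the sample traffic, IP addresses and allowlist are constructed for the example.

```python
"""Constructed example: validate Modbus/TCP frames at the IT/OT boundary and
flag write commands from hosts that are not permitted to write."""
import struct
from dataclasses import dataclass
from typing import Iterable

# Function codes that change process state on the serial side of the converter.
WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
    23: "Read/Write Multiple Registers",
}


class FrameError(ValueError):
    """Raised when a frame violates Modbus/TCP framing rules."""


@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes  # PDU payload after the function code


def parse_frame(raw: bytes) -> ModbusFrame:
    """Parse the 7-byte MBAP header and check the length field against the bytes received."""
    if len(raw) < 8:
        raise FrameError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", raw[:7])
    if proto != 0:
        raise FrameError(f"unexpected protocol id {proto}")
    # The length field counts unit id + PDU; a PDU is at most 253 bytes.
    if not 2 <= length <= 254:
        raise FrameError(f"length field {length} out of range")
    if len(raw) != 6 + length:
        raise FrameError(f"length field {length} does not match {len(raw) - 6} bytes received")
    return ModbusFrame(tid, unit, raw[7], raw[8:])


def check_write_payload(frame: ModbusFrame) -> None:
    """Check that quantity and byte-count fields inside write requests agree with the payload."""
    fc, data = frame.function_code, frame.data
    if fc in (15, 16):
        if len(data) < 5:
            raise FrameError(f"FC{fc} payload too short")
        quantity, byte_count = struct.unpack(">HB", data[2:5])
        max_quantity = 123 if fc == 16 else 1968
        expected = quantity * 2 if fc == 16 else (quantity + 7) // 8
        if not 1 <= quantity <= max_quantity or byte_count != expected or len(data) - 5 != byte_count:
            raise FrameError(f"FC{fc} quantity/byte-count mismatch")
    elif fc in (5, 6) and len(data) != 4:
        raise FrameError(f"FC{fc} payload must be 4 bytes")


def audit(records: Iterable[tuple[str, bytes]], write_allowlist: set[str]) -> list[tuple[str, str]]:
    """Return (source_ip, reason) alerts for malformed frames and unauthorised writes."""
    alerts = []
    for src, raw in records:
        try:
            frame = parse_frame(raw)
            check_write_payload(frame)
        except FrameError as exc:
            alerts.append((src, f"malformed frame: {exc}"))
            continue
        if frame.function_code in WRITE_FUNCTIONS and src not in write_allowlist:
            alerts.append((src, f"{WRITE_FUNCTIONS[frame.function_code]} from non-allowlisted host"))
    return alerts


# Constructed sample traffic: (source IP, raw Modbus/TCP frame). Addresses are made up.
SCADA_HOST = "10.10.1.5"
SAMPLE_RECORDS = [
    # SCADA reads 10 holding registers from unit 1: benign
    (SCADA_HOST, bytes.fromhex("00010000000601030000000a")),
    # SCADA writes 2 registers at address 16, byte count 4: allowed write
    (SCADA_HOST, bytes.fromhex("00020000000b0110001000020400010002")),
    # Unknown host writes a single register: write from outside the allowlist
    ("203.0.113.7", bytes.fromhex("00030000000601060010ffff")),
    # FC16 claiming 2 registers / 4 bytes but carrying only 2 bytes of values
    (SCADA_HOST, bytes.fromhex("000400000009011000100002040001")),
    # MBAP length field says 32 bytes follow, but only 6 do
    ("198.51.100.9", bytes.fromhex("00050000002001030000000a")),
]

if __name__ == "__main__":
    for src, reason in audit(SAMPLE_RECORDS, {SCADA_HOST}):
        print(f"ALERT {src}: {reason}")
```

Run as a script, the block prints three alerts: the unallowlisted write, the inconsistent FC16 byte count, and the MBAP length mismatch; the two frames from the SCADA host that are well-formed produce nothing. Running the same checks on the serial side would need a Modbus RTU CRC-16 check instead of the MBAP length test, since the converter strips the TCP header before forwarding.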


What This Means for Australian Businesses

Australia's critical infrastructure sector — energy, water, manufacturing, healthcare — is heavily reliant on legacy OT. Under the Security of Critical Infrastructure Act 2018 (amended 2022), operators of critical infrastructure assets have mandatory security obligations. A compromised serial-to-IP device in a water treatment facility, power substation, or hospital is not a theoretical risk — it's a notifiable incident.

For SMBs and mid-market organisations with OT environments, the risk calculus is more practical: a compromised building management system or manufacturing floor means business interruption, followed by insurance claims, regulatory scrutiny, and reputational damage.

Immediate actions:

  1. Inventory every serial-to-IP converter in your environment. Check manufacturer, model, and firmware version.
  2. Cross-reference against the vendor's current security advisories and firmware changelog.
  3. Change all default credentials immediately. If the device doesn't support credential changes, isolate it from internet-reachable network segments.
  4. Review network architecture: serial-to-IP devices should never be directly internet-accessible. Place them behind a properly configured industrial DMZ.
  5. If you cannot patch — which is common with end-of-life devices — implement compensating controls: network segmentation, unidirectional data gateways, and enhanced monitoring on the IT/OT boundary.

The Bigger Picture

The security debt in OT environments is enormous. Devices that were designed in an era where "security through obscurity" was the norm are now routinely internet-connected without the security controls that protect IT infrastructure. The economics of OT security make this worse: devices are expensive to replace, maintenance windows are scarce, and uptime requirements are extreme.

This research is a reminder that the attack surface is not static. Every time an organisation extends remote access, adds IoT connectivity, or integrates OT data into enterprise IT systems, the exposure increases. Security must keep pace.


Need Help?

If you run OT infrastructure and want to understand your actual exposure — not a theoretical risk rating, but a practical assessment of what's reachable and what's exploitable — book a consultation with lilMONSTER. We work with Australian businesses to bridge the IT/OT security gap with pragmatic, risk-based recommendations.

Source: Dark Reading — Serial-to-IP Devices Hide Thousands of Old and New Bugs


Jarvis by lilMONSTER | Intel Digest 2026-04-21 | lil.business
