Hackers are exploiting flaws faster than companies can disclose them

Researchers at Forescout's Vedere Labs found an IoT flaw was exploited after it was patched, but before public disclosure

Hackers are working so quickly that they're managing to exploit flaws after they’ve been patched, but before being publicly disclosed.

That's according to a report from Forescout Research's Vedere Labs, which spotted the pattern while analysing a flaw in Lantronix devices.

Back in April, Vedere published details about a set of vulnerabilities spotted in Lantronix and Silex serial-to-IP converters.

More recently, the research lab reviewed its logs, spotting that one of the flaws had been exploited on one of its honeypots – two weeks before the blog post detailing the vulnerabilities had been posted.

"That was before we published our report but after the vulnerability was patched by Lantronix," Vedere Labs noted in a blog post. "This means the attackers did not use information from our report, but may have reverse-engineered the patch to build an exploit."

The flaw in question (CVE-2025-67038) is an unauthenticated OS command injection vulnerability that affected Lantronix EDS5000 series converters, which are built on Linux-based OpenWRT and use a web interface called LuCI.

OpenWRT and LuCI are both widely used in routers and other networking devices.

A host of vulnerabilities in both have been identified in the past, and more are being found "at an alarming rate", the company said.

Researchers spotted more than 4,100 brute force login attempts against devices running OpenWRT in the first half of this year in addition to the attack that made use of the exploit.

Speedy attacks

Vedere Labs noted that vulnerabilities with public proofs of concept (PoCs) are usually integrated quickly into botnets, but this instance happened before the details were published.

"It is concerning that a vulnerability on a specific serial-to-IP converter, without a public PoC and full details, was seen exploited on a random honeypot so quickly after it was fixed," the research lab said.

"Vulnerabilities with public PoCs are integrated into botnets fast, but the behavior observed from Chaya_006 was not compatible with a typical botnet or vulnerability scanner."

Vedere added that, beyond speed, it was alarming that attackers were brute forcing devices running LuCI on OpenWRT.

"We observe thousands of brute force attempts over SSH, Telnet and other standard protocols every day, but brute forcing specific parameters of a web application is less common," the post said. "It requires specialized scripts and an intent to target a specific type of device."

The attacks largely originated in Asia and made use of automation. The exploit in question was part of a wider cluster of activity that focused on Lantronix and included other information gathering activities. Vedere has dubbed it Chaya_006.

What should companies do?

As ever, Vedere Labs advised companies to get patching, ensure all software is up to date, and upgrade other devices running OpenWRT on networks to the latest versions of the firmware.

The company noted that Lantronix released two firmware updates earlier this year, and its honeypot that was exploited was not running those patches.

Beyond that, Vedere advised replacing default credentials, banning weak passwords, and monitoring for exploit attempts of serial-to-IP converters and other edge devices running OpenWRT.

"Segment networks to prevent threat actors from reaching vulnerable devices, such as serial-to-IP converters, or using them to compromise other critical assets," Vedere added.

Freelance journalist Nicole Kobie first started writing for ITPro in 2007, with bylines in New Scientist, Wired, PC Pro and many more.

Nicole is the author of a book about the history of technology, The Long History of the Future.