Critical vulneranilities reported in General Industrial Controls Lynx+ gateway

CISA is reporting multiple security vulnerabilities, at least one critical affecting General Industrial Controls' Lynx+ Gateway, an industrial protocol gateway used in manufacturing environments. 

The Lynx+ Gateway connect serial field devices using Modbus RTU/ASCII protocols to Ethernet/Modbus TCP networks in industrial environments. 

Vulnerabilities summary:

• CVE-2025-58083 (CVSS score 9.2): Missing Authentication for Critical Function in the embedded web server enabling attackers to remotely reset the device without authentication, potentially leading to complete administrative takeover.
• CVE-2025-55034 (CVSS score 8.8): Weak Password Requirements vulnerability allowing attackers to execute brute-force attacks resulting in unauthorized access and login to the system.
• CVE-2025-59780 (CVSS score 8.7): Missing Authentication for Critical Function allowing unauthenticated attackers to send GET requests to obtain sensitive device information, including configuration details, usernames, and protocol passwords.
• CVE-2025-62765 (CVSS score 8.7): Cleartext Transmission of Sensitive Information vulnerability permitting attackers to observe network traffic and capture plaintext credentials and other sensitive data.

Affected versions include Version R08, Version V03, Version V05, and Version V18. 

There are no vendor patches available. CISA recommends organizations minimize network exposure, ensure all control system devices are not accessible from the internet and use secure remote access methods such as Virtual Private Networks when remote connectivity is required.