Lantronix Advanced Console Manager Software Release Notes Version 9.7.0.2 May 27, 2026 Copyright 2026, Lantronix Release notes are also available on the Lantronix web site (www.lantronix.com) and via anonymous FTP from ftp.lantronix.com. Contact Lantronix or your reseller for more information. This document describes the Lantronix SLC firmware release 9.7.0.2. =============== RELEASE SUMMARY =============== Current release: 9.7.0.2 ============================= ADDITIONAL PRODUCTS SUPPORTED ============================= V9.7.0.2 supports the SLC8008, SLC8016, SLC8024, SLC8032, SLC8040 and SLC8048 Advanced Console Managers. ================= FIRMWARE RELEASES ================= file: slcupdate-9.7.0.2R1.tgz key: 6f0f23d7709494a6404c5096a80ccba4 Do not rename the firmware file - it must retain the same filename in order for the firmware upgrade to complete successfully. The firmware can be updated via either the 'Firmware & Configurations' web page, or with the 'admin ftp' and 'admin firmware' CLI commands. Updating firmware via tftp does not use the FTP login, password, or path settings. The firmware update will be applied to the alternate boot bank. Downgrading firmware versions is not supported. For older firmware versions, firmware must first be updated to 8.4.0.0R6, and then updated to 9.0.0.0R4, before updating to a more recent firmware version. To ensure system stability, it is recommended that firmware updates be performed incrementally; avoid skipping more than three major releases at once. ===== NOTES ===== - The Percepxion client is now enabled by default. If a factory default is performed and the Percepxion client was not previously enabled, after reboot it will be enabled and actively trying to connect to Percepxion. - The minimum LPM (Lantronix Provisioning Manager) version required for the SLC 9.7.0.2 firmware release is 7.2.4. - For G52x devices used as fail-over devices with the SLC, the minimum required firmware version for the G52x device is 2.1.0.0. G52x devices running 2.4 firmware version and later require the user to change the password upon first login after first boot or factory reset (this may affect connectivity with the SLC until the password has been updated and configured on the SLC). ============ NEW FEATURES ============ ========= BUG FIXES ========= - Security Vulnerabilities Some security vulnerabilities have been addressed. - Percepxion Configuration Version The Configuration Version field now displays correctly in the Percepxion configuration editor (device detail view), and configuration updates from the Percepxion Explore tab now propagate the configuration version to the device. ========== KNOWN BUGS ========== - When executing the perfmon restart CLI command with a probe name that contains a hyphen, the hyphen will be interpreted as a possible range of probe ids, and produce an invalid error. For example: [slc0871]> set perfmon state tcpconn3922-6-ll action restart Invalid state: tcpconn3922-6-ll (please specify a comma-separated list, eg, '1-4,6,11-12'). - When using SCP with some hosts, special characters in the password may need to be escaped - preceeded by a backslash - in order to successfully authenticate. Special characters requiring backslash include $ and @. For example, if the password is "HyD00b$Q@", in order to successfully authenticate the $ and @ must be escaped, eg "HyD00b\$Q\@". - Uploading LDAP certificates via the web, then deleting the certificates and uploading the same set of files via the web a second time can result in a "processing upload file header" error. A workaround is to use the same set of files but rename each file with a new name. This will be fixed in an upcoming release. - Changing the source IP address for DNS, TACACS and Remote Syslog from a value other than "none" to any other value requires that a NAT timeout expire in the firewall rules before the change can take effect. This means that no traffic that matches the firewall rule can be sent from the SLC for approximately a minute. This allows the subsystem that matches packets with rules to restart with a new rule. For example, to change the Remote Syslog source IP address from one value to another: - remove (unconfigure) Remote Syslog servers and set all Remote Syslog source IP address options to "None" (this halts all outbound Remote Syslog packets) - wait approximately one minute - reconfigure the Remote Syslog servers and source IP address options to the new desired values - In certain configurations, SNMP enterprise traps may use the physical Eth1 or Eth2 IPv6 address as the source IP address instead of a configured IPv6 source address. - When configuring the HSPA+ Gateway from the SLC, connectivity issues between the SLC and the gateway may cause the HSPA+ configuration on the SLC and the configuration on the HSPA+ to become out of sync, and indicate that the configuration was successful when it actually failed. The workaround is to reissue/reapply the gateway configuration from the SLC. A reboot or power cycle of the HSPA+ gateway may also be required. - CLI "show routing" and "diag" commands may hang waiting for user input After issuing the CLI command "show routing" or "diag" commands "arp", "arp6", "lookup", "netstat", "nettrace" or "ping", the CLI may hang waiting for user input when the output from the command would normally be displayed. Pressing any key repeatedly will cause the output to be displayed. ==================== DOCUMENTATION ERRATA ==================== ================= PREVIOUS RELEASES ================= [ 9.7.0.1 NEW FEATURES ] - IPv6 Support in Performance Monitoring Support for IPv6 in the ICMP Echo (ping), UDP Echo, TCP Connect, DNS Lookup and HTTP Get probes has been added. [ 9.7.0.2 NEW FEATURES ] - Network Failover/Failback Enhancements Failover/Failback now supports IPv6 addresses for the failover gateway and the failover ping IP address. - Firmware Update Enhancements Firmware update methods now support IPv6 addresses for FTP and SFTP servers. Source IP address selection has been added for firmware updates via FTP and SFTP. This selection feature is available only for firmware update methods FTP and SFTP. Firmware updates now support using Virtual Interfaces as the source IP address. - The status for NTP now displays the uptime of the NTP application. - The online help for scripts has been updated with examples of how to send SNMP traps and emails from a script. - Changes to CLI syntax: o added srcipaddr and srcipv6addr options to "admin firmware update" [ 9.7.0.0 BUG FIXES ] - The # character is now allowed in TACACS+ secrets. - The SSH subsystem has been updated to address security vulnerabilities, including CVE-2025-26465 and CVE-2025-26466. - Periodically WebSSH and WebTelnet (to the CLI or device ports) could not be opened. This has been fixed with a watchdog that restarts the server. [ 9.6.0.0 NEW FEATURES ] - Percepxion Web Connect Connecting to the SLC Web UI through Percepxion via the "Web" button for a device is now supported. Remote web UI sessions to devices on the same subnet as the SLC can also be opened (see the Connect tab under SLC details in Percepxion). A maximum of 10 web connections can be created under the Connect tab, but only 3 connections can be enabled at a time. See Percepxion online help for more information on this feature. - Filtering (Grep) Functionality for CLI show commands Support for filtering CLI show command output has been added. Filtering can include or exclude patterns, and use regular expressions to match patterns. See "help command line" for more information. - Ansible Interoperability Tips for Ansible interoperability have been added to the Web online help. - Failover/Failback Statistics Display of network failover and failback statistics is now available - the display shows the number of failover and failback events, and the time of the last failover and failback event. - SSH ECDSA Public Keys Support for SSH ECDSA public keys has been added. Subsections of the CLI help for "set sshkey" and "show sshkey" can be viewed instead of the full help text: "help set/show sshkey import", "help set/show sshkey export", "help set/show sshkey server". - SSH Server Algorithm Selection Individual SSH server ciphers, MACs, KEX algorithms and host key algorithms can be enabled or disabled, for additional security. When upgrading to this firmware version the current configuration will be converted to the appropriate individual algorithm selection based on the current SHA2 and Higher, NIST Algorithms and RSA Host Key Algorithms settings. - Web Server TLS Cipher Selection Individual web server TLS cipher suites can be enabled or disabled, for additional security. When upgrading to this firmware version the current configuration will be converted to the appropriate individual cipher selection based on the current Cipher and Use only SHA2 and Higher Ciphers setting. Note: TLSv1.3 ciphers cannot be disabled; all TLSv1.3 ciphers should be enabled to be compliant with the TLSv1.3 protocol. - NTP Authentication Any of the NTP local servers can be configured to use NTP Authentication to verify that the local server is known and trusted. The NTP packets are authenticated with symmetric key authentication. See the online help for more information. - APC7900B PDU The APC7900B Switched Rack PDU can now be managed via the Outlets web page the "set power" CLI command, and Percepxion. The PDU can be connected to either RJ45 serial or USB serial ports. - CLI help for "set network" and "show network" Subsections of the CLI help for "set network" and "show network" can be viewed, instead of the full help text: "help set/show network gateway", "help set/show network dns" and "help set/show network host". - Auto Reboot after Kernel Panic and Hardware Watchdog The SLC will now automatically reboot after a kernel panic, to minimize device downtime. This behavior is configurable with the Panic Reboot option on the Maintenance web page and the CLI "admin firmware panicreboot" command. By default, this feature is enabled. It is possible for a SLC shutdown to generate a RCU stall (panic) as the CPU has been stopped, and this in turn may cause the SLC to automatically reboot if Panic Reboot is enabled. Support for a hardware watchdog has been added to automatically reset the SLC if the system locks up. This behavior is configurable with the Hardware Watchdog option on the Maintenance web page and the CLI "admin firmware hwwatchdog" command. By default, this feature is enabled. - FIPS Mode FIPS mode is supported. SSH server algorithms and web TLS ciphers cannot be changed in FIPS mode (the algorithms and ciphers are configured for FIPS approved algorithms and ciphers). - Changes to CLI syntax: o added type option to "set sshkey export" o added ciphers option to "admin web" o added sshalgorithms option to "set services" o added localserverid, keyindex, hash and localserverkey options to "set ntp" o renamed "show services" option viewcipherlist to viewalgorithms o removed sha2 and cipher options from "admin web" o removed sha2, nist and rsahostkeys options from "set services" o added panicreboot and hwwatchdog options to "admin firmware" o added dmesg option to "admin clear" [ 9.6.0.0 BUG FIXES ] - Added kernel preemption to avoid RCU stalls. - SSH (including WebSSH) to device ports with authentication disabled fails to connect. [ 9.5.0.1 NEW FEATURES ] - Auto Reboot after Kernel Panic The SLC will now automatically reboot after a kernel panic, to minimize device downtime. This behavior is configurable with the Panic Reboot option on the Maintenance web page and the CLI "admin firmware panicreboot" command. - Changes to CLI syntax: o added panicreboot option to "admin firmware" [ 9.5.0.0 NEW FEATURES ] - SLC Network Outputs in CSV Format The CLI "show slcnetwork" command now has options to output the list of devices found in CSV format or without any extra space padding - Console Port Disable Feature The console port can now be disabled - messages will be output during the boot process, but login to the CLI will not be available. - IPv6 Firewall Support Support for IPv6 addresses in IP Filter has been added. - Additional NTP Servers Support for three additional NTP local servers has been added (for a total of six NTP local servers). - Additional DNS Servers Support for 6 additional DNS servers has been added (for a total of 10). - Auto-refresh of Device Port Counters and Status in the Web UI The global Device Port settings now have an Auto-refresh Port Counters option to enable auto-refresh of port status and counters in the Device Port Settings web page. - Changes to CLI syntax: o added format option to "show slcnetwork" o added access option to "set consoleport" o added localserver4, localserver5 and localserver6 options to "set ntp" o added autorefreshcounters option to "set deviceport global" [ 9.5.0.0 BUG FIXES ] - The SSH subsystem has been updated to address security vulnerabilities, including CVE-2024-6387. [ 9.4.0.2 BUG FIXES ] - SSH Terrapin Vulnerability The ChaCha20-Poly1305 cipher has been disabled to fix SSH terrapin vulnerability CVE-2023-48795. - LDAP SSL Authentication + SSH The SSH upgrade in firmware version 9.3.0.0 broke LDAP/SSL authentication with SSH connections; this has been fixed in this release. [ 9.4.0.1 BUG FIXES ] - Percepxion Cloud Host Auto-Updated In a previous release the configured Percepxion Cloud Host was auto-updated from api.consoleflow.com to api.percepxion.ai during firmware update. This could break connectivity for some ConsoleFlow customers. The auto-update of the Cloud Host has been removed. [ 9.4.0.0 NEW FEATURES ] - Integrated PDU Support The SLC supports an integrated external PDU to manage power for devices that may (or may not be) connected to the console manager via a serial port. See Devices -> Outlets online help for more information. - SSH Upgrade The SSH server and client applications have been upgraded to include the latest vulnerability fixes. - FTP Server OTP Option A One Time Login/Password option has been added to the Maintenance web UI and "admin config" and "admin firmware" CLI commands to bypass saving the FTP/SFTP/TFTP server login and password. This is useful in scenarios where an OTP token is used to perform a firmware update or configuration save or restore. - FIPS Mode FIPS mode is deprecated and cannot be enabled. - Changes to CLI syntax: o added "set power" and "show power" o added "set px" and "show px" o added onetimepassword option to "admin firmware", "admin config save" and "admin config restore" [ 9.4.0.0 BUG FIXES ] - Web UI Field Validation for Security Vulnerability The character validation in some web UI fields has been updated to protect against security (command injection) vulnerabilities. An authenticated user could exploit this vulnerability by entering arbitrary commands in fields that do not validate the user input. A successful exploit could allow the attacker to execute arbitrary commands on the SLC. It is possible that previously configured settings entered via the web UI will no longer be valid after updating to this firmware version. [ 9.3.0.0 NEW FEATURES ] - SSH Out to IPv6 Addresses SSH out from the CLI to IPv6 addresses and hostnames that resolve to IPv6 addresses is now supported. - Protocol Source IP Address Selection The source IP address selection for Syslog, DNS, NTP, TACACS+, and SNMP have been expanded to include IPv4 and IPv6 addresses for both physical interfaces (Eth1 and Eth2), as well as IPv4 and IPv6 addresses for both virtual interfaces (VEth1 and VEth2). - IPv6 Static Routing IPv6 static routes can now be configured. Link local IPv6 gateways require that a scope identifier be specified for the gateway. - SSH Upgrade The SSH server and client applications have been upgraded to include the latest vulnerability fixes. - LCD Reboot to Alternate Bank The LCD now supports a feature that allows the user to reboot to the alternate boot bank. - FIPS Mode FIPS mode is still supported, however this feature is now deprecated. - Changes to CLI syntax: o added auto option to "admin sysinfo" o added "eth1" and "eth2" to "set network dnssrcipaddr" and "set snmp trapsrcipaddr" options o added srcipv6addr option to "set tacacs+" o added srcipv6addr option to "set ntp" o added trapsrcipv6addr option to "set snmp" o added dnssrcipv6addr option to "set network" o added syslogsrcipaddr and syslogsrcipv6addr options to "set services" o added ipv6route option to "set routing" o added veth1 and veth2 to "diag ping ethport" and "diag ping6 ethport" options [ 9.2.0.0 NEW FEATURES ] - Sysinfo Diagnostics Auto Feature An 'auto' option has been added to the CLI "admin sysinfo" option to support saving sysinfo files in a CLI batch script. For example, a script that saves a sysinfo file every 60 seconds: [slc]> show script type batch name auto_sysinfo ___Batch Script 'auto_sysinfo'_______________________________________________ Group/Perms: Adm/ad,nt,sv,dt,lu,ra,um,dp,ub,rs,fc,dr,sn,wb,sk,do,sd,md,rp,di set cnt 5 while { $cnt >= 1 } { admin sysinfo save SLCsysinfo location usb auto enable sleep 60 set cnt [expr $cnt - 1] } - SSH Two Factor Authentication SSH 2FA has been added; when enabled, this requires users to configure a public key in addition to entering a password when authenticating to the SLC. - Speed Test Diagnostics A network performance test (via speedtest.net) has been added to the CLI to test performance of various network configurations, including performance of a cellular connection. See "diag speedtest" for more information. - SSH Server Host Keys The SSH server host keys can be removed with a CLI command; on reboot, the SLC will automatically regenerate the SSH server host keys. - SNMP Resource Utilization Traps Traps for resource (disk and memory) have been added; the traps are sent when the resource goes over 90% utilization. - TACACS+ Port The TCP port used for communication to a TACACS+ server can now be configured. - USB Device Port support for Prolific PL2303GS Support for Prolific PL2303GS USB Serial converters has been added for USB Device Ports. - Configuration Text File Character Escape An "escapechar" option has been added to the CLI commands "admin config commands" and "admin config batch" to escape any backslash '\' characters in the output. If escapechar is enabled with "admin config commands", any '\' character in the output will be prepended with an additional '\' character. If escapechar is enabled with "admin config batch", it will handle de-escaping (removing the prepended '\') in the input, before running the CLI command. - Ethernet Virtual Interfaces Support for two virtual interfaces has been added; these interfaces act similar to a real physical interface, with an assigned IP address and netmask. For more information see the online help for Virtual Interfaces. In addition, a virtual interface can be selected as the interface to use for outgoing SSH sessions (CLI command "connect direct ssh"), as well as NTP, SNMP, DNS and TACACS+ packets. - Power Supply Failure On dual power supply models, when a power supply fails, the failure is now logged every 120 minutes until the failure is corrected. Previously the failure was only logged when the issue was detected. - Changes to CLI syntax: o added auto option to "admin sysinfo" o added port and srcipaddr options to "set tacacs+" o added escapechar option to "admin config commands" and "admin config batch" o added "diag speedtest" o added "set sshkey server remove" o added "set virtual" and "show virtual" o added iface option to "connect direct ssh" o added local as a location for "admin sysinfo" o added srcipaddr option to "set ntp" o added trapsrciface option to "set snmp" o added dnssrcipaddr to "set network" [ 9.2.0.0 BUG FIXES ] - IPv6 with Ethernet Bonding Previously if Ethernet bonding was enabled, IPv6 was not supported with the bonding interface. This has been fixed in this release. [ 9.1.0.0 NEW FEATURES ] - SSH Algorithm Features Two options to control which algorithms are supported by the SSH server have been added: RSA Host Key Algorithms (enables or disables support for RSA server host key algorithms; enabled by default) and NIST Algorithms (enables or disables NIST Key Exchange algorithms and server host key algorithms; enabled by default). - SSH Upgrade The SSH server and client have been upgraded to a more secure version. DSA SSH keys are no longer supported. NOTE: due to the removal of less secure algorithms, users with older SSH clients may not be able to connect to the SLC via SSH after this firmware version is installed. If a SSH client cannot connect to the SLC, most SSH clients can be run in verbose or debug mode which will display what algorithms the client is offering to the SLC SSH server and the reasons for connection failure. SSH connections out of the SLC to older SSH servers may also fail to connect. - IP Filter Rule Limit The maximum number of rules allowed in an IP filter ruleset has been changed; 256 rules are now supported. - Syslog Version Format The system log format has been upgraded from RFC3164 to RFC5424. This upgrade applies to the format of the system log files stored internally as well as the format of the system log messages sent to a remote syslog server. For example, the RFC3164 syslog format: Mar 8 11:55:44 2023 slcfc31 SLC-SLB/xasd: sw/info-Running logrotate The RFC5424 format: 2023-03-08T11:55:44.027127+00:00 slcfc31 SLC-SLB/xasd: sw/info - Running logrotate After installing this release, booting to a bank running an older firmware version will result in logs with both RFC3164 and RFC5424 format logs in the system log, and the older firmware version will not be capable of date sorting both formats. - Discovery Server for Secure Lantronix Network The capability to disable the discovery server that listens for requests to search the network for Lantronix devices has been added. - Changes to CLI syntax: o added nist, rsahostkeys and discoveryserver options to "set services" o removed dsakeys option from "set services" o removed dsa from "set sshkey" and "show sshkey" o added "clear updatelog" to "set cflow" o added allusers option to "set cli" [ 9.1.0.0 BUG FIXES ] - SNMP link up/down trap using incorrect interface index The SLC was sending an incorrect ifIndex when issuing an SNMP linkUp or linkDown trap; this has been fixed. - Logging and diagnostics for directory full Additional logging and diagnostics has been added for tracking when a partition is full. [ 9.0.0.1 BUG FIXES ] - ConsoleFlow Proxy Connections When configured with a proxy server, the ConsoleFlow client was not using the proxy server for remote connections. This has been fixed in this release. [ 9.0.0.0 NEW FEATURES ] - StarTech USB External Modem Support for an external USB 2.0 modem (StarTech USB 2.0 USB56KEMH2) has been added. - ConsoleFlow Audit Log Audit log messages are now pushed to the ConsoleFlow server by the ConsoleFlow client. This feature is enabled by default, and can be enabled or disabled with the Audit Log Messages setting for the ConsoleFlow client. - SNMP v3 Encryption Support for AES192 and AES256 has been added to the SNMP v3 encryption options. - Changes to CLI syntax: o added auditlogmessages option to "set cflow" o added aes192 and aes256 options to "set snmp v3encrypt" options [ 9.0.0.0 BUG FIXES ] - Command to reset a Device Port The command to reset a device port via the CLI did not fully reset the serial side of connections to the device port. This has been fixed in this release. [ 8.9.0.1 BUG FIXES ] - ConsoleFlow Registration The ConsoleFlow client now uses the MQTT host returned by the ConsoleFlow server ; this is no longer user configurable. [ 8.9.0.0 NEW FEATURES ] - Configuration Text File Support for a text file version of the SLC configuration has been added. This text file is a series of CLI commands that can be exported from the device, optionally modified, and restored to the SLC. - CLI SNMP trapenable The CLI 'set snmp trapenable' can be used with prompts (querying the user which traps should be enabled) or without prompts (by specifying a list of OIDs). See the CLI help for 'set snmp' for more information. - ConsoleFlow CLI command The 'set snmp' CLI command is now available for issuing CLI commands via ConsoleFlow. - ConsoleFlow Proxy The ConsoleFlow client now supports use of a proxy server to act as a gateway between the ConsoleFlow client and the ConsoleFlow server. HTTP and SOCKS5 proxy servers are supported. - Changes to CLI syntax: o added proxy options to "set cflow" o added ConsoleFlow connection test command "show cflow connecttest" o added IP Filter "set ipfilter delete all" [ 8.9.0.0 BUG FIXES ] - The ConsoleFlow client can periodically lose connection to the ConsoleFlow server even when there are no network / routing issues due to libwebsockets ping-pong keepalive issues. This issue has been resolved by disabling libwebsockets ping-pong keepalives in favor of MQTT ping-pong keepalives. - The ConsoleFlow client can periodically get into a state where it is unable to publish results from jobs such as bulk CLI commands. This issue has been resolved by improving the telemetry handshake process. [ 8.8.0.0 NEW FEATURES ] - Support for G520 Series Cellular Gateway The Lantronix G520 Series Cellular Gateway is now supported as an integrated fail-over gateway. - Managed Ethernet Switch Support for an integrated 16 port Ethernet Switch has been added. This switch can be used as a management LAN to provide secure access to network devices that are attached to it. See online help for more details. - Changes to CLI syntax: o added g52x option to "set network gateway faildevice" o added consoleflow option to "admin lcd screens" o added allowremoteconnection option to "set cflow" o added "admin eeprom" command [ 8.8.0.0 BUG FIXES ] - Web Server Cookie Security Security issues related to web server session cookies have been fixed. [ 8.7.0.0 NEW FEATURES ] - Modem White List A list of allowed phone numbers can be used to control dial-in access to an internal modem or USB modem. The access list can be configured to either ignore or hang up phone numbers which are not on the access list. - USB Serial Support on front USB ports The front USB ports now support connecting serial devices. The user can login to the CLI and perform a "connect direct U1" or "connect direct U2" to interact with the device. - RPM support for APC 7900B and 8865 PDUs Management for APC 7900B and 8865 PDUs via SNMP has been added. Total current for the PDU can be displayed; however the PDU does not support displaying current for each outlet. - Changes to CLI syntax: o added starttime, endtime, display and numlines options to "show auditlog" o added "diag traceroute6" o removed mqttsecurity option from "set cflow" o added "show usb serial" and "set usb serial" o added "set accesslist" and "show accesslist" [ 8.7.0.0 BUG FIXES ] - ConsoleFlow Connection Issues Fixes for ConsoleFlow connection issues, including the “SSL: couldn't create a context” error. This caused telemetry to not be updated and some operations (for example, CLI Commands) to not run. - Ethernet Bonding When enabled, Ethernet Bonding was displaying the incorrect status, and dropping packets. This has been resolved.