
Cybersecurity researchers are warning of the risks posed by low-cost IP KVM (Keyboard, Video, Mouse Over Internet Protocol) devices. These devices can potentially give an attacker extensive control over a compromised host.
The nine vulnerabilities discovered by Eclypsium span four different products: GL-iNet Comet RM-1, Angeet/Yeeso ES3 KVM, Sipeed NanoKVM, and JetKVM. The most severe allow an unauthenticated attacker to gain root access or execute malicious code.
“The common themes are egregious: lack of firmware signature verification, lack of brute force protection, broken access controls, and exposed debugging interfaces,” researchers Paul Asadourian and Reynaldo Vázquez García said in their analysis.
IP KVM devices enable remote access to a target machine’s keyboard, video output, and mouse input at the BIOS/UEFI level. If vulnerabilities in these products are exploited, the connected systems are exposed to takeover and the security controls in place can be undermined. The list of vulnerabilities is as follows:
CVE-2026-32290 (CVSS score: 4.2) – GL-iNet Comet KVM insufficient firmware trust validation (to be fixed)
CVE-2026-32291 (CVSS score: 7.6) – GL-iNet Comet KVM Universal Asynchronous Receiver-Transmitter (UART) root access vulnerability (to be fixed)
CVE-2026-32292 (CVSS score: 5.3) – GL-iNet Comet KVM insufficient brute-force protection vulnerability (fixed in version 1.8.1 BETA)
CVE-2026-32293 (CVSS score: 3.1) – GL-iNet Comet KVM insecure initial provisioning vulnerability via unauthenticated cloud connection (version
CVE-2026-32294 (CVSS score: 6.7) – JetKVM insufficient update validation vulnerability (fixed in version 0.5.4)
CVE-2026-32295 (CVSS score: 7.3) – JetKVM insufficient rate limiting vulnerability (fixed in version 0.5.4)
CVE-2026-32296 (CVSS score: 5.4) – Sipeed NanoKVM configuration endpoint exposure vulnerability (fixed in NanoKVM version 2.3.1 and NanoKVM Pro version 1.2.4)
CVE-2026-32297 (CVSS score: 9.8) – Angeet ES3 KVM
CVE-2026-32298 (CVSS score: 8.8) – Operating system command injection vulnerability in Angeet ES3 KVM allows arbitrary command execution (no fix available)
“These are not rare zero-days that require months of reverse engineering,” the researchers noted. “These are the basic security controls that any networked device should implement: input validation, authentication, cryptographic validation, rate limiting. We’re looking at the same class of failures that plagued early IoT devices a decade ago, but now for a class of devices that equates to physical access to everything they connect to.”
Attackers can weaponize these issues to inject keystrokes, bypass disk encryption and secure boot protection by booting from removable media, bypass the lock screen to gain access to the system, and more importantly, avoid detection by security software installed at the operating system level.
This is not the first time that vulnerabilities in IP KVM devices have been revealed. In July 2025, Russian cybersecurity vendor Positive Technologies reported five flaws (CVE-2025-3710, CVE-2025-3711, CVE-2025-3712, CVE-2025-3713, and CVE-2025-3714) that could pave the way for denial of service or remote code execution in ATEN International switches.
Additionally, IP KVM switches such as PiKVM and TinyPilot are used by North Korean IT workers in countries such as China to remotely connect to company-issued laptops hosted on laptop farms.
As a mitigation, we recommend enforcing multi-factor authentication (MFA) where supported, isolating KVM devices on a dedicated management VLAN, restricting internet access, using tools like Shodan to check for external exposure, monitoring for unexpected network traffic to and from the device, and keeping firmware up to date.
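The isolation and monitoring steps above can be checked against flow records. The following is an added example, not code from the article or from Eclypsium; the addresses, the approved-client list, and the four-field flow format are assumptions made for illustration.

```python
import ipaddress

# Assumed addressing plan (hypothetical): management VLAN and the KVM devices on it.
MGMT_VLAN = ipaddress.ip_network("10.20.30.0/24")
KVM_DEVICES = {ipaddress.ip_address("10.20.30.11"), ipaddress.ip_address("10.20.30.12")}
# Hosts approved to open sessions to the KVMs (for example an admin jump host).
ALLOWED_CLIENTS = {ipaddress.ip_address("10.20.30.5")}

# Constructed flow records: "timestamp src_ip dst_ip dst_port"
SAMPLE_FLOWS = """\
2026-01-10T09:00:01Z 10.20.30.5 10.20.30.11 443
2026-01-10T09:02:17Z 10.20.30.11 203.0.113.40 443
2026-01-10T09:05:44Z 192.168.1.77 10.20.30.12 80
2026-01-10T09:06:02Z 10.20.30.12 10.20.30.5 514
2026-01-10T09:07:30Z 10.20.30.40 10.20.30.11 22
not-a-flow-line
"""

def check_flow(src, dst, dport):
    """Return a finding string for one flow, or None if it is expected."""
    if src in KVM_DEVICES and dst not in MGMT_VLAN:
        return f"KVM {src} initiated traffic outside management VLAN to {dst}:{dport}"
    if dst in KVM_DEVICES and src not in MGMT_VLAN:
        return f"KVM {dst} reached from outside management VLAN by {src} on port {dport}"
    if dst in KVM_DEVICES and src not in ALLOWED_CLIENTS:
        return f"KVM {dst} accessed by unapproved management host {src} on port {dport}"
    return None

def audit(flow_text):
    """Parse flow lines, skip malformed ones, and return (timestamp, finding) pairs."""
    findings = []
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, dport = parts
        try:
            src, dst, dport = ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport)
        except ValueError:
            continue
        finding = check_flow(src, dst, dport)
        if finding:
            findings.append((ts, finding))
    return findings

if __name__ == "__main__":
    for ts, finding in audit(SAMPLE_FLOWS):
        print(ts, finding)
```

In practice the flow text would come from firewall or NetFlow exports for the management VLAN rather than the embedded sample.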
“A compromised KVM is different from a compromised IoT device that resides on your network; it is a direct, silent channel to all controlled machines,” Eclypsium said. “An attacker who compromises KVM can hide tools and backdoors on the device itself and continue to reinfect host systems even after remediation.”
“Most of these devices lack signature verification on some firmware updates, allowing supply chain attackers to modify the firmware during distribution and potentially persist forever.”
