In March 2026 nine vulnerabilities were disclosed in low-cost IP KVM devices that can allow unauthenticated actors to gain root access or execute arbitrary code. A technical analysis by Eclypsium said the flaws affect four products and include a vulnerability rated CVSS 9.8.
KEY FACTS
- Scope: Nine vulnerabilities across four IP KVM products
- Most severe: CVE-2026-32297, rated CVSS 9.8, enabling arbitrary code execution
- Affected devices: GL-iNet Comet RM-1, Angeet ES3, Sipeed NanoKVM, JetKVM
- Fix status: Some fixes available, some planned, two Angeet issues unfixed
The vulnerabilities include missing firmware signature verification, exposed UART access, weak or no brute force protections, insecure initial provisioning, insufficient update verification, exposed configuration endpoints, and an operating system command injection.
The nine issues map to distinct CVE identifiers. Several vendors have released or planned updates for specific flaws. JetKVM and Sipeed published fixes for some issues and GL-iNet has planned fixes and a beta update that addresses multiple items.
Successful exploitation can let an attacker inject keystrokes, boot from removable media to bypass disk encryption or Secure Boot, circumvent lock screens, and run code outside the host operating system. A compromised KVM can persistently re-infect hosts if firmware lacks signature verification.
Mitigations advised include enforcing multi-factor authentication where supported, isolating KVM devices on a management VLAN, restricting internet exposure, monitoring network traffic to and from the devices, using internet search tools to detect external exposure, and keeping firmware updated.
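The isolation and monitoring advice above can be checked mechanically. The Python script below is an added example, not code from Eclypsium's analysis or from any of the vendors: it takes a constructed inventory of KVM addresses, the management VLAN they are supposed to live on, and a handful of constructed flow records, and flags any KVM that sits off the management VLAN, exchanges traffic across VLANs, or talks to a non-RFC 1918 address (treated here as internet exposure). Every address, device label and the flow record format are assumptions chosen for the example.

```python
import ipaddress
from collections import Counter

# Management VLAN the IP KVMs are supposed to be isolated on, plus an inventory
# mapping each KVM's address to a label. All values are constructed for this
# example; a real deployment would load them from inventory/IPAM.
MANAGEMENT_VLAN = ipaddress.ip_network("10.20.0.0/24")
KVM_DEVICES = {
    ipaddress.ip_address("10.20.0.11"): "kvm-rack1",
    ipaddress.ip_address("10.20.0.12"): "kvm-rack2",
    ipaddress.ip_address("192.168.1.50"): "kvm-lab",  # deployed on the user LAN by mistake
}
# Address space considered "inside" the organisation (RFC 1918). Any other
# peer a KVM talks to is treated as internet exposure.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records, one "src,dst,dst_port,proto" per line (not real logs).
SAMPLE_FLOWS = """\
10.20.0.11,10.20.0.5,443,tcp
10.20.0.11,203.0.113.9,443,tcp
198.51.100.7,10.20.0.12,443,tcp
10.20.0.5,10.20.0.12,443,tcp
192.168.1.50,192.168.1.20,443,tcp
172.16.5.4,192.168.1.50,22,tcp
"""


def parse_flows(text):
    """Parse flow text into (src, dst, dst_port, proto) tuples, skipping blanks and comments."""
    flows = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, port, proto = line.split(",")
        flows.append((ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port), proto))
    return flows


def is_internal(addr):
    """True if the address falls inside one of the RFC 1918 ranges."""
    return any(addr in net for net in INTERNAL_NETS)


def classify_flow(src, dst, port, proto):
    """Return (kvm_label, finding) pairs for a flow that involves an inventoried KVM.

    Findings:
      kvm_outside_management_vlan - the KVM itself is not on the management VLAN
      internet_exposure           - the KVM exchanges traffic with a non-RFC 1918 peer
      cross_vlan_peer             - the peer is internal but not on the management VLAN
    A flow between a KVM and a management-VLAN host produces no finding.
    """
    findings = []
    for kvm, peer in ((src, dst), (dst, src)):
        label = KVM_DEVICES.get(kvm)
        if label is None:
            continue
        if kvm not in MANAGEMENT_VLAN:
            findings.append((label, "kvm_outside_management_vlan"))
        if not is_internal(peer):
            findings.append((label, "internet_exposure"))
        elif peer not in MANAGEMENT_VLAN:
            findings.append((label, "cross_vlan_peer"))
    return findings


def audit(text):
    """Run classify_flow over every record and return a Counter keyed by (label, finding)."""
    counts = Counter()
    for flow in parse_flows(text):
        counts.update(classify_flow(*flow))
    return counts


if __name__ == "__main__":
    for (label, finding), n in sorted(audit(SAMPLE_FLOWS).items()):
        print(f"{label:10} {finding:28} {n}")
```

Against the constructed records the audit reports internet exposure for both rack KVMs and two "off the management VLAN" plus two "cross-VLAN peer" hits for the mislocated lab device, while the two flows between a KVM and a management-VLAN host produce nothing. The same logic runs unchanged over exported firewall or NetFlow records once they are mapped to the four-field tuple.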
WHY IT MATTERS
IP KVM devices operate at the BIOS and firmware level and can provide a direct undetected channel to controlled machines. Vulnerabilities in these devices can undermine endpoint security and enable persistent access beyond standard operating system controls.

