9 Critical IP KVM Flaws Enable Unauthenticated Root Access Across Four Vendors

Low-cost IP KVM devices—designed to provide remote keyboard, video, and mouse access to physical systems—are introducing catastrophic security risks into enterprise environments. New research from Eclypsium reveals nine vulnerabilities affecting products from GL-iNet, Angeet/Yeeso, Sipeed, and JetKVM, with the most severe enabling unauthenticated attackers to achieve root access.

Why IP KVM Vulnerabilities Are Uniquely Dangerous

Unlike typical IoT device compromises, a breached IP KVM grants attackers capabilities equivalent to physical access at the keyboard. Because these devices provide console access below the operating system, including to BIOS/UEFI setup and the boot process, they enable threat actors to:

  • Inject keystrokes directly into target systems
  • Boot from removable media to bypass disk encryption
  • Circumvent Secure Boot protections
  • Access locked systems before authentication
  • Remain invisible to OS-level security software

“A compromised KVM is not like a compromised IoT device sitting on your network. It is a direct, silent channel to every machine it controls,” researchers Paul Asadoorian and Reynaldo Vasquez Garcia warned.

The Nine Vulnerabilities: A Breakdown

The flaws span fundamental security failures that have plagued IoT devices for over a decade:

GL-iNet Comet RM-1 (4 vulnerabilities):

  • CVE-2026-32290 (CVSS 4.2) — Insufficient firmware authenticity verification
  • CVE-2026-32291 (CVSS 7.6) — UART root access vulnerability
  • CVE-2026-32292 (CVSS 5.3) — No brute-force protection (Fixed in 1.8.1 BETA)
  • CVE-2026-32293 (CVSS 3.1) — Insecure initial provisioning via unauthenticated cloud connection

JetKVM (2 vulnerabilities):

  • CVE-2026-32294 (CVSS 6.7) — Insufficient update verification (Fixed in 0.5.4)
  • CVE-2026-32295 (CVSS 7.3) — Insufficient rate limiting (Fixed in 0.5.4)

Sipeed NanoKVM (1 vulnerability):

  • CVE-2026-32296 (CVSS 5.4) — Configuration endpoint exposure (Fixed in NanoKVM 2.3.1 / Pro 1.2.4)

Angeet ES3 KVM (2 critical vulnerabilities — NO FIX AVAILABLE):

  • CVE-2026-32297 (CVSS 9.8) — Missing authentication for critical function → arbitrary code execution
  • CVE-2026-32298 (CVSS 8.8) — OS command injection → arbitrary command execution

Pattern of Fundamental Security Failures

Eclypsium’s analysis reveals recurring themes across all affected products:

  • Missing firmware signature validation — allowing supply-chain attacks
  • No brute-force protection — enabling credential attacks
  • Broken access controls — permitting unauthorized configuration changes
  • Exposed debug interfaces — providing direct root access

“These are not exotic zero-days requiring months of reverse engineering,” the researchers noted. “These are fundamental security controls that any networked device should implement.”

Real-World Attack Implications

The research highlights how IP KVM devices are already being weaponized. North Korean IT workers operating from China have reportedly used similar devices—including PiKVM and TinyPilot—to remotely control company laptops hosted on “laptop farms,” maintaining persistent access to corporate networks.

An attacker who compromises an IP KVM can:

  • Hide tools and backdoors on the device itself
  • Consistently re-infect host systems even after remediation
  • Persist indefinitely by installing tampered firmware updates, since the devices do not verify update signatures

Defensive Recommendations

Organizations using IP KVM devices should immediately:

  1. Enforce MFA where supported
  2. Isolate KVM devices on a dedicated management VLAN
  3. Restrict internet access for these devices
  4. Check Shodan for external exposure
  5. Monitor network traffic for unexpected communications
  6. Update firmware immediately where patches are available
  7. Consider replacement of unpatched Angeet ES3 devices
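Recommendations 2, 3 and 5 above (dedicated management VLAN, no internet access, monitoring for unexpected communications) can be checked mechanically against a flow export. The script below is an added example, not part of the Eclypsium research or the vendors' tooling; it assumes a constructed KVM inventory on a 10.99.0.0/24 management VLAN, a constructed list of allowed peers (jump host and NTP server), and made-up flow records in a simple "src dst proto dport bytes" format.

```python
import ipaddress

# Constructed inventory of IP KVM devices on the dedicated management VLAN
# (assumption: 10.99.0.0/24 is that VLAN; every address here is made up).
KVM_INVENTORY = {
    "10.99.0.11": "gl-inet-comet-rack1",
    "10.99.0.12": "jetkvm-rack2",
    "10.99.0.13": "nanokvm-lab",
}
# Peers a KVM is expected to talk to: the admin jump host and the NTP server.
ALLOWED_PEERS = {"10.99.0.2", "10.99.0.5"}
# Address space the organisation owns; anything else counts as internet egress.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

def classify_flow(src, dst, dport):
    """Return a finding for a flow sourced from a KVM, or None if it is expected."""
    if src not in KVM_INVENTORY:
        return None
    name, dst_ip = KVM_INVENTORY[src], ipaddress.ip_address(dst)
    if not any(dst_ip in net for net in INTERNAL_NETS):
        # Direct internet egress: an unauthenticated cloud/update channel or a beacon.
        return f"{name} ({src}) -> internet {dst}:{dport}"
    if dst not in ALLOWED_PEERS:
        # Traffic toward production subnets or other management hosts.
        return f"{name} ({src}) -> unexpected internal peer {dst}:{dport}"
    return None

def audit_flows(lines):
    """Parse 'src dst proto dport bytes' records and collect findings per KVM."""
    findings = {}
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        src, dst, _proto, dport, _nbytes = line.split()
        finding = classify_flow(src, dst, int(dport))
        if finding:
            findings.setdefault(src, []).append(finding)
    return findings

# Constructed sample flow export, not real traffic.
SAMPLE_FLOWS = """\
# src dst proto dport bytes
10.99.0.11 10.99.0.2 tcp 443 120394
10.99.0.11 203.0.113.45 tcp 443 8821
10.99.0.12 10.99.0.5 udp 123 152
10.99.0.12 10.20.1.37 tcp 22 4410
10.99.0.13 10.99.0.2 tcp 443 300
10.20.1.9 198.51.100.8 udp 53 80
""".splitlines()
```

Running audit_flows(SAMPLE_FLOWS) over the constructed export flags the Comet's direct internet connection and the JetKVM's SSH session toward a production subnet, while traffic to the jump host and NTP server is left alone.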

The Bottom Line

The $30 price point of these devices has driven widespread adoption, but security has been an afterthought. Organizations must recognize that IP KVM devices represent a high-value target for attackers—providing silent, persistent access to every machine they control. Until vendors implement fundamental security controls, these “convenient” remote access tools remain serious liabilities.

Source: The Hacker News / Eclypsium