Cybersecurity researchers have issued a stern warning regarding the significant security risks associated with low-cost IP KVM (Keyboard, Video, Mouse over Internet Protocol) devices. These devices, intended to facilitate remote management, have been found to harbor numerous vulnerabilities that, if exploited, could grant attackers extensive control over compromised hosts, effectively bypassing traditional network security measures.
The findings, detailed by Eclypsium, highlight nine critical security flaws across four distinct IP KVM product lines: GL-iNet Comet RM-1, Angeet/Yeeso ES3 KVM, Sipeed NanoKVM, and JetKVM. The most alarming of these vulnerabilities permit unauthenticated attackers to achieve root-level access or execute malicious code on connected systems. Researchers Paul Asadoorian and Reynaldo Vasquez Garcia emphasized that these are not obscure, complex exploits but rather fundamental security oversights, including missing firmware signature validation, inadequate brute-force protection, flawed access controls, and exposed debug interfaces.
IP KVM Vulnerabilities Pose Significant Network Security Threats
IP KVM devices provide remote control over a target machine’s keyboard, video output, and mouse input, often at the BIOS/UEFI level. This deep system access means that successful exploitation of these newly discovered vulnerabilities can lead to a complete takeover of systems, rendering existing security protocols ineffective. The implications are particularly grave as these devices can act as a silent, persistent backdoor into an organization’s infrastructure.
The discovered vulnerabilities and their associated Common Vulnerability Scoring System (CVSS) scores include:
- CVE-2026-32290 (CVSS 4.2): Insufficient verification of firmware authenticity in GL-iNet Comet KVM. A fix is reportedly in planning.
- CVE-2026-32291 (CVSS 7.6): A Universal Asynchronous Receiver-Transmitter (UART) root access vulnerability in GL-iNet Comet KVM. A fix is reportedly in planning.
- CVE-2026-32292 (CVSS 5.3): Insufficient brute-force protection in GL-iNet Comet KVM. This vulnerability has been fixed in version 1.8.1 BETA.
- CVE-2026-32293 (CVSS 3.1): Insecure initial provisioning via unauthenticated cloud connection in GL-iNet Comet KVM. This vulnerability has been fixed in version 1.8.1 BETA.
- CVE-2026-32294 (CVSS 6.7): Insufficient update verification in JetKVM. This vulnerability has been fixed in version 0.5.4.
- CVE-2026-32295 (CVSS 7.3): Insufficient rate limiting in JetKVM. This vulnerability has been fixed in version 0.5.4.
- CVE-2026-32296 (CVSS 5.4): Configuration endpoint exposure in Sipeed NanoKVM. This vulnerability has been fixed in NanoKVM version 2.3.1 and NanoKVM Pro version 1.2.4.
- CVE-2026-32297 (CVSS 9.8): Missing authentication for a critical function in Angeet ES3 KVM, leading to arbitrary code execution. No fix is currently available.
- CVE-2026-32298 (CVSS 8.8): Operating system command injection vulnerability in Angeet ES3 KVM, leading to arbitrary command execution. No fix is currently available.
The researchers from Eclypsium pointed out that these vulnerabilities mirror the security failings seen in early Internet of Things (IoT) devices a decade ago. However, the context here is far more critical, as an exploited IP KVM device offers “the equivalent of physical access to everything it connects to.”
An adversary exploiting these weaknesses could inject keystrokes directly into a system, boot from external media to circumvent disk encryption or Secure Boot protections, bypass login screens, and gain undetected access. Crucially, security software installed at the operating system level would be unable to detect these low-level intrusions.
This is not the first instance of security issues being raised for IP KVM devices. In July 2025, Positive Technologies identified five vulnerabilities in ATEN International switches that could result in denial-of-service or remote code execution. Furthermore, IP KVM solutions like PiKVM and TinyPilot have reportedly been utilized by North Korean IT workers located abroad to remotely access company-issued laptops.
Mitigation Strategies and Future Outlook
To mitigate these risks, Eclypsium recommends several key security practices. Where supported, organizations should enforce multi-factor authentication (MFA) for IP KVM access. It is also advised to isolate KVM devices on a dedicated management VLAN and strictly restrict their internet access. Tools such as Shodan can help identify devices exposed to the public internet. Continuously monitoring for unusual network traffic to and from these devices and keeping their firmware up to date are essential steps in hardening their security posture.
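As an added illustration of the isolation and monitoring advice above (this is example code written for this page, not Eclypsium's or any vendor's tooling), the script below checks exported flow records against a simple policy for the KVM devices in an inventory: only the management VLAN may reach a KVM, a KVM should have no internet egress, and repeated web-UI connections from one source to one KVM are flagged given the weak brute-force protection described earlier. The inventory, subnets, threshold and flow lines are all constructed assumptions.

```python
import ipaddress
from collections import Counter

# Constructed example (not from the article): KVM inventory, management VLAN and internal ranges.
KVM_DEVICES = {"10.200.0.11": "rack1-kvm", "10.200.0.12": "rack2-kvm"}
MGMT_NETS = [ipaddress.ip_network("10.200.0.0/24")]
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WEB_PORTS = {80, 443}
BRUTE_FORCE_THRESHOLD = 5  # assumed: this many web-UI flows from one source to one KVM is suspicious

# Constructed flow records, "src_ip,dst_ip,dst_port", as a firewall or NetFlow collector might export them.
SAMPLE_FLOWS = """\
10.200.0.5,10.200.0.11,443
192.168.1.40,10.200.0.11,443
10.200.0.11,203.0.113.25,443
10.200.0.12,10.200.0.5,22
10.0.5.9,10.200.0.12,443
10.0.5.9,10.200.0.12,443
10.0.5.9,10.200.0.12,443
10.0.5.9,10.200.0.12,443
10.0.5.9,10.200.0.12,443
"""

def _in_any(ip, nets):
    return any(ip in net for net in nets)

def analyse_flows(text):
    """Return sorted (finding, src, dst) tuples for flows that break the KVM isolation policy."""
    findings = set()
    web_hits = Counter()
    for line in text.strip().splitlines():
        src, dst, dport = line.split(",")
        src_ip, dst_ip, port = ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport)
        if dst in KVM_DEVICES:
            # Policy: only hosts on the management VLAN may talk to a KVM.
            if not _in_any(src_ip, MGMT_NETS):
                findings.add(("kvm_reachable_outside_mgmt", src, dst))
            if port in WEB_PORTS:
                web_hits[(src, dst)] += 1
        elif src in KVM_DEVICES and not _in_any(dst_ip, INTERNAL_NETS):
            # Policy: a KVM should have no internet egress; unexpected cloud or update traffic shows up here.
            findings.add(("kvm_internet_egress", src, dst))
    for (src, dst), n in web_hits.items():
        if n >= BRUTE_FORCE_THRESHOLD:
            findings.add(("possible_web_login_brute_force", src, dst))
    return sorted(findings)

if __name__ == "__main__":
    for finding in analyse_flows(SAMPLE_FLOWS):
        print(*finding)
```

Run against real exports, the inventory would come from an asset database and the flow text from a collector; the policy checks themselves stay the same.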
The security firm stressed that a compromised KVM device represents a direct and stealthy entry point into an entire network. “An attacker who compromises the KVM can hide tools and backdoors on the device itself, consistently re-infecting host systems even after remediation,” Eclypsium stated.
The potential for supply-chain attacks is also a significant concern. Because several of these devices lack firmware signature validation, malicious actors could tamper with firmware during the distribution process, ensuring persistent compromise. While fixes are being developed for some vulnerabilities, the lack of available patches for the most severe flaws in the Angeet ES3 KVM remains a critical concern. Organizations relying on these devices should proactively assess their exposure and implement robust compensating controls while awaiting vendor updates.