Cyber Web Spider Blog – News

Nine IP KVM Flaws Risk Unauthorized Root Access

Posted on March 18, 2026 By CWS

Researchers at Eclypsium have identified nine serious vulnerabilities in low-cost IP KVM (Keyboard, Video, Mouse over Internet Protocol) devices that can give attackers unauthorized root access. The flaws affect products from four vendors: GL-iNet Comet RM-1, Angeet/Yeeso ES3 KVM, Sipeed NanoKVM, and JetKVM.

Vulnerability Details and Impact

The most critical of these nine vulnerabilities could allow attackers to execute malicious code or gain root access without authentication. The issues identified include missing firmware signature validation, lack of brute-force protection, weak access controls, and exposed debug interfaces. Such flaws pose a significant threat because an IP KVM provides remote control of a system's keyboard, video, and mouse inputs at the BIOS/UEFI level, and a compromised device hands that control to the attacker.

The vulnerabilities carry varying CVSS scores and range from insufficient firmware authenticity checks (CVE-2026-32290) to command injection (CVE-2026-32298) that allows arbitrary command execution. Some of these issues have been addressed in recent updates, while others remain unresolved, posing ongoing risks to system security.

Historical Context and Comparison

This is not an isolated incident, as similar vulnerabilities have been observed in the past with other IP KVM devices. For instance, Russian cybersecurity firm Positive Technologies reported similar flaws in ATEN International switches in mid-2025, which could facilitate remote code execution or denial-of-service attacks.

Additionally, IP KVM devices like PiKVM and TinyPilot have been used by North Korean IT workers to remotely operate company laptops, highlighting the potential for misuse in various geopolitical contexts.

Mitigation Strategies and Security Recommendations

To mitigate these risks, experts recommend implementing multi-factor authentication (MFA) where possible, isolating KVM devices on dedicated management VLANs, restricting Internet access, and using tools such as Shodan to detect external exposure. Regular monitoring for unusual network activity and ensuring firmware is up-to-date are also advised.
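
As an added illustration (not part of the original article or of Eclypsium's research), the isolation, Internet-access and MFA recommendations above can be checked against an asset inventory. The management subnet, CSV column names and device records below are assumptions constructed for the example.

```python
import csv
import io
import ipaddress

# Assumption: subnet of the dedicated management VLAN (constructed value).
MGMT_VLAN = ipaddress.ip_network("10.99.0.0/24")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed inventory export; device names and column names are hypothetical.
INVENTORY_CSV = """\
name,address,internet_egress,mfa
kvm-rack1,10.99.0.11,no,yes
kvm-rack2,10.20.4.37,no,yes
kvm-lab,10.99.0.12,yes,no
kvm-remote,203.0.113.45,yes,no
kvm-typo,10.99.0.300,no,yes
"""


def audit_device(row):
    """Return the findings for one inventory row (empty list means compliant)."""
    try:
        addr = ipaddress.ip_address(row["address"].strip())
    except ValueError:
        # A bad record must not be silently treated as compliant.
        return ["unparseable address"]
    findings = []
    if addr not in MGMT_VLAN:
        findings.append("outside management VLAN")
    if not any(addr in net for net in RFC1918):
        findings.append("address not RFC 1918 private")
    if row["internet_egress"].strip().lower() != "no":
        findings.append("Internet egress allowed")
    if row["mfa"].strip().lower() != "yes":
        findings.append("MFA not enabled")
    return findings


def audit(csv_text):
    """Map device name -> findings for every non-compliant device."""
    report = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        findings = audit_device(row)
        if findings:
            report[row["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(INVENTORY_CSV).items():
        print(f"{name}: {'; '.join(findings)}")
```

Any value other than an explicit "no" for egress or "yes" for MFA is reported, so blank or mistyped fields fail closed.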

Eclypsium emphasizes that compromised KVM devices offer a silent, direct path to affected systems, allowing attackers to hide malware and backdoors, which can persist even after remediation. The lack of signature verification in firmware updates further exacerbates the risk, as supply-chain attacks could alter firmware during distribution.

While the vulnerabilities present significant challenges, awareness and proactive measures can help mitigate potential threats, safeguarding systems against unauthorized access and control.

Category: The Hacker News
Tags: Authentication, Cybersecurity, Eclypsium, Firmware, IP KVM, network security, remote access, root access, security flaws, Vulnerability

Copyright © 2026 Cyber Web Spider Blog – News.