Full Report
Cybersecurity researchers have warned about the risks posed by low-cost IP KVM (Keyboard, Video, Mouse over Internet Protocol) devices, which can grant attackers extensive control over compromised hosts. The nine vulnerabilities, discovered by Eclypsium, span four products: GL-iNet Comet RM-1, Angeet/Yeeso ES3 KVM, Sipeed NanoKVM, and JetKVM. The most severe of them allow
Analysis Summary
# Vulnerability: Multiple Critical Flaws in Low-Cost IP KVM Devices
## CVE Details
- **CVE-2026-32297**: 9.8 (Critical) - Missing Authentication for Critical Function
- **CVE-2026-32298**: 8.8 (High) - OS Command Injection
- **CVE-2026-32291**: 7.6 (High) - UART Root Access
- **CVE-2026-32295**: 7.3 (High) - Insufficient Rate Limiting
- **CVE-2026-32294**: 6.7 (Medium) - Insufficient Update Verification
- **CVE-2026-32296**: 5.4 (Medium) - Configuration Endpoint Exposure
- **CVE-2026-32292**: 5.3 (Medium) - Insufficient Brute-force Protection
- **CVE-2026-32290**: 4.2 (Medium) - Insufficient Firmware Authenticity Verification
- **CVE-2026-32293**: 3.1 (Low) - Insecure Initial Provisioning
## Affected Systems
- **GL-iNet:** Comet RM-1 (Versions prior to 1.8.1 BETA)
- **Angeet / Yeeso:** ES3 KVM (All versions; no fix available)
- **Sipeed:** NanoKVM (Prior to v2.3.1) and NanoKVM Pro (Prior to v1.2.4)
- **JetKVM:** All hardware (Versions prior to 0.5.4)
## Vulnerability Description
Researchers at Eclypsium identified a suite of "IoT-class" security failures in IP KVM devices. These devices provide BIOS/UEFI-level remote access, so a flaw in one grants the equivalent of physical access to the host machine.
- **Broken Access Control:** Unauthenticated access to configuration endpoints and critical functions (Angeet and Sipeed).
- **Insecure Updates:** Lack of firmware signature validation or update verification, allowing for malicious firmware persistence (GL-iNet and JetKVM).
- **Weak Hardening:** Exposure of root shells via hardware debug interfaces (UART) and lack of rate limiting to prevent credential brute-forcing.
## Exploitation
- **Status:** PoC available (demonstrated by Eclypsium researchers).
- **Complexity:** Low.
- **Attack Vector:** Network (most), Physical/Adjacent (UART-related).
## Impact
- **Confidentiality:** High (Full access to video output/screen content).
- **Integrity:** High (Ability to inject keystrokes, modify BIOS settings, and bypass Secure Boot).
- **Availability:** High (Ability to reboot, power cycle, or brick the host/KVM).
## Remediation
### Patches
- **GL-iNet Comet:** Update to version **1.8.1 BETA** or newer.
- **JetKVM:** Update to version **0.5.4** or newer.
- **Sipeed NanoKVM:** Update NanoKVM to **2.3.1**; NanoKVM Pro to **1.2.4**.
- **Angeet/Yeeso ES3:** **No patches available** at this time. Use of these devices is discouraged in secure environments.
### Workarounds
- **VLAN Isolation:** Place all IP KVM management interfaces on a dedicated, isolated Management VLAN.
- **Restrict Access:** Strictly limit access to KVM IP addresses via Access Control Lists (ACLs) or firewalls.
- **Physical Security:** Disable or epoxy UART/debug headers on the physical PCB to prevent local root access.
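
The patch levels and the management-VLAN workaround above can be checked against a device inventory. The following is an added example, not code from Eclypsium or any vendor: the inventory field names, the lower-cased model keys and the `10.20.0.0/24` management subnet are assumptions, and a suffix such as `BETA` is ignored when comparing versions.

```python
import ipaddress
import re

# Fixed-in versions from the advisory above (None = no fix); key names are assumed.
FIXED_IN = {
    "gl-inet comet rm-1": (1, 8, 1),
    "jetkvm": (0, 5, 4),
    "sipeed nanokvm": (2, 3, 1),
    "sipeed nanokvm pro": (1, 2, 4),
    "angeet/yeeso es3": None,
}

def parse_version(text):
    """'v2.3.1' -> (2, 3, 1); '1.8.1 BETA' -> (1, 8, 1); None if unparsable."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", text, re.IGNORECASE)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def is_older(have, fixed):
    """Compare numerically after zero-padding, so (0, 5) is older than (0, 5, 4)."""
    n = max(len(have), len(fixed))
    return have + (0,) * (n - len(have)) < fixed + (0,) * (n - len(fixed))

def triage(device, mgmt_net):
    """Return findings for one record: patch status, then VLAN placement."""
    findings = []
    model = device["model"].strip().lower()
    have = parse_version(device["firmware"])
    if model not in FIXED_IN:
        findings.append("unknown-model")
    elif FIXED_IN[model] is None:
        findings.append("no-fix-available")
    elif have is None:
        findings.append("unparsable-version")
    elif is_older(have, FIXED_IN[model]):
        findings.append("needs-update")
    if ipaddress.ip_address(device["ip"]) not in ipaddress.ip_network(mgmt_net):
        findings.append("outside-mgmt-vlan")
    return findings

MGMT_NET = "10.20.0.0/24"  # constructed management subnet
INVENTORY = [  # constructed sample records
    {"model": "GL-iNet Comet RM-1", "firmware": "1.7.2", "ip": "10.20.0.11"},
    {"model": "JetKVM", "firmware": "0.5.4", "ip": "10.20.0.12"},
    {"model": "Sipeed NanoKVM Pro", "firmware": "v1.2.3", "ip": "192.168.1.50"},
    {"model": "Angeet/Yeeso ES3", "firmware": "1.0", "ip": "10.20.0.14"},
]

def report(inventory=INVENTORY, mgmt_net=MGMT_NET):
    return {d["ip"]: triage(d, mgmt_net) for d in inventory}
```

An empty findings list means the device is at or above the fixed version and sits inside the management subnet.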
## Detection
- **Exposure Scanning:** Use tools like Shodan or Censys to ensure KVM interfaces are not exposed to the public internet.
- **Log Monitoring:** Monitor for repeated failed login attempts (brute-force) and unusual configuration changes.
- **Network Behavior:** Audit for unexpected outbound cloud connections from KVM devices during provisioning.
## References
- Eclypsium Research: hXXps://eclypsium[.]com/blog/your-kvm-is-the-weak-link-how-30-dollar-devices-can-own-your-entire-network/
- CVE Records: hXXps://www[.]cve[.]org/CVERecord?id=CVE-2026-32297
- Original Report: hXXps://thehackernews[.]com/2026/03/9-critical-ip-kvm-flaws-enable.html