$30 IP-KVM Flaws Could Give Attackers BIOS-Level Control Across
During a recent security assessment, researchers uncovered nine severe vulnerabilities impacting four popular low-cost IP-KVM devices. These flaws allow attackers to gain complete, BIOS-level control...
During a recent security assessment, researchers uncovered nine severe vulnerabilities impacting four popular low-cost IP-KVM devices.
These flaws allow attackers to gain complete, BIOS-level control over connected systems, effectively bypassing all operating system security controls and Endpoint Detection and Response (EDR) agents.
Compromising a Keyboard, Video, and Mouse (KVM) device gives an attacker the equivalent of physical access to every connected machine.
This enables malicious actors to inject keystrokes, boot from removable media to bypass disk encryption, and alter BIOS setups to disable Secure Boot.
Because the KVM operates below the host operating system, attackers remain completely invisible to host-based security tools, creating a highly persistent threat vector.
This threat is actively being exploited in the wild. The FBI has recently investigated threats related to KVMs, and Microsoft has documented North Korean state-sponsored threat actors utilizing IP-KVMs to establish remote physical control over corporate laptops.
Furthermore, recent scans have identified over 1,600 of these low-cost devices directly exposed to the internet, creating an expansive attack surface for threat actors.
The discovered vulnerabilities impact devices from GL-iNet, Angeet/Yeeso, Sipeed, and JetKVM, which typically cost between $30 and $100.
The flaws stem from fundamental security hygiene failures, including missing firmware signature validation, exposed debug interfaces, and broken access controls.
| Vendor | Product | CVE | Vulnerability | CVSS 3.1 |
|---|---|---|---|---|
| GL-iNet | Comet RM-1 | CVE-2026-32290 | Insufficient firmware verification | 4.2 |
| GL-iNet | Comet RM-1 | CVE-2026-32291 | UART root access | 7.6 |
| GL-iNet | Comet RM-1 | CVE-2026-32292 | Insufficient brute-force protection | 5.3 |
| GL-iNet | Comet RM-1 | CVE-2026-32293 | Insecure cloud provisioning | 3.1 |
| Angeet/Yeeso | ES3 KVM | CVE-2026-32297 | Unauthenticated file upload | 9.8 |
| Angeet/Yeeso | ES3 KVM | CVE-2026-32298 | OS command injection | 8.8 |
| Sipeed | NanoKVM | CVE-2026-32296 | Configuration endpoint exposure | 5.4 |
| JetKVM | JetKVM | CVE-2026-32294 | Insufficient update verification | 6.7 |
| JetKVM | JetKVM | CVE-2026-32295 | Insufficient rate limiting | 7.3 |
The most severe finding affects the Angeet ES3 KVM, which contains an unauthenticated file upload vulnerability that, when chained with a command injection flaw, enables pre-authentication remote code execution with root privileges.
Similarly concerning is the GL-iNet Comet RM-1, which provides unauthenticated root-level access via its UART interface and relies solely on an easily spoofed MD5 hash for firmware verification.
Mitigation Strategies
To protect enterprise networks from these severe out-of-band management threats, security teams must treat IP-KVM devices as critical infrastructure.
According to Eclypsium research1, administrators should immediately isolate all KVM devices on dedicated management VLANs and ensure they are never exposed directly to the internet.
Access should be strictly gated behind strong authentication and Virtual Private Networks (VPNs).
Additionally, organizations must inventory their environments for undocumented KVMs, monitor outbound network traffic for anomalies, and apply the latest firmware patches when they are available from vendors.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.
No Comment! Be the first one.