These flaws uncovered by Eclypsium allow attackers to gain complete, BIOS-level control over connected systems, effectively bypassing all operating system security controls and Endpoint Detection and Response (EDR) agents.
Compromising a Keyboard, Video, and Mouse (KVM) device gives an attacker the equivalent of physical access to every connected machine.
This enables malicious actors to inject keystrokes, boot from removable media to bypass disk encryption, and alter BIOS setups to disable Secure Boot.
Because the KVM operates below the host operating system, attackers remain completely invisible to host-based security tools, creating a highly persistent threat vector.
This threat is actively being exploited in the wild. The FBI has recently investigated threats related to KVMs, and Microsoft has documented North Korean state-sponsored threat actors utilizing IP-KVMs to establish remote physical control over corporate laptops.
Furthermore, recent scans have identified over 1,600 of these low-cost devices directly exposed to the internet, creating an expansive attack surface for threat actors.
The discovered vulnerabilities impact devices from GL-iNet, Angeet/Yeeso, Sipeed, and JetKVM, which typically cost between $30 and $100.
The flaws stem from fundamental security hygiene failures, including missing firmware signature validation, exposed debug interfaces, and broken access controls.
| Vendor | Product | CVE | Vulnerability | CVSS 3.1 |
|---|---|---|---|---|
| GL-iNet | Comet RM-1 | CVE-2026-32290 | Insufficient firmware verification | 4.2 |
| GL-iNet | Comet RM-1 | CVE-2026-32291 | UART root access | 7.6 |
| GL-iNet | Comet RM-1 | CVE-2026-32292 | Insufficient brute-force protection | 5.3 |
| GL-iNet | Comet RM-1 | CVE-2026-32293 | Insecure cloud provisioning | 3.1 |
| Angeet/Yeeso | ES3 KVM | CVE-2026-32297 | Unauthenticated file upload | 9.8 |
| Angeet/Yeeso | ES3 KVM | CVE-2026-32298 | OS command injection | 8.8 |
| Sipeed | NanoKVM | CVE-2026-32296 | Configuration endpoint exposure | 5.4 |
| JetKVM | JetKVM | CVE-2026-32294 | Insufficient update verification | 6.7 |
| JetKVM | JetKVM | CVE-2026-32295 | Insufficient rate limiting | 7.3 |
The most severe finding affects the Angeet ES3 KVM, which contains an unauthenticated file upload vulnerability that, when chained with a command injection flaw, enables pre-authentication remote code execution with root privileges.
Similarly concerning is the GL-iNet Comet RM-1, which provides unauthenticated root-level access via its UART interface and relies solely on an easily spoofed MD5 hash for firmware verification.
To protect enterprise networks from these severe out-of-band management threats, security teams must treat IP-KVM devices as critical infrastructure.
According to Eclypsium research, administrators should immediately isolate all KVM devices on dedicated management VLANs and ensure they are never exposed directly to the internet.
Access should be strictly gated behind strong authentication and Virtual Private Networks (VPNs).
Additionally, organizations must inventory their environments for undocumented KVMs, monitor outbound network traffic for anomalies, and apply the latest firmware patches when they are available from vendors.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
The post $30 IP-KVM Flaws Could Give Attackers BIOS-Level Control Across Enterprise Networks appeared first on Cyber Security News.
President Donald Trump gives a speech at the World Economic Forum on Jan. 21, 2026…
Car dashcams have their uses. They can come in handy for recording accidents when nobody…
Tickets for PAX Aus 2026 are available today, with ‘Early Bird’ prices on offer for…
After making his gaming debut in Clair Obscur: Expedition 33, Charlie Cox is once again…
Switch 2 owners, check out this super low price on a first party Switch 2…
This website uses cookies.