
$30 IP-KVM Vulnerabilities Expose Enterprises to BIOS-Level Attacks

A new wave of security research has uncovered critical flaws in low-cost IP-KVM (Keyboard, Video, Mouse) devices, raising serious concerns for enterprise environments.

These devices, often priced between $30 and $100, are increasingly used for remote system management but are now being weaponized by attackers to gain deep, hardware-level access.

BIOS-Level Control Risk

Unlike traditional software attacks, IP-KVM compromises operate below the operating system. This gives attackers direct control over a system’s keyboard, display, and mouse functions at the BIOS level.

As a result, they can bypass endpoint security tools, antivirus software, and host-based firewalls entirely.

A single compromised KVM device can provide full control over every connected machine. Attackers can execute commands, modify boot processes, deploy ransomware, or even mount attacks using virtual media without detection.

According to Eclypsium, internet-exposed IP-KVM devices have surged dramatically from 404 in June 2025 to over 1,600 by January 2026. This sharp increase highlights widespread adoption without adequate security controls.

The vulnerabilities stem from fundamental security failures in device design and implementation. Common issues include:

  • Lack of secure firmware validation mechanisms
  • Exposed debug and serial interfaces
  • Weak or absent brute-force protection
  • Insecure cloud provisioning processes

Because these devices run embedded Linux systems, attackers can also install persistent backdoors directly on the hardware.

The research identified nine vulnerabilities across four vendors: GL-iNet, Angeet, Sipeed, and JetKVM.

| Vendor | Product | CVE | Vulnerability | CVSS | Status |
|---|---|---|---|---|---|
| GL-iNet | Comet RM-1 | CVE-2026-32290 | Insufficient firmware verification | 4.2 | No fix planned |
| GL-iNet | Comet RM-1 | CVE-2026-32291 | UART root access | 7.6 | No fix planned |
| GL-iNet | Comet RM-1 | CVE-2026-32292 | Insufficient brute-force protection | 5.3 | Fixed in v1.8.1 BETA |
| GL-iNet | Comet RM-1 | CVE-2026-32293 | Insecure initial cloud provisioning | 3.1 | Fixed in v1.8.1 BETA |
| Angeet | ES3 KVM | CVE-2026-32297 | Unauthenticated file upload | 9.8 | No fix available |
| Angeet | ES3 KVM | CVE-2026-32298 | OS command injection | 8.8 | No fix available |
| Sipeed | NanoKVM | CVE-2026-32296 | Configuration endpoint exposure | 5.4 | Fixed in v2.3.1 |
| JetKVM | JetKVM | CVE-2026-32294 | Insufficient update verification | 6.7 | Fixed in v0.5.4 |
| JetKVM | JetKVM | CVE-2026-32295 | Insufficient rate limiting | 7.3 | Fixed in v0.5.4 |

The most severe issue affects the Angeet ES3 KVM, where attackers can upload arbitrary files without authentication.

Real-World Attack Scenarios

Once exploited, attackers can:

  • Inject keystrokes to install malware or ransomware
  • Boot systems from malicious remote media, bypassing disk encryption
  • Alter BIOS settings to maintain persistence
  • Monitor or intercept sensitive operations in real time

Because all actions occur below the OS, traditional detection tools remain ineffective.

Security teams should treat IP-KVM devices as high-risk infrastructure. Recommended actions include:

  • Isolate KVMs on dedicated management networks
  • Never expose them directly to the internet
  • Apply firmware updates immediately where available
  • Disable unnecessary interfaces such as UART and wireless configuration
  • Enforce strong authentication and network segmentation
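The following script turns two of these recommendations, applying fixed firmware and keeping KVMs on a dedicated management network, into a repeatable inventory audit. It is an added example, not code from the article, Eclypsium, or any of the vendors: the fixed versions and CVE identifiers come from the table above, while the inventory rows, device names, firmware strings and the 10.250.0.0/24 management CIDR are constructed for illustration and should be replaced with your own asset data.

```python
"""Audit an IP-KVM inventory against the fixed firmware versions in the
advisory table and the "dedicated management network" recommendation.

Added example, not code from the article, Eclypsium, or any vendor.
The inventory rows and the management CIDR below are constructed; the
fixed versions and CVE identifiers are taken from the article's table.
"""
import ipaddress
import re

# First firmware version the article lists as fixing the reported CVEs.
# None means the article reports no fix available for that product.
FIXED_VERSIONS = {
    ("GL-iNet", "Comet RM-1"): "1.8.1",   # listed as v1.8.1 BETA in the table
    ("Sipeed", "NanoKVM"): "2.3.1",
    ("JetKVM", "JetKVM"): "0.5.4",
    ("Angeet", "ES3 KVM"): None,
}

# CVEs the table marks "No fix planned": updating does not close them, so
# the device still needs compensating controls (isolation, disabled UART).
NO_FIX_PLANNED = {
    ("GL-iNet", "Comet RM-1"): ["CVE-2026-32290", "CVE-2026-32291"],
}

# Constructed management network for this example; substitute your own.
MGMT_NETWORKS = [ipaddress.ip_network("10.250.0.0/24")]


def parse_version(text):
    """Extract 'major.minor.patch' as an int tuple from strings like 'v1.8.1 BETA'."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"unparseable firmware version: {text!r}")
    return tuple(int(part) for part in match.groups())


def audit_device(vendor, product, firmware, address):
    """Return a list of findings for one KVM; an empty list means no action needed."""
    findings = []
    key = (vendor, product)
    if key not in FIXED_VERSIONS:
        findings.append("product not in advisory table: check vendor advisories")
    elif FIXED_VERSIONS[key] is None:
        findings.append("no fixed firmware exists: isolate or replace")
    elif parse_version(firmware) < parse_version(FIXED_VERSIONS[key]):
        findings.append(f"firmware {firmware} older than {FIXED_VERSIONS[key]}: update")
    if key in NO_FIX_PLANNED:
        cves = ", ".join(NO_FIX_PLANNED[key])
        findings.append(f"{cves} will not be fixed by firmware: compensating controls")
    ip = ipaddress.ip_address(address)
    if not any(ip in net for net in MGMT_NETWORKS):
        findings.append(f"{address} is outside the management network: segment")
    return findings


def audit_inventory(rows):
    """Map each device name to its findings."""
    return {
        row["name"]: audit_device(row["vendor"], row["product"], row["firmware"], row["address"])
        for row in rows
    }


# Constructed inventory rows (names, firmware strings and addresses are made up).
SAMPLE_INVENTORY = [
    {"name": "kvm-rack1", "vendor": "GL-iNet", "product": "Comet RM-1",
     "firmware": "v1.8.0", "address": "10.250.0.5"},
    {"name": "kvm-rack2", "vendor": "Sipeed", "product": "NanoKVM",
     "firmware": "v2.3.1", "address": "10.250.0.6"},
    {"name": "kvm-lab", "vendor": "JetKVM", "product": "JetKVM",
     "firmware": "0.5.3", "address": "192.168.1.20"},
    {"name": "kvm-branch", "vendor": "Angeet", "product": "ES3 KVM",
     "firmware": "1.0.0", "address": "10.250.0.9"},
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{name}: {'; '.join(findings) if findings else 'OK'}")
```

The version check deliberately treats the GL-iNet BETA build as the fixed baseline because that is what the table reports; the separate "no fix planned" list exists because a device on the newest firmware can still carry the unfixed UART and firmware-verification issues, and an audit that only compared version numbers would wrongly mark it clean.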

These findings highlight a growing blind spot in enterprise security. As organizations adopt cheaper hardware solutions, attackers are increasingly targeting these overlooked components to gain complete control over critical systems.


The post $30 IP-KVM Vulnerabilities Expose Enterprises to BIOS-Level Attacks appeared first on Cyber Security News.
