IP-KVM Devices Expose Organizations to Full Remote Compromise


Critical IP-KVM Vulnerabilities Enable Full Remote System Takeover


Executive Summary

A newly disclosed set of nine critical vulnerabilities impacting IP-KVM (Keyboard, Video, Mouse over IP) devices introduces a significant and often overlooked risk to enterprise environments.

These vulnerabilities allow unauthenticated attackers to gain root-level access and execute arbitrary code, effectively granting full control over both the KVM device and any connected systems.

This is not a traditional edge vulnerability.
This is out-of-band compromise at the hardware control layer.


Threat Overview

Security researchers identified multiple vulnerabilities across IP-KVM devices from several vendors. These issues stem from improper authentication controls, insecure configurations, and exposed management interfaces.

Successful exploitation allows attackers to:

  • Bypass authentication mechanisms entirely

  • Execute arbitrary commands remotely

  • Gain root-level access to the device

  • Pivot into connected systems and infrastructure

Because IP-KVM devices operate outside the operating system, compromise provides direct console-level access, independent of traditional security controls.

Below is a shortened list of the current IP-KVM vulnerabilities.

  • CVE-2026-32290 (CVSS score: 4.2) - An insufficient verification of firmware authenticity in GL-iNet Comet KVM (Fix being planned)
  • CVE-2026-32291 (CVSS score: 7.6) - A Universal Asynchronous Receiver-Transmitter (UART) root access vulnerability in GL-iNet Comet KVM (Fix being planned)
  • CVE-2026-32292 (CVSS score: 5.3) - An insufficient brute-force protection vulnerability in GL-iNet Comet KVM (Fixed in version 1.8.1 BETA)
  • CVE-2026-32293 (CVSS score: 3.1) - An insecure initial provisioning via unauthenticated cloud connection vulnerability in GL-iNet Comet KVM (Fixed in version 1.8.1 BETA)
  • CVE-2026-32294 (CVSS score: 6.7) - An insufficient update verification vulnerability in JetKVM (Fixed in version 0.5.4)
  • CVE-2026-32295 (CVSS score: 7.3) - An insufficient rate limiting vulnerability in JetKVM (Fixed in version 0.5.4)
  • CVE-2026-32296 (CVSS score: 5.4) - A configuration endpoint exposure vulnerability in Sipeed NanoKVM (Fixed in NanoKVM version 2.3.1 and NanoKVM Pro version 1.2.4)
  • CVE-2026-32297 (CVSS score: 9.8) - A missing authentication for a critical function vulnerability in Angeet ES3 KVM leading to arbitrary code execution (No fix available)
  • CVE-2026-32298 (CVSS score: 8.8) - An operating system command injection vulnerability in Angeet ES3 KVM leading to arbitrary command execution (No fix available)

Technical Impact

IP-KVM devices are designed for remote administration and recovery. When compromised, they provide capabilities that far exceed typical endpoint or network access.

An attacker with control of an IP-KVM can:

  • Interact directly with system consoles at the BIOS or boot level

  • Capture credentials during login sessions

  • Mount malicious media or alter boot processes

  • Deploy malware outside the visibility of EDR tools

  • Maintain persistence without triggering traditional alerts

This effectively bypasses:

  • Endpoint Detection and Response (EDR)

  • Multi-Factor Authentication (MFA)

  • Operating system logging and controls


Why This Matters

These devices represent a blind spot in most security programs.

They are often:

  • Deployed without hardened configurations

  • Exposed to the internet for convenience

  • Missing from asset inventories

  • Not included in vulnerability management processes

We continue to see a pattern where attackers prioritize:

  • Edge devices

  • Management interfaces

  • High-privilege infrastructure

IP-KVM devices fall squarely into all three categories.


Risk Considerations

Organizations at elevated risk include:

  • Data centers and colocation environments

  • Managed Service Providers (MSPs)

  • Enterprises with remote infrastructure management

  • ICS and OT environments utilizing remote console access

If IP-KVM devices are exposed externally or accessible without strong controls, the risk should be considered critical.


Recommended Actions

Immediate Actions

  • Identify all IP-KVM devices across the environment

  • Remove direct internet exposure wherever possible

  • Rotate all credentials and disable default accounts

  • Apply available vendor patches and firmware updates

Short-Term Actions

  • Restrict access to management interfaces via VPN or zero-trust controls

  • Segment IP-KVM devices onto dedicated management networks

  • Implement monitoring for unauthorized access attempts

Strategic Actions

  • Treat IP-KVM devices as critical infrastructure assets

  • Include them in asset inventories and vulnerability management programs

  • Integrate logging into centralized monitoring platforms where supported

  • Reassess the necessity of externally accessible out-of-band management


Detection and Monitoring Guidance

Organizations should monitor for:

  • Unexpected access to KVM management interfaces

  • Authentication attempts from unfamiliar IP addresses

  • Configuration changes or firmware updates outside normal processes

  • Unusual system behavior that may indicate console-level interaction

Because visibility is often limited, network-level monitoring becomes critical.
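The four monitoring points above can be expressed as simple rules over the device's management log. The following is an added example, not from the advisory or any vendor: it runs those rules over a constructed log in a made-up line format (real devices differ, so parse() must be adapted), and the management subnet, change window and failure threshold are assumptions.

```python
# Added detection example; log format, sample lines, MGMT_NETS and CHANGE_WINDOW are
# all assumptions constructed for illustration, not taken from any real IP-KVM device.
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

MGMT_NETS = [ip_network("10.50.0.0/24")]  # assumption: dedicated management network
CHANGE_WINDOW = (2, 4)                    # assumption: approved change window, UTC hours
FAIL_THRESHOLD, FAIL_WINDOW = 5, timedelta(minutes=5)

# Constructed sample log: "<ISO timestamp> <source IP> <event> [detail]"
SAMPLE_LOG = """\
2026-03-10T02:15:01Z 10.50.0.21 auth_ok user=admin
2026-03-10T02:16:40Z 10.50.0.21 firmware_update version=0.5.4
2026-03-10T13:02:11Z 203.0.113.45 auth_fail user=admin
2026-03-10T13:02:12Z 203.0.113.45 auth_fail user=admin
2026-03-10T13:02:13Z 203.0.113.45 auth_fail user=root
2026-03-10T13:02:14Z 203.0.113.45 auth_fail user=admin
2026-03-10T13:02:15Z 203.0.113.45 auth_fail user=admin
2026-03-10T13:02:16Z 203.0.113.45 auth_ok user=admin
2026-03-10T13:03:00Z 203.0.113.45 config_change key=ssh_enabled
"""

def parse(line):
    ts, src, event, *rest = line.split(" ", 3)  # detail field is ignored here
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip_address(src), event

def analyze(log_text):
    """Return (rule, source_ip, timestamp) findings in log order."""
    findings, fails, flagged = [], defaultdict(list), set()
    for ts, src, ev in (parse(l) for l in log_text.splitlines() if l.strip()):
        sensitive = ev in ("auth_ok", "config_change", "firmware_update")
        # Rule 1: management-plane activity from outside the management network.
        if sensitive and not any(src in n for n in MGMT_NETS):
            findings.append(("access_outside_mgmt_net", str(src), ts))
        # Rule 2: burst of failures from one source (several listed devices lack rate limiting).
        if ev == "auth_fail":
            fails[src] = [t for t in fails[src] if ts - t <= FAIL_WINDOW] + [ts]
            if len(fails[src]) >= FAIL_THRESHOLD and src not in flagged:
                flagged.add(src)
                findings.append(("auth_bruteforce", str(src), ts))
        # Rule 3: a success following a flagged burst suggests a guessed credential.
        if ev == "auth_ok" and src in flagged:
            findings.append(("success_after_bruteforce", str(src), ts))
        # Rule 4: config or firmware changes outside the approved window.
        if ev in ("config_change", "firmware_update") and not (
                CHANGE_WINDOW[0] <= ts.hour < CHANGE_WINDOW[1]):
            findings.append(("change_outside_window", str(src), ts))
    return findings
```

Running analyze(SAMPLE_LOG) yields five findings, all against 203.0.113.45: the failure burst, the two out-of-network accesses, the success right after the burst, and the configuration change outside the window; the in-window firmware update from the management subnet produces none.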


References

  • The Hacker News – 9 Critical IP-KVM Flaws Enable Remote Attacks

  • Eclypsium Research on KVM Device Security Risks

  • Industry reporting on IP-based management interface exploitation