IP KVM Vulnerabilities Turn Low‑Cost Remote Management Into High‑Impact Attack Vector

CyberSecureFox 🦊

Recent research by Eclypsium has revealed a cluster of nine security vulnerabilities in popular low‑cost IP KVM devices, priced roughly between 30 and 100 USD. These remote management tools operate at the BIOS/UEFI level, giving administrators full console access to servers before the operating system loads. In several cases, the flaws allow unauthenticated attackers to obtain root access or execute arbitrary code, bypassing operating system defenses entirely.

Why IP KVM Vulnerabilities Are So Dangerous for Server Security

IP KVM (Keyboard‑Video‑Mouse over IP) solutions provide out‑of‑band access to servers: they let administrators see the boot process, change BIOS/UEFI settings, and mount remote images as if they were physically present in the data center. This makes them extremely useful for operations — and equally attractive for attackers.

Once an IP KVM is compromised, an attacker can control the server’s console, alter firmware settings, boot malicious images, and bypass host‑based security controls such as EDR, firewalls, or disk encryption pre‑boot protections. In practice, this is equivalent to gaining physical access to the system from anywhere on the internet.

Eclypsium’s analysis shows that these are not sophisticated zero‑day exploits. Instead, they stem from basic failures in network device security hygiene: weak or missing authentication, poor input validation, inadequate cryptographic checks on firmware updates, and lack of brute‑force protections. Similar issues were common in early IoT devices, but their presence in hardware that effectively grants physical control over servers drastically increases the impact.

Affected IP KVM Vendors and Key CVEs

Angeet/Yeeso ES3 KVM: Unauthenticated Remote Access and Code Execution

The most severe findings relate to Angeet/Yeeso ES3 KVM devices. Vulnerability CVE-2026-32297, rated 9.8 on the CVSS scale, enables an unauthenticated attacker to read arbitrary files on the device. A second flaw, CVE-2026-32298 (CVSS 8.8), allows operating system–level command execution via command injection.

Combined, arbitrary file read and remote command execution provide a straightforward path to full takeover of the IP KVM and the connected server. Eclypsium notes that no firmware patches were available for these issues at the time of disclosure, leaving organizations dependent on compensating controls such as strict network isolation.

GL‑iNet Comet RM‑1: Firmware Integrity, UART Root, and Cloud Setup Risks

Four vulnerabilities were identified in the GL‑iNet Comet RM‑1 platform:

CVE-2026-32290 (CVSS 4.2) reflects insufficient verification of firmware authenticity. In environments where an attacker can influence the update process, this opens the door to malicious firmware images, undermining supply‑chain and platform integrity principles described in standards such as NIST SP 800‑193.

CVE-2026-32291 (CVSS 7.6) allows root access via the UART interface. While this requires physical access, it is highly relevant in colocation facilities, managed service scenarios, or insider threat cases, where physical security cannot be assumed.

CVE-2026-32292 concerns weak protection against password brute‑forcing: the absence of strict limits on login attempts makes credential guessing practical. GL‑iNet has strengthened these controls in a beta firmware v1.8.1.

Finally, CVE-2026-32293 describes an insecure initial configuration process over an unauthenticated cloud connection, enabling interception or hijacking of first‑time setup. This issue is also addressed in beta firmware v1.8.1, and organizations should plan to upgrade to a stable release that includes these fixes.

Sipeed NanoKVM and JetKVM: Patched Vulnerabilities, Persistent Exposure

For Sipeed NanoKVM, identified vulnerabilities have been fixed in firmware v2.3.1. In JetKVM products, two flaws — CVE-2026-32294 and CVE-2026-32295 — were remediated in firmware version 0.5.4. While public descriptions of these bugs are limited, the security impact is clear: running outdated firmware leaves a critical window of opportunity for attackers.

Organizations relying on Sipeed NanoKVM or JetKVM should audit installed firmware versions and prioritize upgrades to releases where these vulnerabilities are resolved.

IP KVM vs. BMC: Expanding the Remote Management Attack Surface

Security researcher Hudson (HD) Moore, founder of runZero, highlights that misconfiguration of IP KVMs can be as dangerous as firmware flaws. His internet‑wide scanning identified more than 1,300 IP KVM devices exposed directly to the public internet, an increase of roughly one‑third compared with about 1,000 devices observed a year earlier.

Moore draws a direct parallel between IP KVMs and Baseboard Management Controllers (BMCs), which are already recognized as high‑value targets. Once an attacker compromises an IP KVM, compromising the attached server is typically straightforward, even if that server is hardened against conventional network attacks. Any breach in the out‑of‑band management plane undermines investments in segmentation, intrusion detection, and endpoint security.

Practical Security Measures for IP KVM and Remote Management

To reduce the risk associated with IP KVM vulnerabilities and unsafe configurations, organizations should implement the following controls:

1. Asset discovery and network scanning. Identify all IP KVMs in the environment, including legacy or “forgotten” devices. Use network scanners or specialized discovery tools to map management interfaces and verify exposure.

2. Prompt firmware updates. Check firmware versions for Angeet/Yeeso, GL‑iNet, Sipeed, and JetKVM devices. Upgrade to patched releases wherever available (at minimum Sipeed NanoKVM v2.3.1 and JetKVM 0.5.4, and a stable GL‑iNet version incorporating fixes from v1.8.1).

3. Network segmentation and restricted access. Do not expose IP KVMs directly to the internet. Place them in isolated management segments, accessible only via VPN or dedicated administrative networks, enforcing the principle of management plane isolation.

4. Hardened authentication. Use unique, complex passwords, enable multi‑factor authentication where possible, disable insecure cloud‑based initial setup paths, and always change factory default credentials immediately.

5. Monitoring and brute‑force protection. Enable and regularly review authentication logs, implement account and IP lockouts, and integrate IP KVM events into centralized SIEM solutions to detect abuse attempts.

6. Security‑aware procurement. When selecting IP KVM vendors, evaluate not only cost and features, but also the maturity of their security processes: frequency of firmware updates, transparency in vulnerability disclosure, and responsiveness to independent research.
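Steps 1, 2, 3 and 5 above (inventory, firmware version check, placement in a management segment, and review of authentication logs for brute-force attempts), together with the version audit the NanoKVM/JetKVM section calls for, as an added example that is not code from the article, Eclypsium, or any KVM vendor. The minimum fixed versions are the ones the article names (GL-iNet's 1.8.1 is tracked as a beta, Angeet/Yeeso has none); the device list, the management subnet 10.250.0.0/16, the log line format and every hostname and address are constructed for the example, and real devices report versions and write logs in their own formats.

```python
"""Constructed example: audit an IP KVM inventory against the fixed firmware
versions and network placement the article recommends, and flag password
brute-force attempts in the devices' authentication logs."""
from __future__ import annotations

import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Minimum fixed firmware per model, as named in the article. None means the
# vendor had no patch at disclosure, so only compensating controls apply.
MIN_FIXED_VERSION: dict[str, str | None] = {
    "sipeed-nanokvm": "2.3.1",
    "jetkvm": "0.5.4",
    "gl-inet-comet-rm1": "1.8.1",  # beta at time of writing; stable release pending
    "angeet-yeeso-es3": None,      # no firmware patch available at disclosure
}

# Assumed management segment; any device outside it is flagged.
MANAGEMENT_NETS = [ipaddress.ip_network("10.250.0.0/16")]


@dataclass
class Device:
    host: str      # management IP address
    model: str     # key into MIN_FIXED_VERSION
    firmware: str  # version string as reported by the device


def parse_version(v: str) -> tuple[int, ...]:
    """'v1.8.1-beta' -> (1, 8, 1); tuples compare numerically, strings do not."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def audit_device(d: Device) -> list[str]:
    """Return findings for one device; an empty list means nothing to fix."""
    findings: list[str] = []
    minimum = MIN_FIXED_VERSION.get(d.model, "unknown")
    if minimum == "unknown":
        findings.append("unknown model: check vendor advisory manually")
    elif minimum is None:
        findings.append("no vendor patch available: isolate and apply compensating controls")
    elif parse_version(d.firmware) < parse_version(minimum):
        findings.append(f"firmware {d.firmware} below fixed release {minimum}")
    addr = ipaddress.ip_address(d.host)
    if not any(addr in net for net in MANAGEMENT_NETS):
        findings.append("outside management segment")
    return findings


# Constructed log format (assumed): one line per login attempt.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: login (?P<result>failed|ok) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def detect_bruteforce(lines, threshold: int = 5,
                      window: timedelta = timedelta(seconds=60)) -> dict[tuple[str, str], int]:
    """Map (device, source IP) to the most failed logins seen inside any
    `window`, for pairs that reached `threshold`; ignores successful logins."""
    failures: dict[tuple[str, str], list[datetime]] = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["result"] != "failed":
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        failures[(m["host"], m["src"])].append(ts)
    alerts: dict[tuple[str, str], int] = {}
    for key, stamps in failures.items():
        stamps.sort()
        start = 0
        for end, t in enumerate(stamps):  # sliding window over sorted timestamps
            while t - stamps[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[key] = max(alerts.get(key, 0), count)
    return alerts


# Constructed inventory and log lines (sample data, not real devices).
INVENTORY = [
    Device("10.250.3.11", "sipeed-nanokvm", "v2.3.1"),
    Device("10.250.3.12", "jetkvm", "0.5.2"),
    Device("10.250.3.13", "gl-inet-comet-rm1", "1.7.0"),
    Device("203.0.113.40", "angeet-yeeso-es3", "1.0.0"),
]
SAMPLE_LOG = [
    "2026-03-10T08:00:01Z kvm-rack7 auth: login failed user=admin src=198.51.100.7",
    "2026-03-10T08:00:04Z kvm-rack7 auth: login failed user=admin src=198.51.100.7",
    "2026-03-10T08:00:09Z kvm-rack7 auth: login failed user=root src=198.51.100.7",
    "2026-03-10T08:00:15Z kvm-rack7 auth: login failed user=admin src=198.51.100.7",
    "2026-03-10T08:00:22Z kvm-rack7 auth: login failed user=admin src=198.51.100.7",
    "2026-03-10T08:00:30Z kvm-rack7 auth: login failed user=admin src=198.51.100.7",
    "2026-03-10T08:01:10Z kvm-rack7 auth: login failed user=ops src=10.250.9.4",
    "2026-03-10T08:01:20Z kvm-rack7 auth: login ok user=ops src=10.250.9.4",
]


def run_audit() -> dict[str, list[str]]:
    """Audit every inventory device; keyed by management address."""
    return {d.host: audit_device(d) for d in INVENTORY}


if __name__ == "__main__":
    for host, findings in run_audit().items():
        print(host, "OK" if not findings else "; ".join(findings))
    for (host, src), n in detect_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT {host}: {n} failed logins from {src} within 60s")
```

The version comparison works on integer tuples rather than strings so that a device reporting 0.10.0 is not judged older than 0.5.4, and the brute-force detector uses a sliding window over sorted timestamps so that a slow, spread-out guessing run below the threshold is not alerted while a burst is; in a real deployment the same logic would run in the SIEM the article recommends, with the log regex replaced by the device's actual format.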

The current wave of IP KVM vulnerabilities demonstrates that seemingly simple, inexpensive components can become entry points for attacks with maximum impact. The core issue is not exotic 0‑days but neglect of fundamental security principles in the design and deployment of remote management hardware. Organizations should treat IP KVMs and BMCs as critical security assets: systematically discover them, update firmware, isolate management networks, and enforce robust authentication and monitoring. Taking these steps proactively is essential to ensure that tools intended to simplify administration do not become the easiest path to a complete infrastructure compromise.
