Cybersecurity researchers have warned about the risks posed by low-cost IP KVM (Keyboard, Video, Mouse over Internet Protocol) devices, which can grant attackers extensive control over compromised hosts.
The nine vulnerabilities, discovered by Eclypsium, span four different products from GL-iNet Comet RM-1, Angeet/Yeeso ES3 KVM, Sipeed NanoKVM, and JetKVM. The most severe of them allow unauthenticated actors to gain root access or run malicious code.
“The common themes are damning: missing firmware signature validation, no brute-force protection, broken access controls, and exposed debug interfaces,” researchers Paul Asadoorian and Reynaldo Vasquez Garcia said in an analysis.
With IP KVM devices enabling remote access to the target machine’s keyboard, video output, and mouse input at the BIOS/UEFI level, successful exploitation of vulnerabilities in these products can expose systems to potential takeover risks, undermining security controls put in place. The list of shortcomings is as follows –
- CVE-2026-32290 (CVSS score: 4.2) – An insufficient verification of firmware authenticity in GL-iNet Comet KVM (Fix being planned)
- CVE-2026-32291 (CVSS score: 7.6) – A Universal Asynchronous Receiver-Transmitter (UART) root access vulnerability in GL-iNet Comet KVM (Fix being planned)
- CVE-2026-32292 (CVSS score: 5.3) – An insufficient brute-force protection vulnerability in GL-iNet Comet KVM (Fixed in version 1.8.1 BETA)
- CVE-2026-32293 (CVSS score: 3.1) – An insecure initial provisioning via unauthenticated cloud connection vulnerability in GL-iNet Comet KVM (Fixed in version 1.8.1 BETA)
- CVE-2026-32294 (CVSS score: 6.7) – An insufficient update verification vulnerability in JetKVM (Fixed in version 0.5.4)
- CVE-2026-32295 (CVSS score: 7.3) – An insufficient rate limiting vulnerability in JetKVM (Fixed in version 0.5.4)
- CVE-2026-32296 (CVSS score: 5.4) – A configuration endpoint exposure vulnerability in Sipeed NanoKVM (Fixed in NanoKVM version 2.3.1 and NanoKVM Pro version 1.2.4)
- CVE-2026-32297 (CVSS score: 9.8) – A missing authentication for a critical function vulnerability in Angeet ES3 KVM leading to arbitrary code execution (No fix available)
- CVE-2026-32298 (CVSS score: 8.8) – An operating system command injection vulnerability in Angeet ES3 KVM leading to arbitrary command execution (No fix available)
“These are not exotic zero-days requiring months of reverse engineering,” the researchers noted. “These are fundamental security controls that any networked device should implement. Input validation. Authentication. Cryptographic verification. Rate limiting. We are looking at the same class of failures that plagued early IoT devices a decade ago, but now on a device class that provides the equivalent of physical access to everything it connects to.”
An adversary can weaponize these issues to inject keystrokes, boot from removable media to bypass disk encryption or Secure Boot protections, circumvent lock screens and access systems, and, more importantly, remain undetected by security software installed at the operating system level.
This is not the first time vulnerabilities have been disclosed in IP KVM devices. In July 2025, Russian cybersecurity vendor Positive Technologies flagged five flaws in ATEN International switches (CVE-2025-3710, CVE-2025-3711, CVE-2025-3712, CVE-2025-3713, and CVE-2025-3714) that could pave the way for denial-of-service or remote code execution.
What’s more, such IP KVM switches like PiKVM or TinyPilot have been put to use by North Korean IT workers residing in countries like China to remotely connect to company-issued laptops hosted on laptop farms.
As mitigations, it’s recommended to enforce multi-factor authentication (MFA) where supported, isolate KVM devices on a dedicated management VLAN, restrict internet access, use tools like Shodan to check for external exposure, monitor for unexpected network traffic to/from the devices, and keep the firmware up-to-date.
“A compromised KVM is not like a compromised IoT device sitting on your network. It is a direct, silent channel to every machine it controls,” Eclypsium said. “An attacker who compromises the KVM can hide tools and backdoors on the device itself, consistently re-infecting host systems even after remediation.”
“Since some firmware updates lack signature verification on most of these devices, a supply-chain attacker could tamper with the firmware at distribution time and have it persist indefinitely.”
