Security researchers have disclosed nine vulnerabilities affecting low-cost IP KVM devices from four vendors, warning that the most severe flaws could allow unauthenticated attackers to gain root access or run arbitrary code. According to The Hacker News, the issues were discovered by Eclypsium across products from GL-iNet, Angeet or Yeeso, Sipeed and JetKVM.
IP KVM devices provide remote control over a target system’s keyboard, video output and mouse input, often at the BIOS or UEFI layer. That level of access makes them especially sensitive: if a device is compromised, an attacker may be able to bypass disk encryption workflows, interact with the boot process, evade operating system protections and maintain a persistent control channel outside the normal visibility of host-based security tools.
Eclypsium says the weaknesses include missing firmware signature verification, weak or absent brute-force protections, broken access controls and exposed debug interfaces. The most serious are CVE-2026-32297 (rated 9.8), a missing-authentication flaw in the Angeet ES3 KVM that can lead to arbitrary code execution, and CVE-2026-32298 (rated 8.8), an operating system command injection bug in the same product. The disclosures also cover multiple flaws in the GL-iNet Comet KVM, JetKVM and Sipeed NanoKVM, for which some fixes are already available and others are still pending.
The report argues that these are not highly complex edge-case vulnerabilities but rather basic security failures in a class of hardware that effectively grants physical-style access over the network. That combination makes the risk unusually serious for enterprises, labs and remote management environments that rely on KVM-over-IP devices for troubleshooting, administration or out-of-band access.
As mitigations, researchers recommend isolating KVM devices on dedicated management networks, restricting internet exposure, enabling multi-factor authentication where supported, monitoring unusual network traffic and keeping firmware up to date. The broader warning is that a compromised KVM can serve as a covert bridge back into every machine it manages, even after host remediation.