Researchers from Eclypsium have disclosed nine critical vulnerabilities in IP KVMs from four manufacturers, highlighting the risks these low-cost devices pose when they are improperly configured or targeted by attackers.
IP KVMs (Keyboard, Video and Mouse over Internet Protocol) provide remote console access to machines over a network. These devices often sell for $30 to $100 and can provide access at the BIOS/UEFI level, which makes them powerful tools for administrators but also dangerous in the wrong hands. The disclosed vulnerabilities include unauthenticated root access, insufficient verification of firmware authenticity, and insecure initial provisioning via unauthenticated cloud connections.
The severity of these flaws is underscored by the fact that exploiting them does not require the months of reverse engineering that a zero-day might. Instead, they are failures of fundamental security controls, such as input validation, authentication, and cryptographic verification, that should be standard in any networked device.
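To make concrete what "cryptographic verification of firmware authenticity" means for a device like this, here is an added example, written for this article and not taken from Eclypsium's report or from any of the named vendors' firmware. It assumes a constructed image layout (magic, version, length, payload, Ed25519 signature) and shows the device-side check: validate the header before trusting any field, verify the vendor signature with the public key embedded in the device, and refuse images whose version is not newer than the installed one. The signing key is generated in the same program only so the example runs stand-alone; a real device would hold only the public key.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed image layout (an assumption for this example, not any vendor's
// real format):
//   magic   4 bytes   "KVMF"
//   version 4 bytes   big-endian uint32, must increase on every release
//   length  4 bytes   big-endian uint32, payload size
//   payload length bytes
//   sig     64 bytes  Ed25519 signature over magic||version||length||payload
const (
	magic  = "KVMF"
	hdrLen = 12
	sigLen = ed25519.SignatureSize
)

var (
	ErrMalformed = errors.New("firmware: malformed image")
	ErrBadSig    = errors.New("firmware: signature verification failed")
	ErrRollback  = errors.New("firmware: version not newer than installed")
)

// BuildImage is the vendor-side step: assemble the header and payload and sign
// them. It exists only to make the example self-contained; the private key
// never leaves the vendor's signing infrastructure.
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	buf := make([]byte, 0, hdrLen+len(payload)+sigLen)
	buf = append(buf, magic...)
	buf = binary.BigEndian.AppendUint32(buf, version)
	buf = binary.BigEndian.AppendUint32(buf, uint32(len(payload)))
	buf = append(buf, payload...)
	sig := ed25519.Sign(priv, buf) // signature covers header and payload
	return append(buf, sig...)
}

// VerifyImage is the device-side check. It parses defensively, verifies the
// signature under the vendor key baked into the device, and refuses downgrades.
// The payload is returned only when every check passes.
func VerifyImage(pub ed25519.PublicKey, installedVersion uint32, img []byte) ([]byte, uint32, error) {
	// Input validation first: never trust a length taken from the image itself.
	if len(img) < hdrLen+sigLen || !bytes.Equal(img[:4], []byte(magic)) {
		return nil, 0, ErrMalformed
	}
	version := binary.BigEndian.Uint32(img[4:8])
	length := binary.BigEndian.Uint32(img[8:12])
	if uint64(length) != uint64(len(img)-hdrLen-sigLen) {
		return nil, 0, ErrMalformed
	}
	signed, sig := img[:len(img)-sigLen], img[len(img)-sigLen:]
	// Authenticity: a single flipped bit anywhere in header or payload fails here.
	if !ed25519.Verify(pub, signed, sig) {
		return nil, 0, ErrBadSig
	}
	// Anti-rollback: checked only after the signature, so the version field is trusted.
	if version <= installedVersion {
		return nil, 0, ErrRollback
	}
	return img[hdrLen : hdrLen+int(length)], version, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // demo key pair, constructed at run time
	good := BuildImage(priv, 2, []byte("constructed firmware payload v2"))
	if _, v, err := VerifyImage(pub, 1, good); err == nil {
		fmt.Println("accepted version", v)
	}
	tampered := append([]byte(nil), good...)
	tampered[hdrLen] ^= 0x01 // flip one bit in the payload
	_, _, err := VerifyImage(pub, 1, tampered)
	fmt.Println("tampered image:", err)
	_, _, err = VerifyImage(pub, 2, good)
	fmt.Println("same-version image:", err)
}
```

The order of the checks is the point: structural validation runs before any field is interpreted, the signature is verified before the version is compared, and nothing from the image is written to flash until all three steps succeed. A device that accepts an unsigned image, or that checks the version before the signature, leaves the door open to the "insufficient verification of firmware authenticity" class of flaw described above.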
Some vendors are already working on patches: GL-iNet has plans to fix several issues, while Sipeed and JetKVM have released updates addressing some of the vulnerabilities. However, Angeet/Yeeso’s ES3 KVM remains vulnerable with no fix available as of Tuesday.
Beyond these device-specific flaws, the ease of deployment makes IP KVMs a broader threat to network security. Security researcher HD Moore reported over 1,300 such devices exposed on the internet, up from about 1,000 last June, which suggests that many organizations have overlooked or misconfigured their KVM installations.
Administrators are advised to review and secure their IP KVM deployments by implementing strong access controls, regularly updating firmware, and ensuring proper configuration.