The Hacker News reports nine IP KVM vulnerabilities, the most severe rated critical, across four vendors (GL-iNet Comet RM-1, Angeet/Yeeso ES3 KVM, Sipeed NanoKVM, and JetKVM) that expose the devices to unauthenticated root access and, in some cases, remote code execution. The flaws were discovered by Eclypsium, whose researchers warn that these are not exotic zero-days but fundamental failures: missing firmware signature validation, no brute-force protection on logins, broken access controls, and exposed debug interfaces.
The vulnerabilities are tracked as CVE-2026-32290, CVE-2026-32291, CVE-2026-32292, CVE-2026-32293, CVE-2026-32294, CVE-2026-32295, CVE-2026-32296, CVE-2026-32297, and CVE-2026-32298, with CVSS scores ranging from 3.1 to 9.8. Fixes are available for some of them (JetKVM and Sipeed NanoKVM have shipped updated firmware, per the report), while others remain unpatched at the time of writing.
Because an IP KVM provides remote keyboard, video and BIOS/UEFI-level access to the attached host, an attacker who controls the device can inject keystrokes, boot the target from removable media to bypass OS protections, get past lock screens, and operate below the visibility of OS-level security software. Eclypsium's recommended mitigations: enforce MFA where the device supports it, place KVMs on a dedicated management VLAN, block their direct internet access, monitor their traffic, and keep firmware current.
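The monitoring and segmentation advice above, as an added example that is not part of The Hacker News article or Eclypsium's research: a small Python script that runs over constructed KVM login and flow records and flags the two conditions a defender most wants surfaced, repeated failed logins from one source (which these devices do not throttle themselves) and KVM traffic that crosses the management VLAN boundary in either direction. The record formats, the 10.99.0.0/24 management VLAN, the KVM addresses and the internal address ranges are assumptions for illustration, not any vendor's real log format or any real network.

```python
"""Added example (not the article's or any vendor's code): flag brute-force
logins against IP KVMs and KVM traffic that leaves the management VLAN.
All log/flow records below are constructed for this example."""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Assumption: KVMs sit on a dedicated management VLAN, 10.99.0.0/24.
MGMT_NET = ipaddress.ip_network("10.99.0.0/24")
KVM_HOSTS = {ipaddress.ip_address("10.99.0.10"), ipaddress.ip_address("10.99.0.11")}
# Assumption: these RFC 1918 ranges are "internal"; anything else is treated as
# the internet. (ipaddress.is_global is avoided because the documentation
# addresses used below are not "global" in Python's classification.)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed auth records: "<iso-ts> <kvm-ip> login <OK|FAIL> user=<u> src=<ip>"
AUTH_LOG = [
    "2026-04-01T09:00:01 10.99.0.10 login FAIL user=admin src=10.99.0.50",
    "2026-04-01T09:00:02 10.99.0.10 login FAIL user=admin src=10.99.0.50",
    "2026-04-01T09:00:03 10.99.0.10 login FAIL user=root src=10.99.0.50",
    "2026-04-01T09:00:04 10.99.0.10 login FAIL user=admin src=10.99.0.50",
    "2026-04-01T09:00:05 10.99.0.10 login FAIL user=admin src=10.99.0.50",
    "2026-04-01T09:00:06 10.99.0.10 login OK user=admin src=10.99.0.50",   # guess succeeded
    "2026-04-01T09:05:00 10.99.0.11 login FAIL user=admin src=10.99.0.7",  # isolated typo
    "2026-04-01T09:20:00 10.99.0.11 login FAIL user=admin src=10.99.0.7",
    "2026-04-01T09:20:30 10.99.0.11 login OK user=admin src=10.99.0.7",
]

# Constructed flow records: "<iso-ts> <src> <dst> <dport> <proto>"
FLOW_LOG = [
    "2026-04-01T09:00:01 10.99.0.50 10.99.0.10 443 tcp",   # admin host on mgmt VLAN -> KVM: fine
    "2026-04-01T09:01:10 10.99.0.10 203.0.113.9 443 tcp",  # KVM calling out to the internet
    "2026-04-01T09:02:15 192.0.2.77 10.99.0.11 22 tcp",    # internet -> KVM
    "2026-04-01T09:03:00 10.20.5.4 10.99.0.11 443 tcp",    # office LAN -> KVM, bypassing the VLAN
    "2026-04-01T09:04:00 10.99.0.11 10.99.0.1 123 udp",    # KVM -> mgmt gateway (NTP): fine
]


def brute_force_sources(lines, threshold=5, window_seconds=60):
    """Return {(kvm_ip, src_ip): max_failures_in_window} for every source that
    produced at least `threshold` failed logins within any `window_seconds` span."""
    failures = defaultdict(list)
    for line in lines:
        ts, kvm, _, result, _user, src = line.split()
        if result != "FAIL":
            continue
        failures[(kvm, src.split("=", 1)[1])].append(datetime.fromisoformat(ts))
    hits = {}
    for key, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):           # sliding window over sorted timestamps
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[key] = max(hits.get(key, 0), count)
    return hits


def _scope(addr):
    return "internal" if any(addr in n for n in INTERNAL_NETS) else "external"


def segmentation_violations(lines):
    """Return (ts, direction, src, dst, scope) for flows where a KVM talks to,
    or is reached from, an address outside the management VLAN."""
    out = []
    for line in lines:
        ts, src, dst, _dport, _proto = line.split()
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if s in KVM_HOSTS and d not in MGMT_NET:
            out.append((ts, "kvm-egress", src, dst, _scope(d)))
        elif d in KVM_HOSTS and s not in MGMT_NET:
            out.append((ts, "kvm-ingress", src, dst, _scope(s)))
    return out


if __name__ == "__main__":
    for (kvm, src), n in brute_force_sources(AUTH_LOG).items():
        print(f"brute force: {n} failed logins against {kvm} from {src}")
    for v in segmentation_violations(FLOW_LOG):
        print("segmentation:", *v)
```

The brute-force check keys on (device, source) rather than on username, because the same source cycling through account names is the pattern an unthrottled login endpoint invites. The segmentation check treats any KVM flow that leaves the management VLAN as reportable and labels the far end internal or external, so a KVM reachable from the office LAN shows up as well as one exposed to the internet.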
The findings are a further reminder that an IP KVM is a direct, silent channel into every system it is attached to, and that it needs robust firmware validation and strong access controls of its own rather than inheriting trust from the hosts it manages.