Critical IP KVM Flaws - Unauthenticated Root Access Exposed
Basically, serious flaws in KVM devices let hackers take control without permission.
Researchers have flagged nine critical flaws in IP KVM devices, allowing hackers to gain root access. Affected devices include GL-iNet and Angeet models. Immediate action is crucial to prevent extensive control over systems.
The Flaw
Cybersecurity researchers have identified nine critical vulnerabilities in low-cost IP KVM (Keyboard, Video, Mouse over Internet Protocol) devices. These flaws, discovered by Eclypsium, span four different products: GL-iNet Comet RM-1, Angeet/Yeeso ES3 KVM, Sipeed NanoKVM, and JetKVM. The most severe vulnerabilities allow unauthenticated actors to gain root access and execute malicious code.
The vulnerabilities stem from fundamental security issues such as missing firmware signature validation, lack of brute-force protection, broken access controls, and exposed debug interfaces. These shortcomings enable attackers to exploit the devices and gain extensive control over the systems they manage, effectively undermining security protocols in place.
What's at Risk
The implications of these vulnerabilities are significant. With IP KVM devices providing remote access to a machine's keyboard, video output, and mouse input at the BIOS/UEFI level, successful exploitation could lead to complete system takeover. Attackers could inject keystrokes, boot from removable media, and bypass security measures like disk encryption or Secure Boot protections.
Moreover, the vulnerabilities are not just theoretical. They represent a direct threat to any organization using these devices, as they can be weaponized to maintain persistent access to compromised systems, even after remediation efforts. The potential for arbitrary code execution and command injection poses a severe risk to network security.
Patch Status
Among the nine vulnerabilities, several have been assigned CVE identifiers with varying severity scores. For instance, CVE-2026-32297 has a CVSS score of 9.8, indicating critical severity due to its ability to allow arbitrary code execution without authentication. Unfortunately, there is currently no fix available for this vulnerability.
On the other hand, some issues, like those in GL-iNet Comet KVM and JetKVM, have planned fixes or have already been addressed in recent firmware updates. Users are encouraged to update their devices promptly to mitigate these risks. However, the lack of signature verification for firmware updates raises concerns about potential supply-chain attacks.
Immediate Actions
To protect against these vulnerabilities, experts recommend several immediate actions. Organizations should enforce multi-factor authentication (MFA) where possible and isolate KVM devices on a dedicated management VLAN. Additionally, restricting internet access to these devices and monitoring for unexpected network traffic can help detect potential breaches.
Keeping firmware up-to-date is crucial, but organizations must also be wary of the risks associated with unverified updates. As noted by researchers, a compromised KVM device can serve as a silent channel to every machine it controls, making it imperative to address these vulnerabilities swiftly. The security landscape for IP KVM devices mirrors the early days of IoT devices, highlighting the need for robust security measures in networked environments.
The Hacker News