Vulnerabilities in IP-KVM Devices - Critical Security Risks
Basically, hackers can control computers through flaws in cheap devices that connect keyboards, mice, and screens.
Recent vulnerabilities in low-cost IP-KVM devices pose serious risks. Attackers can gain BIOS-level control, bypassing security measures. Organizations must act quickly to secure their networks.
The Flaw
A recent assessment has revealed nine severe vulnerabilities across four popular low-cost IP-KVM devices. These devices, which allow remote control of computers via keyboard, video, and mouse, have critical flaws that enable attackers to gain complete, BIOS-level control over connected systems. This means they can bypass all operating system security measures and Endpoint Detection and Response (EDR) agents. Essentially, compromising a KVM device gives attackers the equivalent of physical access to every connected machine.
The vulnerabilities stem from fundamental security hygiene failures, including missing firmware signature validation, exposed debug interfaces, and broken access controls. For instance, one of the most severe issues affects the Angeet ES3 KVM, which allows for unauthenticated file uploads that can lead to remote code execution with root privileges. This level of access is alarming, as it can be exploited without any user interaction.
What's at Risk
The impact of these vulnerabilities is significant. Recent scans have identified over 1,600 devices directly exposed to the internet, creating a vast attack surface for malicious actors. With attackers able to inject keystrokes, boot from removable media, and alter BIOS setups, the potential for damage is extensive. The vulnerabilities affect devices from manufacturers like GL-iNet, Angeet/Yeeso, Sipeed, and JetKVM, typically priced between $30 and $100.
The FBI has investigated threats related to KVMs, highlighting that North Korean state-sponsored actors have utilized these devices for remote control over corporate laptops. This underscores the urgency of addressing these vulnerabilities to prevent exploitation.
Patch Status
Currently, the affected vendors are aware of the vulnerabilities and are working on patches. However, the urgency of the situation cannot be overstated. Organizations must inventory their environments for undocumented KVMs and apply the latest firmware updates as soon as they are available. The vulnerabilities include:
- CVE-2026-32290: Insufficient firmware verification (CVSS 4.2)
- CVE-2026-32297: Unauthenticated file upload (CVSS 9.8) These CVEs represent critical risks that need immediate attention.
Immediate Actions
To protect enterprise networks from these severe out-of-band management threats, security teams should treat IP-KVM devices as critical infrastructure. Isolate all KVM devices on dedicated management VLANs and ensure they are never exposed directly to the internet. Access should be strictly gated behind strong authentication and Virtual Private Networks (VPNs). Additionally, organizations should monitor outbound network traffic for anomalies and remain vigilant about the potential for exploitation.
By taking these proactive measures, organizations can significantly reduce the risk posed by these vulnerabilities and protect their critical systems from unauthorized access.
Cyber Security News