Security researchers Reynaldo Vasquez Garcia and Paul Asadoorian from Eclypsium have issued a warning regarding a category of hardware often overlooked by IT departments: the Keyboard, Video, and Mouse (KVM) switch, and in particular its network-attached IP-KVM form. In a new technical deep dive, the researchers demonstrate that compromising these devices is not just a peripheral issue: it is a total system takeover.
As remote management becomes the norm, low-cost IP-KVM devices are flooding the market, bringing with them a “door wide open” vulnerability that bypasses almost every modern software-based security control.
The danger of a compromised KVM lies in its position within the hardware stack. Because these devices sit between the user and the physical machine, presenting themselves to the host as nothing more than an ordinary keyboard, mouse and display, they operate at a level that security software, such as Endpoint Detection and Response (EDR), cannot see or touch.
“Compromising a KVM device gives an attacker the equivalent of physical access to every machine connected to it. Not ‘kind of like’ physical access. Actual keyboard, video, and mouse control, at the BIOS level, below the operating system, below EDR, below every security control you have deployed.”
By exploiting this access, an attacker can perform actions that usually require a human to be standing in the data center. This includes entering the BIOS to disable Secure Boot, bypassing Windows lock screens, or using USB emulation to boot the entire system from a malicious remote image.
One of the most potent features of modern KVMs is their ability to emulate USB devices, often referred to as “Linux USB Gadgets.” This allows the KVM to act as a “BadUSB” device, injecting keystrokes at superhuman speeds to execute commands or download malware.
The researchers point out an irony: security-conscious organizations often prohibit employees from plugging in unknown USB drives, yet they remain connected to KVMs that possess the exact same capabilities.
“An attacker does not need to deploy their own Rubber Ducky to inject keystrokes. The KVM that the user is already connected to does the job.”
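The keystroke injection described here happens at the level of USB HID keyboard reports: a Linux USB gadget "types" by writing 8-byte reports to the host. The following Python is an added example, not code from Eclypsium or any KVM vendor. It encodes a string into boot-keyboard reports, decodes captured reports back into text (the forensic direction), and estimates how fast a payload can be typed. The device path /dev/hidg0, the US keyboard layout and the 1 ms report interval are assumptions.

```python
"""
USB HID boot-keyboard report encoder/decoder (added example).

A Linux USB gadget keyboard (e.g. the configfs HID function, assumed to be
exposed as /dev/hidg0) types by writing 8-byte reports to the host:
  byte 0:    modifier bitmask (0x02 = left shift, 0x20 = right shift, ...)
  byte 1:    reserved
  bytes 2-7: up to six simultaneously pressed key usage IDs
A key press is one report with the usage ID set, followed by an all-zero
release report. US keyboard layout is assumed throughout.
"""

MOD_LSHIFT = 0x02
MOD_RSHIFT = 0x20
RELEASE = bytes(8)  # all keys up

# Unshifted usage IDs (USB HID Usage Tables, keyboard/keypad page).
_PLAIN = {c: 0x04 + i for i, c in enumerate("abcdefghijklmnopqrstuvwxyz")}
_PLAIN.update({c: 0x1E + i for i, c in enumerate("123456789")})
_PLAIN.update({
    "0": 0x27, "\n": 0x28, "\t": 0x2B, " ": 0x2C, "-": 0x2D, "=": 0x2E,
    "[": 0x2F, "]": 0x30, "\\": 0x31, ";": 0x33, "'": 0x34, "`": 0x35,
    ",": 0x36, ".": 0x37, "/": 0x38,
})
# Characters that need shift, mapped to the unshifted key that produces them.
_SHIFTED = dict(zip('!@#$%^&*()_+{}|:"~<>?', "1234567890-=[]\\;'`,./"))
_USAGE_TO_CHAR = {v: k for k, v in _PLAIN.items()}
_CHAR_TO_SHIFTED = {v: k for k, v in _SHIFTED.items()}


def keycode(ch):
    """Return (modifier, usage_id) for one printable ASCII character."""
    if ch in _PLAIN:
        return 0, _PLAIN[ch]
    if "A" <= ch <= "Z":
        return MOD_LSHIFT, _PLAIN[ch.lower()]
    if ch in _SHIFTED:
        return MOD_LSHIFT, _PLAIN[_SHIFTED[ch]]
    raise ValueError(f"no US-layout keycode for {ch!r}")


def encode_string(text):
    """Return the reports (press, release, press, release, ...) that type text."""
    reports = []
    for ch in text:
        mod, usage = keycode(ch)
        reports.append(bytes([mod, 0, usage, 0, 0, 0, 0, 0]))
        reports.append(RELEASE)
    return reports


def decode_reports(reports):
    """Reconstruct typed text from captured reports (e.g. usbmon); ignores releases."""
    out = []
    for rep in reports:
        mod, usage = rep[0], rep[2]
        if usage == 0:
            continue  # release or idle report
        ch = _USAGE_TO_CHAR.get(usage)
        if ch is None:
            out.append("\ufffd")  # usage not in our table (F-keys, arrows, ...)
            continue
        if mod & (MOD_LSHIFT | MOD_RSHIFT):
            ch = ch.upper() if ch.isalpha() else _CHAR_TO_SHIFTED.get(ch, ch)
        out.append(ch)
    return "".join(out)


def injection_time_ms(text, report_interval_ms=1.0):
    """Lower bound on the time to type text at one report per USB poll interval.
    1 ms is the full-speed USB minimum interrupt interval (assumed gadget setting)."""
    return len(encode_string(text)) * report_interval_ms


if __name__ == "__main__":
    payload = 'powershell -c "Get-Date"\n'  # constructed demo string
    print(f"{len(encode_string(payload))} reports, ~{injection_time_ms(payload):.0f} ms on the wire")
    # On a gadget this would be: open("/dev/hidg0", "wb").write(b"".join(encode_string(payload)))
```

A 25-character command becomes 50 reports, i.e. about 50 ms at the assumed interval, compared with several seconds for a human. The decoder is the defender's half: keyboard reports captured with usbmon or a hardware USB analyzer can be fed through it to recover exactly what a suspect KVM typed into a host.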
The research isn’t just theoretical. The FBI recently visited high-profile tech figures to discuss these exact concerns, and Microsoft has documented North Korean (DPRK) remote workers using IP-KVM devices like PiKVM to maintain “physical” control over employer-provided machines from thousands of miles away.
Furthermore, the “keys to the kingdom” can be stolen before the device even reaches the customer.
“A supply-chain attacker could tamper with the firmware at distribution time and have it persist indefinitely.”
The researchers disclosed nine vulnerabilities across four KVM vendors, spanning seven distinct vulnerability classes:
| Vendor | Product | CVE | Vulnerability | CVSS 3.1 | Patch Status |
|---|---|---|---|---|---|
| GL-iNet | Comet RM-1 | CVE-2026-32290 | GL-iNet Comet KVM insufficient verification of firmware authenticity | 4.2 | Fix being planned. |
| GL-iNet | Comet RM-1 | CVE-2026-32291 | GL-iNet Comet KVM UART root access | 7.6 | Fix being planned. |
| GL-iNet | Comet RM-1 | CVE-2026-32292 | GL-iNet Comet KVM insufficient brute-force protection | 5.3 | Fixed in v1.8.1 BETA |
| GL-iNet | Comet RM-1 | CVE-2026-32293 | GL-iNet Comet KVM Insecure Initial Provisioning via Unauthenticated Cloud Connection | 3.1 | Fixed in v1.8.1 BETA |
| Angeet/Yeeso | ES3 KVM | CVE-2026-32297 | Angeet ES3 KVM unauthenticated file | 9.8 | No fix available |
| Angeet/Yeeso | ES3 KVM | CVE-2026-32298 | Angeet ES3 KVM OS command injection | 8.8 | No fix available |
| Sipeed | NanoKVM | CVE-2026-32296 | Sipeed NanoKVM configuration endpoint exposure | 5.4 | Fixed in NanoKVM v2.3.1 and NanoKVM Pro 1.2.4 |
| JetKVM | JetKVM | CVE-2026-32294 | JetKVM insufficient update verification | 6.7 | Fixed in version 0.5.4 |
| JetKVM | JetKVM | CVE-2026-32295 | JetKVM insufficient rate limiting | 7.3 | Fixed in version 0.5.4 |
Eclypsium's findings suggest that many of these devices are currently “hanging on the network with the door wide open.” To secure these critical assets, the researchers recommend an immediate audit and the following defensive steps:
- Network Isolation: Place all KVM devices on a dedicated management VLAN.
- Zero Internet Exposure: Never expose KVM web interfaces directly to the internet; use secure VPNs like WireGuard or Tailscale for remote access.
- Strong Authentication: Enable Multi-Factor Authentication (MFA) and move away from default or weak passwords.
- Firmware Vigilance: Ensure devices are running the latest patched firmware (e.g., NanoKVM v2.3.1 or later).
- Active Inventory: Scan your environment for “shadow” KVMs. Tools like Shodan surface internet-exposed JetKVM or NanoKVM instances; an internal sweep of office and management networks is needed to find the ones that are not.
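For the inventory step, the following Python is an added example of an internal sweep, not a tool from the advisory or from any KVM vendor. It fetches the root page of each host and matches the response against product signatures. The signatures (the product name appearing in the page title or headers of JetKVM, NanoKVM, PiKVM and GL-iNet devices) are assumptions that must be confirmed against a known device before relying on them, and the sample responses used for the offline dry run are constructed.

```python
"""
Internal inventory sweep for IP-KVM web interfaces (added example).

Fingerprints are ASSUMPTIONS (product name in the page <title> or in response
headers) and must be confirmed against a known device before use; they are not
taken from the advisory.
"""
import re
import urllib.error
import urllib.request
from concurrent.futures import ThreadPoolExecutor

# Assumed signatures, checked against headers + body of the root page.
KVM_SIGNATURES = [
    ("JetKVM", re.compile(r"\bjetkvm\b", re.I)),
    ("NanoKVM", re.compile(r"\bnanokvm\b", re.I)),
    ("PiKVM", re.compile(r"\bpikvm\b", re.I)),
    ("GL-iNet device (verify model)", re.compile(r"gl[-.]?inet", re.I)),
]


def classify(headers, body):
    """Return the matching product label for one HTTP response, else None."""
    blob = "\n".join(f"{k}: {v}" for k, v in headers.items()) + "\n" + body
    for label, pattern in KVM_SIGNATURES:
        if pattern.search(blob):
            return label
    return None


def http_fetch(host, port=80, timeout=3.0):
    """Fetch http://host:port/ and return (headers, body), or None if unreachable.
    A 401/403 login wall still yields its headers and body: a KVM UI behind
    basic auth is exactly what we want to find."""
    req = urllib.request.Request(f"http://{host}:{port}/",
                                 headers={"User-Agent": "kvm-inventory/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return dict(resp.headers.items()), resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return dict(err.headers.items()), err.read(65536).decode("utf-8", "replace")
    except (OSError, ValueError):
        return None


def scan(hosts, fetch=http_fetch, workers=32):
    """Return {host: label} for every host whose web UI matches a signature."""
    def probe(host):
        response = fetch(host)
        return host, None if response is None else classify(*response)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return {host: label for host, label in pool.map(probe, hosts) if label}


# Constructed sample responses for an offline dry run (not real device output).
SAMPLE_RESPONSES = {
    "10.10.5.2": ({"Server": "nginx"}, "<html><head><title>JetKVM</title></head></html>"),
    "10.10.5.3": ({"Server": "Apache"}, "<html><head><title>Intranet wiki</title></head></html>"),
    "10.10.5.4": ({"WWW-Authenticate": 'Basic realm="NanoKVM"'}, "Unauthorized"),
}


def fake_fetch(host, port=80, timeout=3.0):
    return SAMPLE_RESPONSES.get(host)  # None mimics a closed port / no web server


def dry_run():
    """Sweep the constructed sample set plus one host with no web server."""
    return scan(list(SAMPLE_RESPONSES) + ["10.10.5.9"], fetch=fake_fetch)


if __name__ == "__main__":
    import sys
    targets = sys.argv[1:]
    results = scan(targets) if targets else dry_run()
    for host, label in sorted(results.items()):
        print(f"{host}\t{label}")
```

Run it with a list of hosts (for example the expansion of your management VLAN ranges) to get a first-pass list of KVM web interfaces; anything it finds outside the dedicated management VLAN, or reachable from the internet, is a candidate for the isolation and VPN steps above. Because the matching is by visible product name only, a device with a rebranded UI will be missed, so treat a clean result as a starting point, not proof of absence.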