
CRITICAL: Your $30 KVM Switch Might Be the Weakest Link in Your Entire Network

Nine critical vulnerabilities discovered in budget IP KVM devices from GL-iNet, Angeet, Sipeed, and JetKVM could give attackers hardware-level access to every system they manage. The worst flaws allow unauthenticated code execution.

By Danny Mercer, CISSP — Lead Security Analyst Mar 18, 2026

Executive Summary

Eclypsium researchers disclosed nine critical vulnerabilities affecting low-cost IP KVM devices from four vendors: GL-iNet, Angeet/Yeeso, Sipeed, and JetKVM. The most severe flaw (CVE-2026-32297) carries a CVSS score of 9.8 and allows unauthenticated arbitrary code execution. These devices provide hardware-level keyboard, video, and mouse access to connected systems, so a compromised KVM gives attackers BIOS-level control that is invisible to endpoint security tools.

Vulnerability Details

CVE             Product         CVSS  Description                                    Status
--------------  --------------  ----  ---------------------------------------------  --------------------------
CVE-2026-32297  Angeet ES3      9.8   Missing authentication for critical functions  No fix planned
CVE-2026-32298  Angeet ES3      8.8   OS command injection                           No fix planned
CVE-2026-32290  GL-iNet Comet   7.5   Insufficient firmware verification             Fix planned
CVE-2026-32291  GL-iNet Comet   6.8   UART debug root access                         Fix planned
CVE-2026-32292  GL-iNet Comet   5.3   No brute-force protection                      Fixed in 1.8.1 BETA
CVE-2026-32293  GL-iNet Comet   7.5   Insecure cloud provisioning                    Fixed in 1.8.1 BETA
CVE-2026-32294  JetKVM          7.5   Insufficient update verification               Fixed in 0.5.4
CVE-2026-32295  JetKVM          5.3   Missing rate limiting                          Fixed in 0.5.4
CVE-2026-32296  Sipeed NanoKVM  6.5   Configuration endpoint exposure                Fixed in 2.3.1 / Pro 1.2.4

Technical Analysis

There's a certain irony in spending six figures on firewalls, EDR, and zero-trust architecture only to have it all undone by a $30 device you bought on Amazon to remotely manage servers. IP KVM switches let administrators remotely access a machine's keyboard, video output, and mouse input over the network. Unlike remote desktop solutions that operate at the operating system level, these devices work at the hardware layer, giving you BIOS and UEFI-level access.

The affected products span GL-iNet Comet RM-1, Angeet ES3 KVM (also marketed under the Yeeso brand), Sipeed NanoKVM, and JetKVM. Researchers described the common themes across all vulnerabilities as "damning" — missing firmware signature validation, no brute-force protection on authentication, broken access controls, and exposed debug interfaces. These are fundamental security controls that any networked device should implement as a bare minimum.

The worst of the bunch is CVE-2026-32297, which earned a CVSS score of 9.8. This vulnerability in the Angeet ES3 KVM stems from a complete lack of authentication for critical functions, allowing arbitrary code execution. The Angeet device also suffers from CVE-2026-32298, an OS command injection flaw providing another path to arbitrary command execution. Neither vulnerability has a fix available, and given that Angeet products tend to be white-labeled Chinese hardware, one probably isn't coming.

The attack scenarios enabled by these vulnerabilities are nightmare fuel for security teams. An adversary who compromises one of these KVM devices can inject keystrokes to execute commands, boot from removable media to bypass disk encryption or Secure Boot protections, circumvent lock screens, and maintain access to systems in ways that remain completely invisible to any security software running at the operating system level.

Similar IP KVM switches like PiKVM and TinyPilot have already been documented in use by North Korean IT workers operating laptop farms. These workers use remote KVM access to connect to company-issued laptops while pretending to work from legitimate locations.

Indicators of Compromise

Organizations should audit their networks for the affected KVM models and check for unexpected network traffic patterns to and from them. Use Shodan queries to identify any of your own KVM management interfaces that are exposed to the internet. Monitor the devices for unauthorized firmware updates or configuration changes.

Remediation Steps

For JetKVM users, update immediately to version 0.5.4 or later. Sipeed NanoKVM users should update to version 2.3.1 (or Pro 1.2.4). GL-iNet Comet users can apply version 1.8.1 BETA for partial fixes, though firmware verification issues remain unpatched. Angeet/Yeeso ES3 KVM users should consider replacing these devices entirely as no fixes are planned.

All organizations should isolate KVM devices on a dedicated management VLAN, restrict any internet access to these devices, enforce multi-factor authentication where supported, and monitor for unexpected network traffic to and from KVM devices.
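One way to act on the audit and remediation guidance above, as an added example that is not code from the article or from Eclypsium: it checks a constructed device inventory against the fixed versions in the vulnerability table, flags KVMs sitting outside an assumed dedicated management VLAN (10.99.0.0/24), and scans constructed flow records for KVM traffic that leaves that VLAN. The product keys, the flow-record format and all addresses are assumptions.

```python
import ipaddress

# From the advisory table: (fixed version, action when below it, residual risk once on it); None = no fix
FIXED = {
    "jetkvm": ("0.5.4", "update to 0.5.4 or later", None),
    "sipeed-nanokvm": ("2.3.1", "update to 2.3.1 or later", None),
    "gl-inet-comet": ("1.8.1", "apply 1.8.1 BETA",
                      "firmware verification (CVE-2026-32290) still unpatched"),
    "angeet-es3": (None, "replace device, no fix planned", None),
}
MGMT_VLAN = ipaddress.ip_network("10.99.0.0/24")  # assumed dedicated management VLAN

def parse_version(v):
    # "1.8.1 BETA" -> (1, 8, 1): tuples compare numerically, strings do not
    return tuple(int(x) for x in v.split()[0].split("."))

def audit_device(product, version, ip):
    # findings for one KVM: firmware status plus VLAN placement
    fixed, action, residual = FIXED[product]
    findings = []
    if fixed is None or parse_version(version) < parse_version(fixed):
        findings.append(f"firmware {version} vulnerable: {action}")
    elif residual:
        findings.append(f"on {version} but {residual}")
    if ipaddress.ip_address(ip) not in MGMT_VLAN:
        findings.append(f"{ip} is outside management VLAN {MGMT_VLAN}")
    return findings

def flag_offvlan_flows(kvm_ips, flow_lines):
    # flows where a KVM talks to any peer outside the management VLAN
    hits = []
    for line in flow_lines:
        src, dst = line.split()[:2]  # constructed format: "src dst proto dport"
        peer = dst if src in kvm_ips else src if dst in kvm_ips else None
        if peer and ipaddress.ip_address(peer) not in MGMT_VLAN:
            hits.append(line)
    return hits

INVENTORY = [  # constructed sample inventory: (product, firmware, ip)
    ("jetkvm", "0.5.2", "10.99.0.10"),
    ("sipeed-nanokvm", "2.3.1", "10.99.0.11"),
    ("gl-inet-comet", "1.8.1 BETA", "10.99.0.12"),
    ("angeet-es3", "1.0.0", "192.168.1.50"),
]
FLOWS = [  # constructed flow records
    "10.99.0.10 10.99.0.1 tcp 443",
    "192.168.1.50 203.0.113.7 tcp 443",
]
def run_audit(inventory=INVENTORY, flows=FLOWS):
    report = {ip: audit_device(p, v, ip) for p, v, ip in inventory}
    report["off_vlan_flows"] = flag_offvlan_flows({ip for _, _, ip in inventory}, flows)
    return report
```

Feed `run_audit()` a real inventory export and your flow logs in the same shape to get one report of devices needing an update or replacement, devices misplaced off the management VLAN, and flows that the VLAN isolation should have prevented.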

Timeline

Date        Event
----------  -------------------------
2026-01-15  Eclypsium begins research
2026-02-20  Vendors notified
2026-03-18  Public disclosure

References

Eclypsium, "IP KVM Research": https://eclypsium.com/blog/ip-kvm-vulnerabilities-2026/